Zoom alternatives may not be more private: a look at videoconferencing apps’ encryption schemes

Zoom, one of the hottest tech companies during the coronavirus pandemic, came under attack lately for its security practices.

As the videoconferencing service suddenly became a household name (no pun intended) among people taking shelter at home, it is also accused of failing to end-to-end encrypt their video calls and compromising user privacy. 

End-to-end encryption scrambles video, audio and text content in a way that it can only be accessed by senders and intended recipients, while service providers have no means to decrypt them. This is usually achieved by only having participating users know the keys that can decrypt messages and let service providers relay these encrypted messages from senders to recipients. 

Most of the messaging tools on the market do not guarantee end-to-end encryption partly due to law enforcement concerns, but also because of the clumsy user experience it may bring. For example, the scheme makes it difficult to synchronize messages on various devices and integrate third-party applications. 

For video and audio meetings, end-to-end encryption presents more challenges. To implement it, audio and video stream for each participant needs to be separately encrypted with its own unique key and then send to other conference participants. This introduces problems such as expanded data packet size and encrypting/decrypting latency that can cause image delay and degraded connection quality. 

In October last year, long term bitcoin supporter and engineer Jameson Lopp shared a spreadsheet on Twitter, which evaluated around 70 messaging apps based on their security, capability, usability and other criteria. Some of the most widely used videoconferencing apps such as Zoom, Google Hangouts Meet and Slack do not perform well on the list. 

As such, the Block reviewed the security practices of a few of the most popular videoconferencing tools on the market and found that there may be no perfect alternative to Zoom in terms of privacy and security. 

Zoom 

First, let’s recap Zoom’s problem. 

The video conferencing app was once touted for providing better user experience and video quality than its competitors. However, this convenience may be based on sacrificing security.  

As The Intercept reported, although Zoom claims that it secures meetings “with end-to-end encryption,” it is, in fact, referring to the two endpoints as users and Zoom’s servers instead of users themselves. 

In other words, media streams flowing from users to Zoom would be encrypted during the transition but decrypted once they pass Zoom’s firewall. Zoom then re-encrypts these media streams before sending them to their designated recipients.

This practice, known as transport encryption, is widely used by messaging and videoconferencing tools on the market. Since Zoom can still access the video content, it can also record it and send the recording to meeting participants later – a feature that the platform is known for. However, it also exposes users to potential security risks associated with Zoom's servers and compromises user privacy as Zoom can view all meeting content. 

Google Hangouts Meet

Google Hangouts Meet, another popular videoconferencing service, does not seem to advertise end-t0-end encryption like Zoom. 

The company’s G Suite website simply states all video and audio streams in Google Hangouts Meet are encrypted, without specifying what kind of encryption scheme they use. 

It also points out in a Q&A that when there are only two users, a peer to peer connection may be established. This connection allows users to directly send media streams between each other and avoid routing the media streams to Google’s server. 

However, Google admitted to Vice in 2015 that Hangouts did not use end-to-end encryption after it was accused of a lack of clarity surrounding its encryption settings. Although publicly available information is scant, it does not seem that the company has implemented end-to-end encryption since then. 

The firm has not responded to The Block's request for comment. 

Slack 

As Slack states in its security white paper, the company secures data both “at rest” and “in transit,” meaning that like Zoom, it implements transport encryption between clients and the company’s servers.

However, it also does not offer end-to-end encryption by default and appears to have no plan to make it available soon. In spring 2019, the messaging app's head of enterprise product Ilan Frank reportedly stated that end-to-end encryption would put too many limitations on the platform, disabling it from providing features such as chat search function and third-party application integrations. 

“There are many, many limitations," said Frank at the time. "We figured we could do it that way, but then what we would be doing is making Slack into just a chat tool, similar to iMessage or WhatsApp, and that is not what our customers are asking for."  

However, the popular messaging app did roll out the so-called Slack Enterprise Key Management function last year, which allows the app's enterprise clients to use their own encryption keys without Slack gaining access to them. 

Skype 

Skype, a long-standing videoconferencing service owned by Microsoft, does have end-to-end encryption, to a certain extent. 

In 2018, Skype launched private conversations – a feature that allows users to hold audio calls and transfer files with the end-to-end security by deploying the Signal Protocol, which is what Signal and WhatsApp use to secure messages. 

According to Skype’s white paper about this feature, participating parties of a private audio call must first initiate a private conversation session. During the session, a randomly generated encryption key will be shared that allows the sender to encrypt and the recipient to decrypt the audio stream. 

However, this service is not available for video conferencing, which is still using the Advanced Encryption Standard (AES), a specification for encryption established by the U.S. government in 2001. 

FaceTime

FaceTime and iMessage, which are only available to Apple users, is one of the few known communication apps that use end-to-end encryption. Because of this feature, the company was entangled in a series of legal troubles in 2016 when it refused to provide the Federal Bureau of Investigation (FBI) access to an iPhone. 

However, FaceTime is not all perfect. In January 2019, Apple had to pause all group chats in order to fix a bug that allowed users to eavesdrop on someone they are calling before that person picks up the call. 

Additionally, even though messages sent via iMessage are end-to-end encrypted, they can still be accessed by Apple once they are uploaded to iCloud for backup and syncing purposes. According to a recent Reuter report, Apple considered end-to-end encrypting all backup data on iCloud too. However, it eventually dropped the plan two years ago under pressure from the FBI. 

It is also worth mentioning that end-to-end encryption does not guarantee complete security and privacy. Rather, the scheme still has various points of vulnerability, such as the aforementioned cloud backup concern and the metadata that message apps can collect to reveal users' personal information. 

Security concerns surrounding video conferencing services remain at the forefront for those working from home. Though Zoom has been put under the microscope, the security schemes of its competitors can present similar worries, meaning users will have to find the right service to match their security needs.