Richard Blumenthal, the US senator sponsoring a bill that critics say will limit the use of encryption, is calling for an investigation of video-conference provider Zoom, in part over its false claim it offered… end-to-end encryption.
The Connecticut Democrat is a sponsor of the EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act bill that would create incentives for companies to make changes to their platforms. In return, the companies would receive liability protections for any violations of laws related to online child sexual abuse material. Critics of the proposed law, who include the Electronic Frontier Foundation and Sen. Ron Wyden (D-Ore.), say it’s a Trojan horse designed to allow the government to weaken end-to-end encryption.
A pattern of privacy infringements
Citing a “pattern of security failures & privacy infringements,” Sen. Blumenthal on Tuesday called for the FTC to investigate Zoom. Chief among the cited privacy infringements is the claim on the Zoom website that meetings were end-to-end encrypted, meaning that video, audio, and text were encrypted at all times in transit and couldn’t be decrypted by Zoom or anyone else other than the conference participants. A post published last week by The Intercept reported that Zoom meetings in fact used what’s usually called transport encryption, which encrypts data in transit but still allows Zoom’s own servers to decrypt meeting data.
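To make that distinction concrete, here is a small added simulation (not code from Zoom, The Intercept or Citizen Lab) of a meeting relay in both modes. It uses a toy HMAC-SHA256 keystream cipher as a stand-in for a real AEAD so it runs on the standard library alone; the participant names, keys and message are constructed for the example.

```python
import hashlib, hmac, os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256(key, nonce || counter) blocks XORed onto the data.
    # A stand-in for a real AEAD such as AES-GCM, used only to stay standard-library.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per message, prepended to the ciphertext
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

class MeetingRelay:
    """The provider's server sitting between two participants (constructed for this example)."""
    def __init__(self, clients):
        self.hop_keys = {c: os.urandom(32) for c in clients}  # per-hop transport keys the server must hold
        self.seen = []  # whatever the server had in memory while relaying

    def relay_transport(self, sender: str, receiver: str, blob: bytes) -> bytes:
        # Transport encryption: each hop is encrypted to the server, so the server
        # decrypts the sender's hop and re-encrypts for the receiver's hop.
        plaintext = decrypt(self.hop_keys[sender], blob)
        self.seen.append(plaintext)
        return encrypt(self.hop_keys[receiver], plaintext)

    def relay_e2e(self, blob: bytes) -> bytes:
        # End-to-end: the meeting key lives only on the participants' devices; the server
        # forwards opaque bytes (the TLS hop that would still wrap them is omitted here).
        self.seen.append(blob)
        return blob

def run_demo(message: bytes = b"constructed sample: Q3 numbers are confidential") -> dict:
    relay = MeetingRelay(["alice", "bob"])
    alice_hop, bob_hop = relay.hop_keys["alice"], relay.hop_keys["bob"]
    # Mode 1: transport encryption only (the model The Intercept found Zoom actually used)
    bob_t = decrypt(bob_hop, relay.relay_transport("alice", "bob", encrypt(alice_hop, message)))
    server_t = relay.seen[-1]
    # Mode 2: end-to-end, under a meeting key agreed between Alice and Bob that the relay never learns
    meeting_key = os.urandom(32)
    bob_e = decrypt(meeting_key, relay.relay_e2e(encrypt(meeting_key, message)))
    server_e = relay.seen[-1]
    return {"transport_delivered": bob_t == message, "transport_server_read_plaintext": server_t == message,
            "e2e_delivered": bob_e == message, "e2e_server_read_plaintext": server_e == message}
```

Both modes deliver the message intact to Bob; only in the transport-encrypted mode does the relay ever hold the plaintext, which is exactly the property a true end-to-end claim rules out.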
Researchers from Citizen Lab, the University of Toronto group that investigates security and hacking, further reported serious weaknesses in Zoom’s encryption regimen. One flaw was that Zoom “rolled its own” encryption scheme, meaning it used custom algorithms rather than standards that had been widely tested over years. Another flaw: the company’s use of servers located in China to route meetings for North American participants and distribute encryption keys.
Blumenthal on Tuesday wrote: “The facts & practices unearthed by researchers in recent weeks are alarming—we should be concerned about what remains hidden. As Zoom becomes embedded in Americans’ daily lives, we urgently need a full & transparent investigation of its privacy & security.”
— Richard Blumenthal (@SenBlumenthal) April 7, 2020
While Tuesday’s tweets don’t explicitly refer to Zoom’s encryption transgressions, Blumenthal addressed them directly last week when he penned a letter to Zoom CEO Eric Yuan. His tweet accompanying the letter included a link to The Intercept article.
Millions of Americans are now using @zoom_us to attend school, seek medical help, & socialize with their friends. Privacy & cybersecurity risks shouldn’t be added to their list of worries. I’m calling for answers from Zoom on how it handles our private data. https://t.co/CEg1P3T3S1
— Richard Blumenthal (@SenBlumenthal) March 31, 2020
“Despite claims in security papers and advertisements that Zoom offers end-to-end encryption for its meetings, technical analysis from The Intercept found that it does not protect the privacy of communications using this form of encryption,” Blumenthal wrote in the March 31 letter. “Zoom users deserve clear and correct answers about how it protects the safety of its users and meetings.” Blumenthal went on to ask Zoom to describe when end-to-end encryption is available and how personal data is encrypted.
Watering down encryption
The EARN IT Act would designate a commission to develop “best practices” for Internet services to prevent online child exploitation. Sponsors introduced the bill after US Attorney General William Barr had repeatedly called for encryption backdoors to keep law enforcement from going dark. Riana Pfefferkorn, the associate director of surveillance and cybersecurity at Stanford Law School’s Center for Internet and Society, has said the best practices are “pretty much up to the AG to determine.” Previously, the group has said the bill is an attempt to “ban end-to-end encryption without actually banning it.”
The EFF, meanwhile, has said that the commission, which currently numbers 19, would be “dominated by law enforcement agencies” that have repeatedly urged tech companies to weaken encryption and implement the same backdoors Barr has demanded.
By definition, end-to-end encryption can’t have backdoors. Sen. Blumenthal, whose staff didn’t return a call seeking comment for this post, seems to want things both ways—end-to-end encryption to protect Zoom users and, at the same time, a law widely believed to be an attempt to undermine it.