
Zoom Changes Course and Gives All Users End-To-End Encryption, Provided They Give up Additional Personal Information

Wednesday, July 8, 2020

Categories: ASCF News Emerging Threats Cyber Security


The popular but embattled video conferencing platform Zoom seemed to wander into another minefield earlier this month, as it announced the rollout of end-to-end encryption but appeared to be limiting it to business and enterprise accounts. The move stirred up controversy as Zoom CEO Eric Yuan said rather bluntly on an earnings call that it was done to give law enforcement access to individuals using the platform for crimes such as sex trafficking.

The company has now chosen to navigate around this problem in a different way. Free users and those subscribed to the individual “Pro” plan will be allowed to enable end-to-end encryption, but will have to provide additional personal information to do so.

How Zoom’s new free end-to-end encryption works

A blog post from the company gave preliminary details on how the new end-to-end encryption feature, which is slated to go active sometime in July, is planned to work. “Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message. Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts … This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform,” said Yuan.

In other words, the process for free users to enable end-to-end encryption appears to be similar to the mandatory two-factor authentication (2FA) schemes that sites like Amazon now require to secure user accounts. In addition to an email address, Zoom users will need to provide something like a valid phone number at which to receive a verification call or text message containing a code to be entered back into the site. Once verified in this way, users will be able to join calls in which the call administrator has toggled on the end-to-end encryption feature.

The details are not yet finalized, but Zoom has shared an overview in the form of a whitepaper hosted on GitHub. The original plan for end-to-end encryption had limited it to the organizational tiers of the paid version of the service, which would have required users to have some sort of company account to make use of it.

Zoom’s end-to-end encryption problem

Zoom has weathered a long chain of criticisms and controversies regarding its security and data handling practices since the company’s sudden and unexpected growth due to the Covid-19 pandemic. It has struggled to scale up what were initially modest security offerings when it was a convenience-focused business tool of middling popularity prior to widespread global lockdowns and social distancing measures.

One particular problem for the company has been the rapid adoption of the platform as a tool for schools to conduct virtual classrooms. Zoom suddenly onboarded a massive number of young users due to school closures, a demographic the company was clearly not prepared for. Child sex trafficking was an existing problem on the platform even before the pandemic, with abusers taking advantage of its anonymous nature to trade child porn and put on virtual “shows.” The problem has become more acute with the added presence of millions of homebound children during the school year, giving rise to serious concerns about grooming and the use of techniques such as “Zoombombing” to gain unauthorized access to their spaces.

Under the original plan, children would have needed an account provided by a school subscribed to Zoom’s paid services to be protected by end-to-end encryption. Civil rights groups also spoke out against the initial proposal, pointing out that potentially vulnerable political speech and organization would have gone unprotected and could have been readily eavesdropped on by authorities.

Unless a backdoor is added, end-to-end encryption ensures that only the participating parties have access to the video calls and any files shared during a conference. Zoom staff are not able to access the call, nor are law enforcement even if a warrant is obtained. An outside party would need physical access to the encryption key on a user’s device along with their password to be able to access their communications on the platform.

One of Zoom’s bigger controversies this year was that it had been falsely advertising end-to-end encryption on the platform until early April. It was discovered that this was not true; Zoom had simply made a “promise” to not decrypt transmissions across their platform rather than actually implementing true end-to-end encryption. The decryption keys were stored on Zoom’s servers, some of which were in China (giving the country’s government the ability to access communications at will). The site was also found to be using an outdated form of more basic encryption, something that has since been updated to a standard that is more secure and modern.

Zoom’s new encryption will still have issues & limitations

Though Zoom’s new end-to-end encryption option is a welcome change, it will still have some limitations. Call admins will have to toggle it off for participants using regular PSTN landlines or SIP/H.323 legacy conference room phones; it appears there will be an option to toggle it off for specific users, but some may simply leave it off all the time to avoid the confusion and extra work. End users will also be reliant on the call admin being vigilant about toggling it on for each session. And at Zoom’s end, the added steps on account creation are not a complete solution to the creation of abusive accounts; determined threat actors can still create a free anonymous phone number with services such as Google Voice, or use an inexpensive burner phone.

Photo and Link: https://www.cpomagazine.com/data-privacy/zoom-changes-course-and-gives-all-users-end-to-end-encryption-provided-they-give-up-additional-personal-information/
