by geofft 2264 days ago
OK, that would be a serious flaw, and also the current blog post states clearly that they do, so if that's a lie, then we have a much bigger problem on our hands than whether they should be using the term "end-to-end encryption."

> To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.

1 comments

Well, it says they "do not decrypt it" not that they "cannot decrypt it".

Sure, but they're making a claim that they cannot decrypt it without you noticing. If a Zoom employee wants to monitor your call, they'll show up as a participant. If you have a 5-person meeting and nobody is joined by phone, and there are 5 people on the call plus one phone bridge, you know some eavesdropper (perhaps Zoom, perhaps someone who's good at guessing conference IDs) has joined.

(I would hope their system is architected in such a way that clients enforce this and do not trust the server for the participant list. If they don't, then I'd take issue with that part of their blog post. But also I'd argue that in practice systems like Signal or iMessage can MITM your traffic if you really want, so I'm not convinced this is meaningfully worse for users even so....)