[CivBase]

> While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.

So you knew that your users would misinterpret the term "end-to-end encryption" but chose to use it anyways. And you somehow expect us to believe you "never intended to deceive any of [your] customers"?

> The goal of our encryption design is to provide the maximum amount of privacy possible while supporting the diverse needs of our client base.

This statement is at odds with the statement that immediately follows.

> To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.

If you do not decrypt it at any point, then you are admitting you have no legitimate need to decrypt it. If you have no legitimate need to decrypt it, but are retaining the ability to decrypt it anyways, then you are not providing the "maximum amount of privacy possible". If you are communicating between two Zoom clients, then there does not seem to be a reason not to use true end-to-end encryption.

I'm 100% fine with Zoom offering solutions without true end-to-end encryption. The way they have described their "Zoom Connector" solution, I think they've already gone above and beyond most of their competitors. However, that absolutely does not excuse how they have deliberately mislead their users.

[paul_f]

I don't agree there is a common definition of end-to-end encryption. Ask a random, non-technical co-worker what they think it means and you might get an answer that matches Zoom's marketing claims.

[CivBase]

I feel like "end-to-end encryption" is a mostly self-explanatory term. All data passed from one end to the other is encrypted.

The point of encryption is to ensure that third parties cannot read your data. If a third party has the power to decrypt and read the data, then it's already misleading to advertise it as "encrypted". That would be like advertising a pair of boots as "waterproof" when they only actually prevent water from entering via the soles.

If the data is encrypted by one end, decrypted by a third party, and received at the other end unencrypted, then the encryption is not "end-to-end". I'm not sure how you could possibly interpret that part any other way.

[rjmunro]

But that's not the question here. That's only talking about when there is a connector involved. For a zoom-zoom only chat, if my encryption works by:

* I generate a key * I give it to you and another party * You and the other party then chat through my service * I pass the messages between you but don't bother to decrypt them

Does that count as end-to-end encryption? At any time, I could decide to decrypt the message (even months later if it is logged).

[ironmagma]

Since it’s a technical term being used to communicate technical information, it really doesn’t matter what a nontechnical person would think it means.