by londons_explore 2049 days ago
> don't think security was the primary reason for Zoom taking off. It was stability

Stability was the main draw, but company IT departments would have had more power to ban it if there were bigger and clearer risks of corporate secrets escaping.


Industrial espionage is real. There are many companies who are concerned about this and take active steps to keep data secret who would likely not have approved zoom use if they'd known e2e encryption wasn't to the level they were told.

Some folks are concerned with more than stability and ease of use.

It's difficult to imagine a company that cares that much about keeping their video chat data private, but would use any third party service.

That doesn't justify zoom making false claims--I just don't think the companies you're describing would be using zoom.

One can't just delegate responsibility like that. Any company should engage in some form of due diligence before procuring software. If there are expectations of privacy then those should be proven by the company procuring the software, not the vendor.
How would you verify e2e encryption on a proprietary protocol? Not every company that cares about privacy has crypto experts on staff. They should have a reasonable expectation that the vendor is telling the truth.
1. Is the software proprietary? Liability, Denied.
You can't. Don't trust, but verify. If a company or individual needs strong privacy, they should verify any encryption claims.

This would mean using only libre/open source software like Jitsi or Linphone, as one could verify the code or hire experts to verify the code.

So it's okay that Zoom lied because users should have reverse engineered it to verify that what Zoom said about their own product was true?
No, if a company was really worried they shouldn't have opted for a cloud product with a (partly) Chinese-owned company. A lot of companies go through the trouble of giving their employees (especially management) "throw away" phones and/or computers when they send them to "problematic" places, in particular China, but then they install Zoom for their C-level and middle management executives to use, huh?
But everybody knows C-level and middle-management don't actually know anything or do anything. Have at it! It's like spamming the spammers.
You know what it's called when you purposefully lie about your products or services to gain an advantage? Fraud.

If this was happening in any other industry (except finance?), the perpetrators would be in jail.

Any company IT department's power to ban something is inversely related to how much its users want to use it. Also, the videoconference provider stealing company secrets is not part of most companies' threat model. Teams and Slack are incredibly popular corporate tools, and neither of them offer this feature. WebEx is the only reasonably popular tool I can think of that supports it, and any security department that cared strongly about E2EE would be asking questions like "do you perform key escrow" if they were thinking of migrating off something like that.
Why isn’t it? I highly suspect the CCP stole trade secrets with zoom.
Because in order to operate a business (or any organization), you have to at some point decide on a group of service providers and other 3rd parties that you trust. For most organizations, trusting a major videoconferencing vendor is going to be within their risk tolerance. For some organizations (or for some use-cases within organizations) this wouldn't be acceptable (or perhaps trusting Zoom wouldn't be acceptable, where a different vendor might be), but at this point you're starting to stray outside of Zoom's target market and into a set of more specialized requirements.

Defending against sophisticated state-level actors goes even further beyond the requirements of most businesses. Unless you had a specific reason to believe that you were a target of such actors (dealing with national security, or matters of significant national strategic importance), you couldn't justify investing much resource into such defensive measures.

Does it really take that much for a company to be an interesting target for industrial espionage?
Or state secrets, or court secrets, or just preventing random zoom admins from watching children in virtual classrooms.