Are you saying that Zoom is recording conversations?

Zoom offers a service to record meetings in the cloud, as almost all providers do. So they can intercept, and can probably be compelled to do so by court order.

E2E is something nerds complain about.

I'll be the first to admit that I am very far from a crypto expert, but - does this implication necessary follow? Couldn't they just be recording and persisting the (encrypted) stream, and then making it available to "someone who has the key"?

That might work for a 2 party call. But I was on a call this afternoon with 70 participants — which of the 70 recordings do you want to keep?

It’s a hard problem, which gets much easier and delivers a better UX if you can trust the service provider. Also consider why you trust 70 meeting participants more than Zoom/Microsoft/Google/Verizon?

It's not that hard. Instead of generating 70 end-to-end encrypted recordings of your meeting, you just generate 70 end-to-end encrypted packets with a shared symmetric key inside that allow you to decrypt the meeting encrypted with that shared key. You only need one version of the recording because there is only one symmetric key, but you transmit that to each client using their public/private keypair.

> consider why you trust 70 meeting participants more than Zoom/Microsoft/Google/Verizon?

For the very simple reason that "the people that I choose to communicate with are people that I have chosen to communicate with", whereas the communication medium chosen is "the least-bad available". I am able to take whatever other measures I wish via other channels to verify and built-trust-in the participants, but I cannot do so with the communication medium owner.

The Zoom backend serves as a router for (possibly hundreds) individual encrypted streams of audio and video during a meeting. In order to support a cloud-save feature, they must first decrypt those streams in order to re-encode them into a unified multimedia file. Even if they were to store encrypted versions of all of these individual audio/video streams, how would they ultimately present that back to the user on request? There is no practical or easy way to do this.

> Even if they were to store encrypted versions of all of these individual audio/video streams, how would they ultimately present that back to the user on request? There is no practical or easy way to do this.

You would play it similar to how you attend a Zoom meeting. They could probably reuse most of the client code for this feature. But yes, I agree this is likely not the user experience that most users want.

I think he's saying that Zoom can record conversations. Not that they actually are.

Well, yes, definitely. It isn’t a peer-to-peer architecture, so at some point Zoom is storing files that correspond to your video calls. At some point I’m sure they’re deleted but someone with a subpoena can access them before they are. End-to-end encryption means there is never any window when a government could mandate access.

I would have thought they were never stored on disk (by Zoom anyway, maybe by the NSA and the Chinese). Wouldn't that require a huge amount of space?

Where do you think the training data for the background replacement algorithms came from?