Zoom Surprise: According to a new report, it's actually safer than FaceTime


Zoom has had a rough time in the press recently over privacy and security issues. [Editor's note: This article has been updated with a reply from Mozilla explaining their research methodology.]

However, according to the new report, Zoom meets the same security standards as other virtual meeting services such as Google's Hangouts app and Skype, and even scores higher than Apple's FaceTime. But your friends' and family's favorite Zoom alternative may not.

A report released today (April 28) by Mozilla, the Firefox browser maker and web privacy pioneer, gives Zoom an almost backhanded award: "meets our minimum security standards." But don't be discouraged by that: while FaceTime received a 4.5/5, Zoom received a 5/5 security rating.

According to Mozilla, this means that Zoom meets "the requirements that all products must meet in order to be sold in stores."

In Zoom's case, it is distributed online for free.

Zoom's 5/5 score in the report includes points for using encryption, but Mozilla says, "Zoom does use encryption, but not end-to-end encryption."

The rest of Zoom's "perfect score" is earned by the client software receiving multiple security updates each month, by Zoom requiring a strong account password, by Zoom offering a vulnerability reporting program, and by Zoom posting its privacy policy online.

This is a pretty good minimum threshold, but the study raises some questions.

Google's Duo, Hangouts, and Meet (even Mozilla thinks Google has too many messaging apps) collectively received 5/5 stars, but this article exposes the flaws in the report.

"Google Duo," Mozilla says, "is the only one of the three apps that claims to use end-to-end encryption."

It is difficult to see how Mozilla came to its conclusions about the encryption of all the video calling services it investigated. Did Mozilla conduct a technical investigation and capture all data packets sent over Wi-Fi? Or did it rely on what each service says about its own encryption?

Mozilla seems to have chosen the second option. The survey footer reads: "The information provided here was taken directly from the product's website"

Individual reports, such as the one for Microsoft Teams, state: "Microsoft Teams uses encryption; Microsoft Teams does not appear to use end-to-end encryption."

This is not a clear conclusion. When we asked Mozilla for more information, Ashley Boyd, Mozilla's Vice President of Advocacy and Engagement, said, "We would look at the privacy policy and other documents, examine the app's features and controls, read relevant news reports, and contact the company if we need clarification."

Boyd responded that Mozilla had "examined the app's privacy policy and other written materials" and confirmed that there was no analysis of technical encryption

If any of these services are found to be lying about their encryption standards or implementation (as was the case last month when The Intercept proved that Zoom's "end-to-end encryption" was bogus), the scoring of the survey may need to be updated.

All of the requirements listed appear to be basic standards, but not all are met. Houseparty, which recently caused its own (perhaps misguided) security furore, received a failing score of 4/5 (despite using encryption).

This is because Houseparty's password requirements are weak, with a minimum of only five characters; it even allowed Mozilla researchers to use "12345" as a password.

Discord (which also uses encryption) also received a failing score of 4/5 due to its low password criteria (a minimum of six characters; "111111" is allowed).

Apple's FaceTime received a passing score of 4.5/5, but this was due to the low password criteria set for FaceTime calls.

But FaceTime has end-to-end encryption - at least that's what Apple says.
