Zoom security: Here's how Germany got its wires crossed over video-chat privacy

Germany is notoriously picky about digital privacy, but official warnings over video meetings have just sown confusion.
Written by Cathrin Schaer, Contributor

Germany's various commissioners for data privacy have been kept busy during the country's lockdown. Working from home, millions of citizens turned to online communications, including video conferencing and messaging services.

Recent research shows that 57% of Germans currently use video conferencing regularly, mostly for school or work.

But even as the word 'zoomen', or 'to zoom', entered the German popular lexicon, the country's privacy commissioners made it clear they had serious concerns about the video-chat service.


Most recently, in an interview with a local newspaper, the federal commissioner for data protection said public servants and German businesses should not be using Zoom for video conferencing. The German foreign office had already banned its staff from using the tool on official computers.

"When personal details are involved, it is advisable not to use this form of communication," Ulrich Kelber warned in the paper, Handelsblatt. "Alternative platforms should be chosen, which can guarantee genuine end-to-end encryption."

The previous week, Kelber had banned public servants from using the Facebook-owned messaging service, WhatsApp, because, he said, the service transmitted users' details back to its parent company.

As Germans worked from home, the same kinds of warnings were also issued at state level, with privacy commissioners in Bavaria, North Rhine-Westphalia, Hamburg and Berlin all criticizing the data privacy of nearly all the most popular video-conferencing applications, everything from WebEx to Microsoft Teams to Zoom.

The result, as companies, schools and civil servants rushed to find a regulation-compliant solution for lockdown communication? Confusion.

"Recent statements by data-protection authorities on the subject of video conferencing leave many companies at a loss," Susanne Dehmel, a lawyer and board member at Bitkom, Germany's association for digital business, which represents more than 2,700 companies, tells ZDNet.

"Instead of blanket condemnations…, we believe that it would be much more helpful if data-protection authorities explained how video conferences can be used in a way that complies with data-protection regulations."

German technology site Heise asked officials at data-privacy commissioner Kelber's office if they could perhaps recommend other services to replace Zoom. At the same time, the site pointed out that Skype, Microsoft Teams, and Google Meet didn't have end-to-end encryption either and queried whether the commissioner would also be issuing warnings against those services.

A spokesperson for Kelber's office replied that it couldn't make any recommendations for other services and conceded that the office had not actually tested any of the services itself. Its assessments of Zoom were based on information in the public domain, it said.

Meanwhile in Berlin, state privacy authorities were forced to issue a new version of their guidelines on video conferencing. These contained security warnings about Microsoft Teams and Skype for Business because they didn't have end-to-end encryption.

In a May 5 letter to the authorities, Microsoft complained that the guidelines were inaccurate, damaged its reputation and would have commercial repercussions. It also said it had not been contacted by the Berlin authorities about the warnings.

Attorney Stefan Hessel, a specialist in data-protection law at Reuschlaw Legal Consultants in Berlin, used the Freedom of Information Act to obtain a copy of yet another of the Berlin data-protection authority's reviews, this time about Zoom.

He was critical of the apparent failure, as with the Microsoft cautions, of any of the data-protection commissioners to have contacted Zoom before issuing warnings.

"I don't think that's really in order," Hessel tells ZDNet. "If there are such strong limits issued [on what can be used] then you can imagine that many customers will stop using certain applications. There will be financial repercussions for the company. So it's important to talk to them so they can defend themselves."

Bitkom's Dehmel agreed: "It would be helpful if regulators talked to video-conferencing system providers before issuing privacy warnings," she noted.

A spokesperson for Zoom in Germany told ZDNet that the company had been making steady progress with its planned 90-day security upgrade, which became necessary after the massive increase in use put more focus on Zoom's security, user privacy and transparency.


For example, since April 18, it has been possible for paid Zoom users to choose where their data travels. One of the issues that came up recently in Germany, and which started the federal foreign office's ban of the service, was the routing of some Zoom calls through Chinese servers. But now, users can decide where their data should not travel.

Zoom's planned upgrade also includes the ambitious goal of developing end-to-end encryption for video conferencing. That is the kind of thing federal privacy commissioner Kelber wants but which experts say is extremely difficult to achieve with video conferencing for a large number of people.

Usually, text-based messages sent during a video conference are end-to-end encrypted. However, audio-visual data is not.

Currently, Zoom, Microsoft Teams and many other video-conferencing services use what's known as transport encryption. Messages are encrypted as they travel from computer to computer, so that no third party, for example someone spying on a Wi-Fi connection, can access the information.

However, video and audio content doesn't stay encrypted once it reaches the recipient's computer, which means that the service provider – Zoom, or others – could ostensibly access the content.
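The difference between the two models, as an added Python example that is not part of the original article or any vendor's code: a provider relay ends each transport-encrypted hop and so holds the media in the clear, while an end-to-end layer inside the same hops leaves it holding only ciphertext. The function names, the pre-shared keys and the toy HMAC-based cipher (standing in for real transport and media encryption) are assumptions made for illustration.

```python
import hashlib, hmac, os

def _sub(key, label):  # derive separate encryption and MAC keys from one secret
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy HMAC-SHA256 counter keystream: a stand-in for a real cipher, not for production.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered frame")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def provider_relay(frame, k_sender_hop, k_receiver_hop):
    """Hypothetical relay: end the sender's hop, re-encrypt for the receiver's hop."""
    seen_by_provider = unseal(k_sender_hop, frame)
    return seal(k_receiver_hop, seen_by_provider), seen_by_provider

def compare(media=b"constructed sample audio frame"):
    # k_a, k_b: per-hop transport keys shared with the provider.
    # k_e2e: known only to the two participants (assumed shared out of band).
    k_a, k_b, k_e2e = (os.urandom(32) for _ in range(3))

    # Transport encryption only: each hop is protected, the relay is not excluded.
    out, seen_transport = provider_relay(seal(k_a, media), k_a, k_b)
    bob_transport = unseal(k_b, out)

    # End-to-end layer carried inside the same transport hops.
    out, seen_e2e = provider_relay(seal(k_a, seal(k_e2e, media)), k_a, k_b)
    bob_e2e = unseal(k_e2e, unseal(k_b, out))
    try:
        unseal(k_a, seen_e2e)          # provider tries a key it actually holds
        provider_opened_inner = True
    except ValueError:
        provider_opened_inner = False

    return {"seen_transport": seen_transport, "seen_e2e": seen_e2e,
            "bob_transport": bob_transport, "bob_e2e": bob_e2e,
            "provider_opened_inner": provider_opened_inner}
```
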

It is unclear whether German data-protection officials took the most recent improvements into account. Asked by ZDNet whether it thought that was fair, Zoom replied only that the company was "in communication with government agencies around the world and is focused on providing the information they need to make informed decisions about their policies".

So are the warnings from German privacy commissioners overstated or not? Yes and no, says Joerg Pohle from the Alexander von Humboldt Institute for Internet and Society in Berlin, who heads a data-governance and cybersecurity project.

"If we're just talking about security, then their claims are not exaggerated. However it's very hard to achieve what they want [end-to-end encryption for multi-user video conferencing]. Up until now, nobody has managed to do this," argues Pohle.

Pohle maintains that the best option is trustworthy, transparent service providers and a platform, most likely open source, operating on a local server, that users can manage themselves – something like Jitsi Meet, he suggests.  

However, on Monday, one German cybersecurity expert wrote an editorial supporting Zoom. "As far as I can see, this is currently our only chance at mass market end-to-end encryption for video conferencing," Jürgen Schmidt argued. "Give them a little time to prove themselves."

On the other hand, being able to trust the service you use also plays a big role, Pohle adds, something that has proved difficult with Zoom. In fact, during a conference call this week, Zoom's CEO Eric Yuan reportedly suggested that if and when end-to-end encryption did come to the service, those using it for free wouldn't be able to access it anyway.

Because, Yuan said, "We also want to work together with the FBI, with local law enforcement in case some people use Zoom for a bad purpose."


Dehmel, Bitkom's expert on digital law and security, argues that in Germany this debate illustrates a fundamental problem.

"[That is] the great inconsistency in the interpretation of data-protection rules. The GDPR is very comprehensive and, at the same time, very abstract. Questions of interpretation often arise. A little more practical assistance from the supervisory authorities here could promote data protection better than just finger wagging," she argues.

As the situation stands right now in Germany, all the bans and warnings don't seem to have made a huge difference. Staff at universities and schools are continuing to be bewildered about how they can safely communicate with students. Many users say Zoom still has the easiest-to-use and most reliable interface.

Obviously not all online events need to be encrypted and an online survey of over 17,000 tech magazine readers found that most – around 45% – still used Zoom or Microsoft Teams. A third used alternative services.

And even a cursory glance at social-media channels indicates that a lot of German politicians and public servants are also still using Zoom to host meetings – including, until relatively recently, the country's federal data-privacy commissioner Ulrich Kelber himself.