Zoom surprise: New report says it's actually safer than FaceTime

Zoom has had a rough go of it in the press as of late when it comes to privacy and security issues. [Editor’s note: This article has been updated with a reply from Mozilla explaining its survey methodology.]

But according to a new report, Zoom meets the same security standards as other virtual meeting services, such as Google's Hangouts apps and Skype, and even scores higher than Apple's FaceTime. Your friends & family's favorite Zoom alternative, however, may not. 

The report published today (April 28) by Firefox browser maker and web privacy vanguard Mozilla gives Zoom an award that almost sounds backhanded: "Meets Our Minimum Security Standards." But don't let that dissuade you: Zoom got a security rating of 5/5 in the report, while FaceTime got only 4.5/5. 

According to Mozilla, this means Zoom fulfills the requirements that "all products should meet in order to be sold in stores." Or in Zoom's case, given out for free online.

Zoom's 5/5 score on the report includes winning a point for using some encryption, even though Mozilla notes that "Zoom uses encryption. It does not use end-to-end encryption."

The rest of Zoom's "perfect" score is earned by the client software getting multiple security updates each month, Zoom requiring strong account passwords, Zoom providing a program for reporting vulnerabilities and Zoom publishing a privacy policy online. 

Show me the data

That's a pretty good minimum threshold, but we've got some questions about the survey.

Google's Duo, Hangouts and Meet (even Mozilla thinks Google has too many messaging apps) collectively got 5/5 stars, but the write-up exposes a flaw in the report. 

"Google Duo," Mozilla says, "is the only one of the three apps that claims to use end-to-end encryption."

It's hard to see how Mozilla reached its conclusions about the encryption of every video-call service it examined. Did Mozilla do a technical examination, capturing every data packet as it went out over Wi-Fi? Or did it just take each service's word for how good the encryption was?

It sounds like Mozilla chose the second option. The footer of the study notes: "The information provided here is pulled directly from the product website." 

Individual reports, such as the one for Microsoft Teams, can be a bit fuzzy: "Microsoft Teams uses encryption. It does not appear Microsoft Teams uses end-to-end encryption." 

That's not much of a definite conclusion. We reached out to Mozilla for more information, and Mozilla’s VP of Advocacy and Engagement, Ashley Boyd, responded, saying the survey "entailed combing through privacy policies and other documentation; examining the apps' features and controls; reading relevant news coverage; and corresponding with companies when clarification was needed." Boyd confirmed the absence of technical encryption analysis, saying Mozilla "studied apps' privacy policies and other documentation materials."

Taking their word for it

If any of these services is ever found to be lying about its encryption standards and implementation (such as when The Intercept proved last month that Zoom's "end-to-end encryption" was bogus), the study's scoring may need to be updated.

The stated requirements all seem like basic standards, but they're not met by all. Houseparty, which has had its own (likely misguided) security kerfuffle recently, got a failing 4/5 score (even though it uses some encryption). 

That's due to Houseparty's weak password requirements, which have only a five-character minimum. It even let Mozilla's researchers use "12345" as a password. 

Discord (which also uses encryption) also got a failing 4/5 score because of poor password standards (six-character minimum, "111111" allowed).

Apple's FaceTime got a 4.5/5 passing score, with the half-point docked because of lower password standards set around FaceTime calls, even though "Users can and should password protect their phone to keep unwanted people from making FaceTime calls."

FaceTime, however, does have end-to-end encryption -- or at least Apple says it does.