"While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it."
Because "thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment" and they didn't "design the product" for these "new, mostly consumer use cases", it means that up until now they couldn't have foreseen that lying about e2e encryption to sell enterprise subscriptions was an issue.
> enterprises around the world have done exhaustive security reviews
I'm pretty sure they are referring to security reviews for things like SOC2 and PCI. Which aren't exhaustive and generally consist of throwing a scanner on the network and running some sort of OWASP Top 10 vulnerability tester against the product. I have uncovered major flaws in products I have written that these "extensive reviews" have missed, like user enumeration by changing something in a POST request.
It's very likely that a bunch of companies' RFP process is a feature checklist and to get the "encrypted" box checked they needed that lie, or their product was out of the running.
RFP by "who can tailor their marketing to check all the boxes" is a terrible process and leads to this marketing bloat. RFP would be much more useful if it stuck to "list only things you do that your competitors don't; what processes come with your product that are much more efficient or innovative compared to your competition; like an SEC disclosure, what are three true non-fluff risks to selecting your product; describe your revenue, user growth, and future ownership expectations." If a company can't answer those seriously, push them until they can, or tell them you'll move on.
SOC2 and PCI are a lot more than running an automated scan. Sure, that's part of it, but both are full-on frameworks that stretch well beyond technical controls and deeply into organizational questions.
The important thing is that they establish enough trust to create a basis for shifting liability.
That's the biggest sticking point for me as well. I don't expect my mother to know what end-to-end means but I have a hard time believing that a technology company made this encryption claim in good faith.
What does that have to do with user count?
https://daringfireball.net/linked/2020/03/31/zoom-e2e