I mean, I agree with you, and I guess the "surely Apple is not blatantly lying about being unable to read the content of your communication" argument has eroded a bit after Zoom's behaviour. But the penalties (both in terms of reputation and in terms of monetary fines) for this kind of misbehaviour are already large, and are likely to increase over time, and it seems an unnecessarily extreme risk for these companies to take.
But yes, impossible-to-verify claims are not worth very much at all.
As for fines, companies already do sophisticated risk analysis so that the average outcome would be far more than the average potential cost. I know oil companies do highly sophisticated risk and reward calculations with violations.
As for 3reputational damage, that’s a long term effect. A few events won’t have a lasting impact. If it turns out that Apple Key Chain is not e2e, or worse iOS exfiltrates key material from apps, that would be major news, but soon people will forget (if they ever cared in the first place) and keep buying iPhones unless the misbehavior is a recurrent problem. A company like Apple will make it extremely difficult to discover such misconduct.
What penalties? The NSA boasted (internally) about how much they were spying on Skype, and I'm not aware of Microsoft having been penalized in any way for lying about it, probably even the opposite?
I don't... did you even read TFA? All the order says is that they can't lie about it again. They don't have to pay anything, they don't have to actually fulfill their prior claims, and the other parts of the agreement they likely already comply with, and if not it'll be quite cheap (relatively) to do so.
Yes, but they endured reputational damage, and companies hypothetically lying about it now could reasonably expect to have to pay something in future enforcements, which is what I was trying to get at in my previous comment. Reading it now, it was really sloppily worded by lumping together those things, but I'll leave it as it was so that the rest of this thread makes sense.
> they don't have to actually fulfill their prior claims
Given that they don't claim it any more, I'm not sure that they could be forced to start doing it -- put another way, not having E2E encryption is not a crime as long as you don't claim to have it.
How much actual reputational damage could they have possibly endured? I haven't noticed any fewer people using Zoom.
It's a consent order. They're willingly agreeing to it in order to avoid other costs (like fines and a lengthy trial). There's no "forced to" involved.
I think this probably varies a lot between social groups; I know of many people (including non-technical) who were motivated to explore alternatives after reading news articles about Zoom's behaviour. A bunch of non-technical friends subsequently started to use meet.jit.si for meeting up, playing board games, etc, for example.
Zoom's revenue is in corporate accounts, just like Slack - my 10k ppl company uses branded enterprise accounts on both systems, we even have VOIP via them with DIDs. Companies of size do not pivot quickly on telecom and messaging system changes, it takes a lot more than a single issue or two for our money to not be in their pockets.
But yes, impossible-to-verify claims are not worth very much at all.