Nothing Stays Confidential
I was on a Teams call with a financial planner recently. This wasn’t a small operation — it was a well-known, reputable firm with a national presence. The kind of company you’d expect to have their act together.
Within the first few minutes, he had rattled off my Social Security number, account balances, date of birth, and a handful of other details I’d classify, without much hesitation, as sensitive personal information.
I said it made me uncomfortable.
“This is just how we do it,” he said.
I smiled politely. On the inside, my liver was sweating.
I want to be clear: he wasn’t careless. He wasn’t reckless. He was doing exactly what his firm had trained him to do — conducting a client meeting over a standard enterprise video platform in what he believed was a secure, professional environment.
But here’s why the hair on the back of my neck stood up.
He was wrong. Not maliciously. Not negligently, necessarily. Just wrong. And that distinction matters, because if a financial professional at a reputable national firm doesn’t understand the security limitations of the platform he uses every day, the problem isn’t him. The problem is systemic.
Let me show you what I mean.
It Was Never as Secure as You Thought
When people say a platform is “encrypted,” they almost always mean transport encryption — data is scrambled while it travels between your device and the platform’s servers. Think of it like a sealed envelope moving through the postal system. The contents are protected in transit. But the post office can still open it.
End-to-end encryption (E2EE) is different. With true E2EE, only the participants hold the keys. The platform itself cannot decrypt the content of your call. Think of it as a conversation in a language only you and the other person speak.
The major platforms — Zoom, Microsoft Teams, Google Meet — all offer E2EE now. But “offer” is doing a lot of work in that sentence. It is almost universally not the default. Teams E2EE only covers one-on-one calls — not group meetings. On Zoom, enabling E2EE turns off cloud recording and phone dial-in. Most organizations haven’t enabled it at all.
In practice, the vast majority of business video meetings happening right now — including, almost certainly, my financial planner’s — are using transport encryption. Which means the platform vendor can access the content.
Which brings us to the part that should make you uncomfortable.
The Part That Should Make You Uncomfortable
In December 2020, the United States Department of Justice filed federal charges against a Zoom executive based in China.
His official role was Zoom’s liaison to law enforcement and intelligence agencies in China. What he was actually doing — according to federal prosecutors — was monitoring calls for mentions of Tiananmen Square and other politically sensitive topics, terminating the accounts of dissidents and activists, and passing the personal data of US-based users directly to China’s Ministry of State Security.
This was not a hack. No one broke in from the outside. This was a platform employee, with legitimate access, using that access to conduct espionage. A federal arrest warrant was issued. He is still in China.
So. Completely normal Tuesday in the video conferencing industry.
That happened on a platform millions of people were using every day — students, healthcare workers, lawyers, and financial professionals — under the assumption that their calls were private.
And it wasn’t the only problem that year.
As schools scrambled to move to remote learning in 2020, the FBI’s Boston field office issued a formal public warning after hundreds of incidents of virtual classrooms being hijacked. Children were exposed to pornographic and hateful content. A teacher’s home address was shouted live during a lesson. Strangers appeared on camera in front of students. The FBI called it “Zoom-bombing.” It was widespread enough to prompt congressional attention and multiple arrests.
The common thread in both stories isn’t that Zoom was uniquely evil. It’s that millions of people adopted these platforms almost overnight, trusted them implicitly, and never asked the questions they should have.
That unexamined trust is still the default assumption today.
The Platform Isn’t a Locked Room
Transport encryption makes your meeting a conference room with good soundproofing. Nobody passing in the hallway can hear you. But the building management has a master key — and in at least one documented federal case, that key was being handed to foreign intelligence.
End-to-end encryption makes your meeting a conversation in a language only the participants speak. The building can’t help anyone even if they wanted to.
Most meetings are happening in the first room.
Now add the AI layer.
Every major platform now offers AI features — Zoom AI Companion, Microsoft Copilot in Teams, Google Duet. These tools transcribe meetings, generate summaries, identify action items. Most are not on by default. But someone in your organization has probably clicked Enable.
Then there are third-party tools — Tactiq, Otter.ai, Fireflies — that employees add on their own, often without IT’s knowledge. These tools join meetings as a participant, or capture audio at the browser level, and receive the fully decrypted audio stream. They are effectively a new endpoint, with their own privacy policies, data retention schedules, and potentially model training pipelines.
Your “encrypted meeting” may have a third party in the room that nobody introduced — taking notes, storing them on servers you’ve never reviewed, and probably generating a summary more accurate than anything you wrote down yourself.
If my financial planner was sharing my Social Security number with transport encryption only, an AI transcription service running in the background, and a third-party note-taker his colleague added last quarter — that data has touched more systems than either of us knew.
What You Should Actually Do
The trusted friend version, not the compliance framework version.
Before any meeting where sensitive information will be discussed — client PII, financial data, medical information, legal matters — ask explicitly: what platform are we on, what AI features are active, and is anyone recording or transcribing this call? These aren’t paranoid questions. They’re the right questions, and any professional handling sensitive data should be prepared to answer them.
Check whether E2EE is enabled on your enterprise accounts. On most platforms, IT admins can turn it on organization-wide. It may disable some features. Make that decision deliberately, not by default.
Audit your third-party tools. Which AI meeting assistants are your employees using? Are they approved? If your organization operates in healthcare, finance, or legal, you may already have compliance obligations that these tools are quietly violating.
Educate your people. My financial planner wasn’t malicious — he was trained in a culture that had normalized a behavior without ever examining whether it was safe. That culture lives in most organizations. The fix isn’t a policy document. It’s a conversation, ideally before someone’s data ends up somewhere it shouldn’t.
The Bigger Point
The platforms have improved. E2EE exists. Security features have matured since 2020. But the gap between what’s available and what’s actually configured — and between what’s configured and what your employees are quietly adding on their own — is where the risk lives.
My financial planner thought he was in a locked room. He was in a conference room with a window, some note-takers nobody introduced, and a building manager who, in at least one documented case, had been handing keys to foreign intelligence.
“This is just how we do it” is how most security incidents start.
Ask better questions. Know what’s in the room.
The financial planner is probably still doing it the same way. Hi Dave.
Quick Checklist: What To Do Right Now
- Before any meeting involving sensitive information, ask: what platform are we on, what AI features are active, and is anyone recording or transcribing this call?
- Check whether E2EE is enabled on your enterprise video accounts — if not, ask IT to turn it on organization-wide
- Find out which third-party AI meeting tools your employees are using, whether they’re approved, and what their data retention policies say
- If your organization operates in healthcare, finance, or legal, verify those tools don’t violate your existing compliance obligations
- Have the conversation with your team before something goes wrong — not after