Zoom today said it will make end-to-end (E2E) encryption available to all of its users, regardless of whether they pay for it or not.
The videoconferencing overnight-sensation has walked back its initial plan to limit E2E cryptography to schools and paid-for accounts, after facing a storm of criticism for the restriction. It will, from next month, offer strong E2E encryption (E2EE) as a beta to any free account holder willing to hand over their contact number, as well as offering it to enterprise customers. We note that Google Meet and other rival services do not offer E2EE.
“Today, Zoom released an updated E2EE design on GitHub,” Zoom CEO Eric Yuan said. “We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform.
“This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform.”
It should be noted that Zoom already encrypts call in transit with AES-256-GCM cryptography, but that isn’t truly end-to-end: E2EE ensures only the meeting participants, and no one else, can encrypt and decrypt the video, voice, and other data flowing between them during a confab. Zoom points out that that this encryption won’t work on PTSN phone lines. This also excludes SIP/H.323 commercial conferencing gear.
Earlier this year, Yuan argued that Zoom couldn’t protect free calls with E2EE because to do so would thwart important law enforcement operations.
“Free users, for sure, we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Yuan told analysts back in April.
In May, Zoom asked for help from digital rights groups who, apparently, told them to stop messing about and give people encrypted calls, law enforcement concerns be damned.
“Since releasing the draft design of Zoom’s end-to-end encryption (E2EE) on May 22, we have engaged with civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others to gather their feedback on this feature,” Yuan said today.
To satisfy the legal issues and requirements, Zoom is asking users to verify their phone numbers by entering a single-use code delivered via text message. “Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts,” Yuan said. “We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”
Needless to say, Zoom has taken no shortage of heat for its handling of security issues since the coronavirus lockdown made the service a household name and brought the upstart under scrutiny.
In response, Zoom moved to bring in the likes of ex-Yahoo! and Facebook CSO Alex Stamos and Luta Security and its founder Katie Mousourris to get its protections up to snuff.