Zoom changes course on end-to-end encryption and offers it free to everyone

Originally planned for premium accounts only, Zoom will now offer optional E2EE to all account holders.


Zoom CEO Eric Yuan announced in a blog post Wednesday that Zoom is extending its end-to-end encryption (E2EE) offering to all Zoom account holders.

Zoom released the first draft of its E2EE plan in late May as part of a response to criticism of its security flaws, which became public as Zoom signups skyrocketed during the COVID-19 pandemic. The initial plan for end-to-end encryption on Zoom was reserved to paid customers only, a choice that Zoom explained as allowing it to cooperate with law enforcement investigations into fraudulent free accounts.

Zoom calls that don't use E2EE are secured with AES 256 encryption, which is generally considered one of the safest options available. Before the dustup over its security problems, Zoom was using AES 128, which TechRepublic sister site described as "subpar" for encrypting video calls.

Pressure on Zoom hasn't let up, either: More than half a million accounts have been found for sale on the Dark Web, a third of Zoom users have concerns over privacy issues, and Zoom faced criticism for recently blocking the accounts of Chinese Zoom users holding memorial vigils for the Tiananmen Square massacre despite the fact that the users were located outside of China (the accounts have since been unblocked).


End-to-end encryption secures internet traffic between two endpoints in such a way that (ideally) it can't be decrypted by any third party, the service relaying the traffic included. The keys used to decrypt E2EE traffic are known only to the parties involved in the communication, and many popular chat and video conferencing platforms already offer it.

E2EE in Zoom won't be enabled by default—users will need to toggle it on as an option, and free users will have to submit to a one-time identity verification process that Yuan said is designed to "reduce mass creation of abusive accounts."

The only specific method mentioned in Yuan's blog post is verifying a phone number via text message, but the post also states more generally that "additional pieces of information" will be needed for verification.


Zoom call hosts will need to toggle E2EE on or off on a per-call basis, as E2EE limits some meeting functionality, like including PSTN phone lines or SIP/H.323 conference room hardware. Zoom account administrators will also have the ability to enable or disable E2EE at both organizational and individual user levels.

The new E2EE model proposed by Zoom, available to review on GitHub, "balances the legitimate right of all users to privacy and the safety of users on our platform," Yuan said.

Zoom will begin a beta of E2EE for all accounts in July 2020, though a specific date wasn't given, nor were details of how to sign up for the beta.

This article was updated with corrections on June 18.