Under pressure from privacy and human rights advocates, Zoom said on Wednesday that it will make end-to-end encryption available to both paying and non-paying users of its video conferencing service.
Previously, Zoom said it would provide end-to-end encryption to paying customers and a less-robust form of encryption, known as transit encryption, to non-paying customers. Zoom said the two-tier offering would allow law enforcement to regulate illicit content coming from users who don’t have accounts and, hence, are harder to track. Paying users, by contrast, had more traceability and, hence, were less likely to use the platform for illegal purposes.
Critics in privacy and human rights circles said the Zoom plans threatened to make privacy a premium feature rather than something that’s available by default. The critics called on Zoom to provide the same protections for all users.
On Wednesday, Zoom announced a new plan to extend end-to-end encryption, or E2EE, to non-paying users.
“To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message,” Zoom CEO Eric Yuan wrote in a post. “Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools—including our Report a User function—we can continue to prevent and fight abuse.”
“Great news”
The registration process is similar to those required by end-to-end messaging services Signal and WhatsApp. Users of each service must prove they have control of a valid phone number. When combined with Zoom measures designed to detect illicit behavior, Yuan said the registration will allow his company to offer E2EE to all users and at the same time enforce safety on its platform.
“This is great news,” Jon Callas, a cryptography expert and senior technology fellow at the American Civil Liberties Union, said in response to the announcement. “Strong encryption everywhere helps everyone. Zoom continues to show us that they’re serious about security and privacy.”
E2EE is vastly different from simply encrypting data in transit. Instead, it provides each user with keys that reside solely on their devices, where communications are encrypted and later decrypted (the encrypted data is usually encrypted a second time as it travels over the wire). With the service provider having no access to the keys that decrypt the data, it’s impossible for law enforcement or malicious insiders to access the human-readable content.
Security and privacy advocates say that this kind of protection is crucial as more and more sensitive information is transmitted over the Internet. Groups such as the Electronic Frontier Foundation argue that E2EE should be made available to all users, whether they pay or not. Currently, Zoom conferences receive only transport encryption with 256-bit AES keys distributed in Galois/Counter Mode over Zoom servers. Yuan said Zoom E2EE will go into beta next month.
Yuan said that once E2EE is implemented, it will be an option that can be turned on because it limits some meeting functionality, such as the ability to connect by traditional phone lines or SIP/H.323 hardware. Hosts will be able to turn E2EE on or off on a per-meeting basis. The CEO also said that account administrators will be able to enable and disable E2EE at the account and group level. An updated design from Zoom E2EE is here.