Security experts are up in arms after learning that video conferencing app Zoom will only offer end-to-end encryption to paid users.
On Zoom’s Wednesday first-quarter financial earnings call, Zoom CEO Eric Yuan said that the upcoming end-to-end encryption feature would not be available to free users. Alex Stamos, former chief security officer at Facebook, who is currently working as an advisor for Zoom, then defended this policy in a Twitter thread, explaining that Zoom is juggling a “balancing act.” On the one hand, Zoom wants to offer the extended privacy feature to its users, he said. On the other hand, the platform still needs to be able to work with federal and local law enforcement to reduce abuse, such as Zoom bombing, he said.
“Zoom is dealing with some serious safety issues,” Stamos said on Wednesday. “When people disrupt meetings (sometimes with hate speech, [child sex-abuse material] CSAM, exposure to children and other illegal behaviors) that can be reported by the host. Zoom is working with law enforcement on the worst repeat offenders.”
The announcement drew backlash from the security community, who said that extra security measures should be available to all – regardless of whether or not they can pay the starting price of $15 per month for Zoom Pro.
“It doesn’t matter how good the crypto is if you can’t turn it on. e2e encryption for ALL users,” said high-profile security researcher Charlie Miller, on Twitter.
remember unless you want to pay for zoom, they’ll be happy to hand over your calls to the feds. it doesn’t matter how good the crypto is if you can’t turn it on. e2e encryption for ALL users. https://t.co/Nh7W40zXoE
— Charlie Miller (@0xcharlie) June 3, 2020
Ben Pick, senior application security consultant at nVisium, told Threatpost that removing or disabling security protections for end users to comply with law enforcement “should never be the solution.”
“For every legitimately malicious actor identified through these methods, there will be exponentially more instances of abuse, detected or otherwise,” he said. “Preventing end-to-end encryption makes users susceptible to a wide range of attacks and significantly exposes their privacy and safety.”
Platform Abuse
The “legitimate safety issues” referenced by Stamos include various malicious behaviors. Zoom has found itself increasingly targeted by “Zoom bombers” who hijack meetings to spread hate speech or spy on sensitive company data. The issue caught the eye of U.S. government officials, who called for the use of Zoom to be suspended after a U.S. House Oversight Committee meeting was disrupted by Zoom bombing in April.
Stamos, for his part, said that the vast majority of platform abuse comes from “self-service users” with fake identities: “These hosts mostly come in from VPNs, using throwaway email addresses, create self-service orgs and host a handful of meetings before creating a new identity,” he said.
If meeting hosts are using end-to-end encryption and want to report a Zoom-bomber, Stamos said, “the likely solution will be a content ring-buffer of the last X seconds on the host’s system that can be submitted to Zoom for triage and action.”
End-To-End Encryption
The topic of encryption is critical for Zoom as it ramps up its security and privacy measures – particularly after various security flaws and privacy issues exposed weaknesses in the online meeting platform, as its user base spiked during the coronavirus pandemic.
“Zoom’s AES 256 GCM encryption is turned on for all Zoom users – free and paid,” a Zoom spokesperson told Threatpost. “Zoom does not proactively monitor meeting content, and we do not share information with law enforcement except in circumstances like child sex abuse. We do not have backdoors where anyone can enter meetings without being visible to others. None of this will change.”
However, it’s important to distinguish end-to-end encryption from the transport encryption Zoom already applies. Transport encryption protects traffic in transit between each client and Zoom’s servers, but the servers terminate that encryption and therefore have access to the meeting content. End-to-end encryption means the content is encrypted on the sending user’s device, stays encrypted while it is routed through servers that hold no key to it, and is decrypted only on the receiving user’s device.
Zoom previously said that it offered end-to-end encryption, but that marketing claim came into question after a report from The Intercept said that Zoom’s platform actually uses transport layer security (TLS) encryption, which protects traffic only between each user and Zoom’s servers rather than encrypting communication directly between the users of the system.
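As an added illustration of the distinction above (example code written for this page, not Zoom’s code and not the design Zoom published), the following Go program runs one frame from participant A through a relay server to participant B using AES-256-GCM, the cipher Zoom cites. In the transport-only path the relay terminates A’s session and holds the frame in the clear before re-encrypting it for B; in the end-to-end path A first encrypts under a meeting key the relay never receives, so the relay forwards bytes it cannot open. The session keys, the meeting key, the relay, and the sample frame are all constructed locally, and the function and key names are assumptions for the demonstration, not a description of Zoom’s actual protocol.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// random returns n cryptographically random bytes (used here for keys and nonces).
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an RNG fault is not recoverable in this demo
	}
	return b
}

// gcmFor builds an AES-256-GCM AEAD from a 32-byte key; key size is fixed here, so failure is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher (16-byte block)
	return gcm
}

// seal encrypts plaintext under key, with a fresh random nonce prepended to the ciphertext.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; with the wrong key the GCM tag check fails and an error is returned.
func open(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// relayForward is the server's job in both modes: terminate A's transport layer and re-seal
// for B. It also returns the bytes it held in between, so the caller can check what it saw.
func relayForward(keyA, keyB, wire []byte) (toB, held []byte, err error) {
	held, err = open(keyA, wire)
	if err != nil {
		return nil, nil, err
	}
	return seal(keyB, held), held, nil
}

// TransportOnly models TLS-style protection: A seals the raw frame under its session key with
// the relay, so the relay holds the frame in the clear before re-sealing it for B.
func TransportOnly(keyA, keyB, msg []byte) (received, relayHeld []byte, err error) {
	toB, held, err := relayForward(keyA, keyB, seal(keyA, msg))
	if err != nil {
		return nil, nil, err
	}
	received, err = open(keyB, toB)
	return received, held, err
}

// EndToEnd models E2EE: A first seals under meetingKey (assumed already shared with B and never
// given to the relay), then wraps that ciphertext in the same transport layer as before.
func EndToEnd(keyA, keyB, meetingKey, msg []byte) (received, relayHeld []byte, err error) {
	toB, held, err := relayForward(keyA, keyB, seal(keyA, seal(meetingKey, msg)))
	if err != nil {
		return nil, nil, err
	}
	innerAtB, err := open(keyB, toB) // B strips the transport layer ...
	if err != nil {
		return nil, nil, err
	}
	received, err = open(meetingKey, innerAtB) // ... and only a meeting-key holder can open the inner one
	return received, held, err
}

// RelayCanDecrypt reports whether any key the relay holds opens blob.
func RelayCanDecrypt(relayKeys [][]byte, blob []byte) bool {
	for _, k := range relayKeys {
		if _, err := open(k, blob); err == nil {
			return true
		}
	}
	return false
}

func main() {
	keyA, keyB, meetingKey := random(32), random(32), random(32)
	msg := []byte("constructed sample: audio frame 0042") // constructed input, not real meeting media
	_, heldT, _ := TransportOnly(keyA, keyB, msg) // keys match on every hop, so the errors are nil here
	_, heldE, _ := EndToEnd(keyA, keyB, meetingKey, msg)
	fmt.Println("relay held plaintext: transport-only =", bytes.Equal(heldT, msg),
		"end-to-end =", RelayCanDecrypt([][]byte{keyA, keyB}, heldE))
}
```

Running it with `go run` prints `transport-only = true` and `end-to-end = false`: the relay did the same forwarding work in both cases, and only the placement of the keys decides whether it ever possessed the content. The example assumes the meeting key has already been agreed between A and B; distributing that key to participants without the server learning it is the hard part of any real end-to-end design and is not shown here.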
The platform began to roll out plans for end-to-end encryption in May, starting with the acquisition of a small startup called Keybase in hopes of providing more robust encryption for Zoom calls; the company said at the time that the feature would be opt-in on paid subscriptions, but didn’t elaborate. Zoom has also released a design for its end-to-end encryption plans on GitHub.
Researcher Bruce Schneier said in a Thursday post that the design document doesn’t explain why end-to-end encryption is only available to paying customers.
“This decision will only affect protesters and dissidents and human rights workers and journalists,” said Schneier. “Of course you should offer premium features to paying customers, but please don’t include security and privacy in those premium features. They should be available to everyone.”
Zoom did not say when its end-to-end encryption feature would roll out. Threatpost has reached out for further comment.