Video-conferencing giant Zoom is rolling out a technical preview of its end-to-end encryption (E2EE) next week.
Zoom has faced various controversies around its encryption policies over the past year, including several lawsuits alleging that the company falsely told users that it offers full encryption. Then, the platform came under fire in May when it announced that it would indeed offer E2EE — but to paid users only. The company later backtracked after backlash from privacy advocates, who argued that security measures should be available to all. Zoom will now offer the feature to free/“Basic” users.
The first phase of the E2EE rollout aims to solicit feedback on its policies. Users will be able to weigh in during the first 30 days. Of note, users will need to turn on the feature manually (see below for details).
“We’re pleased to roll out Phase 1 of 4 of our E2EE offering, which provides robust protections to help prevent the interception of decryption keys that could be used to monitor meeting content,” said Max Krohn, head of security engineering with Zoom, in a Wednesday post.
End-To-End Encryption Errors
The topic of encryption is critical for Zoom as it ramps up its security and privacy measures – particularly after various security flaws and privacy issues exposed weaknesses in the online meeting platform, as its user base spiked during the coronavirus pandemic.
Zoom previously said that it offered E2EE, but that marketing claim came into question after a March report from The Intercept said that Zoom’s platform actually uses transport layer security (TLS) encryption, providing only encryption between individual users and service providers, instead of directly between the users of a system.
While “encryption” in the general sense means only that in-transit messages are encrypted, true E2EE occurs when the message is encrypted on the source user’s device, stays encrypted while it’s routed through servers, and is decrypted only on the destination user’s device.
On the heels of this backlash, Zoom in May acquired a small startup called Keybase, with the aim of providing more robust encryption for Zoom calls.
In the case of next week’s rollout, Zoom’s E2EE offering will use public-key cryptography, meaning that the keys for each Zoom meeting are generated by participants’ machines (as opposed to Zoom’s servers).
“While this is still limited across the features it’s enabled for, it represents a significant step in the right direction with regards to ensuring user security and privacy on the platform,” Jack Mannino, CEO at nVisium, told Threatpost. “Distributing keys to the clients and decentralizing trust gives users increased assurance that their communications are less likely to be intercepted through compromised keys or infrastructure.”
According to Krohn, “Encrypted data relayed through Zoom’s servers is indecipherable by Zoom, since Zoom’s servers do not have the necessary decryption key. This key management strategy is similar to that used by most end-to-end encrypted messaging platforms today.”
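The following is an added illustration, not Zoom’s code and not a description of its actual protocol, of the two points made above: the difference between transport-only encryption (where the server terminates the encrypted hop and holds the key) and E2EE (where the key is agreed between the participants’ own machines and the relay only ever sees public values and ciphertext). The participant names, the `Relay` class, the finite-field Diffie-Hellman exchange and the toy HMAC-based cipher are all stand-ins chosen for this example; a real client would use a vetted AEAD and key-exchange implementation.

```python
"""Transport-only encryption versus E2EE for a relayed meeting message (illustrative model)."""
import hashlib
import hmac
import secrets

# 2048-bit MODP group (RFC 3526, group 14), transcribed here; check it against the
# RFC before reusing the parameters anywhere but this demo.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
NONCE_LEN, TAG_LEN = 12, 32


def client_keypair():
    """A participant's own machine picks a DH secret; only the public value ever leaves it."""
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)


def meeting_key(own_secret, peer_public):
    """Symmetric meeting key from the DH shared secret (SHA-256 stands in for a real KDF)."""
    shared = pow(peer_public, own_secret, P)
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Toy authenticated stream cipher: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch: payload altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Relay:
    """Stand-in for the conferencing server: forwards payloads and keeps everything it observed."""

    def __init__(self):
        self.observed = []

    def forward(self, payload):
        self.observed.append(payload)
        return payload


def transport_only_session(message):
    """TLS-style hops: the server shares a session key with each client, so it decrypts mid-path."""
    relay = Relay()
    key_alice_server = secrets.token_bytes(32)   # negotiated between Alice and the server
    key_server_bob = secrets.token_bytes(32)     # negotiated between the server and Bob
    at_server = relay.forward(decrypt(key_alice_server, encrypt(key_alice_server, message)))
    return decrypt(key_server_bob, encrypt(key_server_bob, at_server)), relay


def e2ee_session(message):
    """E2EE: the clients' machines agree the key; the server relays public values and ciphertext only."""
    relay = Relay()
    a_secret, a_public = client_keypair()
    b_secret, b_public = client_keypair()
    key_alice = meeting_key(a_secret, relay.forward(b_public))
    key_bob = meeting_key(b_secret, relay.forward(a_public))
    return decrypt(key_bob, relay.forward(encrypt(key_alice, message))), relay


def server_could_read(relay, message):
    """True if the plaintext ever passed through the server in readable form."""
    return message in relay.observed


def tampered_delivery(message):
    """A relay that alters ciphertext cannot produce a payload the receiver accepts."""
    a_secret, a_public = client_keypair()
    b_secret, b_public = client_keypair()
    blob = bytearray(encrypt(meeting_key(a_secret, b_public), message))
    blob[NONCE_LEN] ^= 0x01                      # flip one bit in transit
    try:
        decrypt(meeting_key(b_secret, a_public), bytes(blob))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    sample = b"constructed sample: one meeting audio frame"
    for label, session in (("transport-only", transport_only_session), ("E2EE", e2ee_session)):
        delivered, relay = session(sample)
        print(f"{label}: delivered={delivered == sample} server_could_read={server_could_read(relay, sample)}")
```

Running the script shows both paths delivering the message intact, but only the transport-only path leaves the plaintext in the relay’s log; in the E2EE path the relay’s record contains two public DH values and an authenticated ciphertext, which is exactly what a server “without the necessary decryption key” is left holding. The `tampered_delivery` check shows the other half of the property: an intermediary that cannot read the stream also cannot silently modify it without the receiver noticing.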
Next Week’s Rollout
Zoom hosts can enable E2EE at the account, group or user level in their settings. Zoom said that in phase one of its rollout, all meeting participants must join from the Zoom desktop client, mobile app or Zoom Rooms. In order to see that E2EE is enabled, participants can look for a green shield logo in the upper left corner of their meeting screen with a padlock in the middle.
Enabling the feature may disable certain other features, such as “join before host,” cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat and meeting reactions, said Zoom.
“Zoom’s top priority is the trust and safety of our users, and our implementation of E2EE will allow us to continue to enhance safety on our platform,” said Zoom. “Free/Basic users seeking access to E2EE will participate in a one-time verification process that will prompt the user for additional pieces of information, such as verifying a phone number via text message.”
Zoom said the second phase of the rollout, which will include better identity management and E2EE single sign-on (SSO) integration, is roadmapped for 2021.