Zoom backtracks on end-to-end encryption
Zoom has u-turned on its controversial decision to only provide the option of end-to-end encryption (e2ee) for its paid users.
The young video-conferencing company exploded in popularity as the coronavirus pandemic took hold earlier this year, forcing people around the world to work and socialise remotely. It has gone from 10 million users in December to hundreds of millions of users today.
As Zoom has become a household name, its privacy and security errors have been brought to attention; these include data sharing with Facebook, accusations that it had overstated its security measures, leaking of personal information to other Zoom users with the same email provider, and a vulnerability which could force Mac users to join Zoom meetings with their cameras automatically activated. These concerns led to a number of government agencies and companies banning the service.
In May, Zoom attracted criticism for its launch of e2ee, which was limited to Zoom users who pay $14.99 per host per month for its premium service. Non-paying users are still relying on less-secure transport layer encryption, which is initiated and terminated with service providers rather than with end users.
Digital rights groups such as the Mozilla Foundation and Fight for the Future called on Zoom to make e2ee available to all users, arguing that privacy and security should not be considered a luxury.
Earlier this month Zoom founder and CEO Eric Yuan said that the company would not offer e2ee to all users in case the company is asked to comply with subpoenas from law-enforcement agencies such as the FBI. His comments were criticised as tone deaf, coming amid widespread protests against police brutality and anti-black racism.
Now, Yuan has announced in a blog post that, following consultation with various groups, the company has decided to give all users the option to use e2ee. Yuan said that the company has “engaged with civil liberties organisations, our CISO council, child-safety advocates, encryption experts, government representatives, our own users, and others to gather their feedback on this feature”.
“We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform,” he wrote. “This will enable us to offer e2ee as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform.”
The company has released an updated e2ee design on its GitHub. The new feature will move into beta testing in July.
In order to access e2ee, users will be asked to complete a one-off verification process such as by verifying a phone number via SMS. Meeting hosts will have the ability to turn on and off e2ee at the account and group level. It will remain an option as it limits some features (such as inclusion of PSTN phone lines).
The digital rights group, the Electronic Freedom Foundation, welcomed the U-turn: “Zoom has done the right thing, changed course, and taken a big step forward for privacy and security. We applaud Zoom’s decision to make privacy and security enhancements available to all of their hundreds of millions of users.”