Zoom changes tune to say end-to-end encryption will come to all accounts

18 Jun 2020

Image: © PixieMe/Stock.adobe.com

End-to-end encryption will start rolling out for all Zoom users in July.

Zoom’s position on end-to-end encryption (E2EE) has changed once again. In a new blog post from the video conferencing company, it said it will now bring E2EE to all customers – including free accounts – despite CEO Eric Yuan stating previously that only paid customers would receive this level of encryption.

Yuan drew criticism from privacy advocates after he said in an earnings call earlier this month that the company was building an E2EE meeting mode, but free accounts would not be able to avail of it. This was to allow law enforcement to access user information “in case some people use Zoom for a bad purpose”.

The company said that since its first E2EE announcement, it has worked with civil liberties organisations, governments and encryption experts to find a “path forward that balances the legitimate right of all users to privacy and the safety of users on our platform”.

However, free or basic Zoom users will have to share additional information before accessing E2EE, such as verifying a phone number via a text message, in order to “prevent and fight abuse” on the platform.

A ‘complex, ongoing process’

An early beta of the E2EE feature is set to roll out in July of this year, with all Zoom users to continue working from the AES 256 GCM transport encryption standard in the meantime. Zoom added that E2EE will be an optional feature as it limits some account meeting functionality, such as not allowing traditional phone lines to dial into a meeting.

Furthermore, account administrators will be in a position to enable and disable E2EE at the account and group level.

“We are grateful to those who have provided their input on our E2EE design, both technical and philosophical,” Zoom said. “We encourage everyone to continue to share their views throughout this complex, ongoing process.”

Earlier this year, Zoom claimed in documentation that its service was E2EE, meaning the company could not access user videos and conversations on the platform. However, after reports emerged that Zoom was not actually E2EE, the company said the issue was a matter of defining what end-to-end encrypted actually means.

In April, the platform’s encryption was changed to AES 256-bit GCM. While not E2EE, security researchers described it as a “significant improvement” on what came before.

Colm Gorey was a senior journalist with Silicon Republic