Zoom Changes Course, Will Enable End-to-End Encryption for All

Six months ago, many people had never heard of Zoom. Although the video conferencing service has been around for a long time among business users, it wasn’t until the global pandemic isolated everybody in their homes that Zoom became a household word.

As everyday people began to look for ways to stay in touch with friends, relatives, coworkers, classmates, and teachers, Zoom showed many of its strengths over services like FaceTime, but it also began to show its weaknesses, as a collection of security and privacy issues came to light. Some of these were simply a matter of features that weren’t often needed by businesses being disabled by default, such as password-protected meetings and “waiting rooms,” while others were much more serious flaws that had simply flown under the radar, ranging from the way the Zoom client was installed on Macs and PCs to the lack of strong encryption.

In the face of these revelations, Zoom’s CEO stepped up with promises to fix most of these issues back in April, and by and large Zoom has done a pretty good job of addressing some of the most egregious security concerns. New defaults now enforce passwords for new meetings, helping to prevent “Zoombombing,” and the shady macOS installer was rewritten to stop acting like malware under the guise of making it easier for users to install.

Encryption

One area in which Zoom has been a bit more opaque, however, is in its approach to encryption. Originally, Zoom disingenuously claimed that it was using end-to-end encryption, but as researchers quickly discovered, that term didn’t mean what Zoom seemed to think it meant, and Zoom was forced to come clean and admit that it wasn’t truly “end-to-end” encryption, but merely encrypted connections between the Zoom client and the Zoom servers. This is a level of security that doesn’t make Zoom particularly special, since just about every other service on the planet offers it too, but more importantly it’s also one that doesn’t prevent Zoom from being able to eavesdrop on conversations.

Of course, true end-to-end encryption can be complicated to implement for a number of different reasons, and it’s not just about the technology itself, but also supporting features where unencrypted communications are effectively necessary. For instance, Zoom allows participants to dial in to a Zoom conference using a normal telephone line, however an end-to-end encrypted call would preclude this as Zoom would have no way of delivering the audio to the participant.

Still, Zoom promised that it would begin the implementation of end-to-end encryption as soon as possible, but with an important caveat: Only paying Zoom users would have access to the more secure encryption features.

Zoom had a certain logic for this decision, and it wasn’t solely about encouraging users to pay up. Instead, it was the fact that Zoom was concerned that allowing end-to-end encryption for free users, who are inherently anonymous and can be untraceable to begin with, would open the door to all sorts of bad actors without giving Zoom the ability to cooperate with law enforcement when and if these kinds of problems occurred.

Of course, privacy advocates pilloried Zoom for this stance, suggesting that Zoom was making “basic security” a luxury feature only available to “wealthy individuals and big corporations” (notwithstanding that a Zoom Pro subscription starts at only $15/month to host meetings of up to 100 people, there’s still a valid principle involved here).

As usual, the truth of the situation was somewhere in the middle, and with even a few cases of some pretty serious and disturbing “Zoombombings” involving young schoolchildren, it’s understandable why Zoom’s executives may have been nervous about allowing random anonymous accounts to use end-to-end encryption.

However, Zoom’s approach was actually very likely untenable on the face of it. Zoom has long worked on the basis that only the “host” of a meeting needs to have a paid account, each of which then allows up to 99 other participants to join their meeting without even needing to have a Zoom account at all, much less be paying for one. So technically speaking, Zoom’s current approach wouldn’t preclude bad actors from participating in end-to-end encrypted meetings with completely anonymity unless additional restrictions were added, since end-to-end encryption is an “all-or-nothing” approach — either the entire meeting encrypted for all participants or its not encrypted for any of them.

Encryption For All

Since Zoom was extremely unlikely to change its business model to require every meeting participant to be a paying user, it probably became apparent that the limitation it had originally proposed was mostly pointless anyway, and so it’s not all that surprising that the company has reversed course and now announced that it will be offering full end-to-end encryption as an option for all Zoom users, not just those who are paying for accounts.

Zoom provided the news in an update this week, noting that it has been talking to various stakeholders including “civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others” in order to determine how to best implement the feature, and as a result of these discussions it has decided that end-to-end encryption should be offered to all Zoom users around the globe, both free and paid.

That said, Zoom isn’t going to make it a free-for-all; while users won’t need to pay for an account to use end-to-end encryption, they’ll still need to take a few additional steps to identify themselves in order to prevent abuse. It sounds like users may need to register for a Zoom account — albeit a free one — and then go through a “one-time process” that asks for additional information, such as verifying the user’s phone number via a text message.

It’s unclear whether this procedure will only be necessary for the account of the person hosting a Zoom meeting, or whether Zoom intends to require validation for all participants. If the latter is the case, this may complicate things a bit further for “guest” participants in a meeting — those without a Zoom account, since they would be either required to sign up for an account, or at least go through a text message verification procedure before they can join.

Of course, the end-to-end encryption feature will be optional. on a per-meeting basis, so if it ends up being too restrictive on participants, meeting hosts can always choose not to use it. In this case they’ll still have the same basic encryption that Zoom offers right now, which will protect conversations from being intercepted by third parties, but not from being intercepted by Zoom itself. There will also be situations where end-to-end encryption cannot be used, such as when allowing users to call in from normal phone lines or using conference room systems.

The end-to-end encryption feature is expected to arrive next month as an “early beta” in the Zoom app.