In a major security U-turn, videoconferencing platform Zoom has said it will, after all, offer end-to-end encryption to all users — including those who do not pay to use its service.
The caveat is that free users must provide certain “additional” pieces of information for verification purposes (such as a phone number where they can respond to a verification link) before being allowed to use e2e encryption — which Zoom says is a necessary check so it can “prevent and fight abuse” on its platform. However it’s a major step up from the prior offer of ‘no e2e unless you pay us‘.
“We are grateful to those who have provided their input on our E2EE design, both technical and philosophical,” Zoom writes in a blog update today. “We encourage everyone to continue to share their views throughout this complex, ongoing process.”
The company faced a storm of criticism earlier this month after Bloomberg reported comments by CEO Eric Yuan, who said it did not intend to provide e2e encryption for non-paying users because it wanted to be able to work with law enforcement.
Security and privacy experts waded it to blast the stance. One notable critic of the position was cryptography expert, Matthew Green — whose name you’ll find listed on Zoom’s e2e encryption design white paper.
“Once the precedent is set that E2E encryption is too ‘dangerous’ to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it’s going to be hard to put it back,” Green warned in a nuanced Twitter thread.
Obviously I don’t think you should have to pay for E2E encryption.
— Matthew Green (@matthew_d_green) June 3, 2020
Since the e2e encryption storm, Zoom has faced another scandal — this time related to privacy and censorship, after it admitted shutting down a number of Chinese activists accounts at the request of the Chinese government. So the company may have stumbled upon another good reason for reversing its stance — given it’s a lot more difficult to censor content you can’t see.
Explaining the shift in its blog post, Zoom says only that it follows a period of engagement “with civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others”.
“We have also explored new technologies to enable us to offer E2EE to all tiers of users,” it adds.
Its blog briefly discusses how non-paying users will be able to gain access to e2e encryption, with Zoom writing: “Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message.”
“Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse,” it adds.
Certain countries require an ID check to purchase a SIM card so Zoom’s verification provision may make it impossible for some users to access e2e encryption without leaving an identity trail which state agencies could unpick.
Per Zoom’s blog post, a beta of the e2e encryption implementation will kick off in July. The platform’s default encryption remains AES 256 GCM in the meanwhile.
The forthcoming e2e encryption will not be switched on by default — but rather offered as an option. Zoom says this is because it limits some meeting functionality (“such as the ability to include traditional PSTN phone lines or SIP/H.323 hardware conference room systems”).
“Hosts will toggle E2EE on or off on a per-meeting basis,” it further notes, adding that account administrators will also have the ability to enable and disable E2EE at the account and group level.
Today the company also released a v2 update of its e2e encryption design — posting the spec to Github.