End-to-end encryption will be offered to all Zoom users
Zoom Video Communications has decided to extend the benefits of end-to-end encryption (E2EE) not only to paying Zoom customers, but to those who create free accounts, as well.
The decision was reached after much public outcry by privacy-minded users and privacy advocates. As famed cryptographer and privacy specialist Bruce Schneier noted, “we are learning – in so many areas – the power of continued public pressure to change corporate behavior.”
Zoom does an about-face on E2EE
Zoom CEO Eric Yuan announced their decision to bring E2EE to paid users only in early June. He explained that they want to be able to help law enforcement in investigations and that people who use Zoom to disrupt online meetings and to engage in criminal acts and facilitate horrible abuse generally use free (quasi-anonymous) accounts.
In the meantime, though, they’ve found a solution that will allow them to offer E2EE as an advanced add-on feature for all users while maintaining the ability to prevent and fight abuse.
“To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message,” Yuan explained this Wednesday.
“Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”
E2EE for everyone
The decision was welcomed by the Electronic Frontier Foundation, though they pointed out that phone numbers were never designed to be persistent all-purpose individual identifiers, and using them as such creates new risks for users.
“In different contexts, Signal, Facebook, and Twitter have all encountered disclosure and abuse problems with user phone numbers. At the very least, the phone numbers that users give Zoom should be used only for authentication, and only by Zoom. Zoom should not use these phone numbers for any other purpose, and should never require users to reveal them to other parties,” they noted.
An early beta of the E2EE feature is scheduled to be introduced by Zoom in July 2020. The feature will be optional because it limits some meeting functionality, and account administrators will be able to switch it on or off at the account and group level.
“Companies have a prerogative to charge more money for an advanced product, but best-practice privacy and security features should not be restricted to users who can afford to pay a premium,” they added.
The EFF has called on other companies that provide communication tools to provide E2EE encryption to both users who pay for their services and those who don’t.