Zoom initially said that it would not offer end-to-end encryption (E2EE) to free users, though it did announce it would incorporate AES 256 GCM transport encryption for all users. Since then, Zoom has started building out its E2EE solution and now says that it has “identified a path forward” that will accomplish that goal. Zoom’s E2EE should be released in an early beta in July.
The company claims that it has taken feedback from civil liberties organizations, security experts and the government to form its new course of action. Zoom will require free users to undergo a one-time verification process to enable encryption. “All Zoom users will continue to use AES 256 GCM transport encryption as the default,” says the company, because E2EE does cause issues with some hardware, such as PSTN or SIP conference phones. As such, users will be able to turn E2EE off as needed.
The hassle of verification seems like a small price to pay for secure conversations. With Zoom’s newfound ubiquity, it can be difficult to convince others to use different conferencing apps. That said, this entire journey has been a bit of a headache. At least all users will be able to use end-to-end encryption once it is released, something that arguably should have been part of Zoom’s software in the first place.
Update, 6/19/20 11:15AM ET: This story originally conflated Zoom’s AES 256 GCM encryption with the end-to-end encryption; we’ve since clarified that Zoom currently offers AES 256 GCM to all users and should start beta testing E2EE in July. We apologize for the confusion.