Zoom has confirmed it won’t be offering end-to-end encryption on free accounts. Last week, the company’s security consultant Alex Stamos revealed that plans for tightened security on paying accounts were in the pipeline; today Zoom CEO Eric Yuan has confirmed it. Predictably, the move has stirred a lot of controversy, mainly because Yuan has given the impression that in doing so, Zoom wants to keep authorities sweet.
In the company’s latest financial results announcement, Yuan said, “Free users, for sure, we don’t want to give that [end-to-end encryption]. Because we also want to work it together with FBI and local law enforcement, in case some people use Zoom for bad purpose.” Some have subsequently accused Zoom of “kowtowing to the police.”
However, Stamos asserted that Yuan’s statement was not clear (and also gave a tongue-in-cheek nod to his relationship with his former CEO Mark Zuckerberg), and then took to Twitter to explain in more detail why Zoom has made this decision. According to Stamos, Zoom faces a “difficult balancing act” trying to improve privacy guarantees while “reducing the human impact of the abuse of its product.” Here, he’s referring to hate speech, exposure to children and other illegal behaviors which have blighted Zoom in recent times. Those involved in this type of activity will mostly use a free account with throwaway email addresses – a lower level of encryption will allow Zoom, with the assistance of law enforcement, to take action on repeat offenders.
Some facts on Zoom's current plans for E2E encryption, which are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues. The E2E design is available here: https://t.co/beLdeAwMSM
— Alex Stamos (@alexstamos) June 3, 2020
Concluding, Stamos notes, “Will this eliminate all abuse? No, but since the vast majority of harm comes from self-service users with fake identities this will create friction and reduce harm.” He also reiterated that Zoom does not proactively monitor content in meetings and “will not in the future.” Nor does it, or will it, record meetings silently.
The company has faced a raft of challenges in recent times, largely catalyzed by its increased uptake due to the coronavirus crisis. And now, as the platform is increasingly being used by nefarious individuals for illegal activities, Zoom — like all other tech companies — must strike a balance between security for its trusted users, and mechanisms for weeding out the bad actors. Zoom hasn’t yet given a release date for the new encryption feature.
Update: 06/04/2020 4:45am ET: A Zoom spokesperson has confirmed that free users will be covered by Zoom’s AES 256 GCM encryption, but chats will not be covered by additional end-to-end protections:
“Zoom’s AES 256 GCM encryption is turned on for all Zoom users - free and paid. Zoom does not proactively monitor meeting content, and we do not share information with law enforcement except in circumstances like child sex abuse. We do not have backdoors where participants can enter meetings without being visible to others. None of this will change.
Zoom’s end-to-end encryption plan balances the privacy of its users with the safety of vulnerable groups, including children and potential victims of hate crimes. We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity.
The current decision by Zoom's management is to offer end-to-end encryption to business and enterprise tiers. We are determining the best path forward for providing end-to-end encryption to our Pro users.
Zoom has engaged with child safety advocates, civil liberties organizations, encryption experts, and law enforcement to incorporate their feedback into our plan. Finding the perfect balance is challenging. We always strive to do the right thing.”