Zoom to enable end-to-end encryption for free users too, but with a catch

Zoom seems to be make positive progress in regards to its security and PR issues during its self-imposed 90-feature freeze, but with just one move, they have killed their positive public image and now seem to be making an attempt to remedy it.

Today Zoom made an announcement via blog post titled “End-to-End Encryption Update” that stated “We have engaged with civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others to gather their feedback on this feature. We have also explored new technologies to enable us to offer E2EE to all tiers of users.”

Eric S Yuan, Zoom CEO went on to promote their encryption compromise “Today, Zoom released an updated E2EE design on GitHub. We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform. This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform.”

Related Reading: Zoom

He then went in more detail “To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message. Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”

Additional Information

• We plan to begin early beta of the E2EE feature in July 2020. 
• All Zoom users will continue to use AES 256 GCM transport encryption as the default encryption, one of the strongest encryption standards in use today.
• E2EE will be an optional feature as it limits some meeting functionality, such as the ability to include traditional PSTN phone lines or SIP/H.323 hardware conference room systems. Hosts will toggle E2EE on or off on a per-meeting basis. 
• Account administrators can enable and disable E2EE at the account and group level. 

Our thoughts

On one hand it is great to hear that Zoom is delivering end-to-end encryption to all of its users now and not just its paid users. We fail to be convinced of the reason why free users much submit to additional verification; shouldn’t all users be treated the same?

In the “Additional Information” Yuan says “host will toggle E2EE on or off on a per-meeting basis.” Does that mean calls will be E2EE by default or users have to opt-in to exercise their right to privacy. For an American company they seem to not share the same core American values that many of us share (bill of rights), but that also seems to be a trend of the Silicon Valley breed.

Fear not, there are alternatives, apps like Signal, Brave’s new Brave Together video chat service and others will continue to offer privacy by default.

Related Reading: Zoom 5.0 is rolling out and is addressing some complaints

The other major issue here is that while Zoom says it does not snoop on Zoom meetings, it technically has the capability. Zoom’s credibility is shot to hell at this point, they have been called out on so many lies, do they really think that the market has such a short memory?

Zoom News Recap:

Zoom recently disabled Giphy integration which, follows Facebook acquiring Giphy for $300 million. Zoom is doing this in the name of security especially after a Facebook Login feature was sending data to Facebook even if users did not sign in with Facebook. Zoom has taken the public backlashed it received about its security lapses and instituted a 90-Day feature freeze while it works on tightening security.