As Zoom continues on its path to bring end-to-end encryption (E2EE) to users, the big news is that only paying customers will get access to the option.
“Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Zoom CEO Eric Yuan said on a company earnings call on Tuesday.
Zoom encryption and end-to-end encryption
- All users, whether on free or paid accounts, can now use AES 256-bit GCM encryption for their Zoom meetings and webinars. This is encryption in transit, not E2EE: Zoom manages the keys, so it does not stop Zoom itself from decrypting meeting content (see below). To take advantage of it, users have to upgrade their Zoom client (mobile or desktop app) to v5.0 or later.
- The company has released a draft design of their end-to-end encryption capability on GitHub and is hosting discussions with cryptographic experts, nonprofits, advocacy groups, customers, and others to solicit feedback for the final design.
- The company plans to add multi-factor authentication options for free and Pro users at some unspecified future date.
“Our top priority is to focus on building effective end-to-end encryption for our meeting product first, where it will be most useful. We are considering end-to-end encryption options for Zoom Chat, Zoom Phone, and Zoom Video Webinars down the road,” the company stated.
E2EE just for those who pay for an account
With ordinary (transport) encryption, the service provider holds the encryption keys and can therefore decrypt communications, for example when law enforcement demands it. With E2EE, the keys are generated on the devices of the people involved in the communication and never leave them, so the provider only ever relays ciphertext it cannot read.
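The distinction above comes down to who holds the key. The following is an added example written for this article, not Zoom's code and not its published draft design: it models both modes in Go's standard library, with the provider as a relay that records everything crossing it and then tries to decrypt. The server-terminated mode uses a key the provider generated and distributed; the E2EE mode has each client generate its own X25519 key pair and derive the AES-256-GCM meeting key locally. The `Relay`, `ServerTerminated` and `EndToEnd` names, the labelled SHA-256 key derivation and the sample message are all illustrative assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must aborts on errors that only occur if the CSPRNG or key material is broken.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sealGCM returns nonce || ciphertext || tag for plaintext under a 32-byte key.
func sealGCM(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// openGCM reverses sealGCM; a wrong key or a flipped bit is an error, never garbage.
func openGCM(key, msg []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(msg) < gcm.NonceSize() {
		return nil, fmt.Errorf("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// Relay models the provider: it forwards traffic, records it, and keeps any keys it issued.
type Relay struct{ Observed, Keys [][]byte }

func (r *Relay) Forward(msg []byte) []byte {
	r.Observed = append(r.Observed, msg)
	return msg
}

// TryDecrypt models a lawful-access request answered from the provider's side:
// every key it holds and every 32-byte value it saw on the wire is tried on ct.
func (r *Relay) TryDecrypt(ct []byte) ([]byte, bool) {
	for _, k := range append(append([][]byte{}, r.Keys...), r.Observed...) {
		if len(k) != 32 {
			continue
		}
		if pt, err := openGCM(k, ct); err == nil {
			return pt, true
		}
	}
	return nil, false
}

// exchange sends one message from Alice (keyA) to Bob (keyB) via the relay, then lets the relay try.
func exchange(relay *Relay, keyA, keyB, plaintext []byte) (bobGot []byte, relayCanRead bool, err error) {
	ct := relay.Forward(sealGCM(keyA, plaintext))
	bobGot, err = openGCM(keyB, ct)
	_, relayCanRead = relay.TryDecrypt(ct)
	return bobGot, relayCanRead, err
}

// ServerTerminated models transport encryption: the provider generates and
// distributes the meeting key, so it can decrypt on demand.
func ServerTerminated(plaintext []byte) ([]byte, bool, error) {
	relay := &Relay{}
	key := make([]byte, 32)
	must(rand.Read(key))
	relay.Keys = append(relay.Keys, key) // the provider keeps what it issued
	return exchange(relay, key, key, plaintext)
}

// meetingKey turns an X25519 shared secret into an AES-256 key. The labelled
// SHA-256 is an illustrative KDF; a real design would use HKDF bound to the session.
func meetingKey(priv *ecdh.PrivateKey, peerPub []byte) []byte {
	secret := must(priv.ECDH(must(ecdh.X25519().NewPublicKey(peerPub))))
	sum := sha256.Sum256(append([]byte("example-meeting-key|"), secret...))
	return sum[:]
}

// EndToEnd models E2EE: private keys never leave the devices; only public keys
// and ciphertext cross the relay, so the provider holds nothing that decrypts.
func EndToEnd(plaintext []byte) ([]byte, bool, error) {
	relay := &Relay{}
	alice := must(ecdh.X25519().GenerateKey(rand.Reader)) // stays on Alice's device
	bob := must(ecdh.X25519().GenerateKey(rand.Reader))   // stays on Bob's device
	kA := meetingKey(alice, relay.Forward(bob.PublicKey().Bytes()))
	kB := meetingKey(bob, relay.Forward(alice.PublicKey().Bytes()))
	return exchange(relay, kA, kB, plaintext)
}

func main() {
	msg := []byte("Q3 board agenda (constructed sample)")
	_, transport, _ := ServerTerminated(msg)
	_, e2ee, _ := EndToEnd(msg)
	fmt.Println("provider can decrypt: transport =", transport, "e2ee =", e2ee)
}
```

In the E2EE run the relay has seen two 32-byte public keys and the ciphertext; using the public keys as AES keys fails GCM authentication, so `TryDecrypt` returns false even though the relay saw every byte exchanged. The caveat a practitioner will spot immediately: this toy exchange does not authenticate the public keys, so a relay that actively swaps in its own keys could sit in the middle. Binding the keys to the participants' identities is the hard part that any real E2EE design for a conferencing product has to solve.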
Yuan’s explanation of why end-to-end encryption would not be available to free accounts has been fleshed out by Alex Stamos, former Facebook CISO and current adjunct professor at Stanford University’s Center for International Security and Cooperation, who’s now also a security and privacy adviser to Zoom.
Some facts on Zoom's current plans for E2E encryption, which are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues.
The E2E design is available here: https://t.co/beLdeAwMSM
— Alex Stamos (@alexstamos) June 3, 2020
In short, Zoom’s decision is motivated by the need to find a way to deal, in conjunction with law enforcement, with people who disrupt meetings (often repeat offenders).
“The other safety issue is related to hosts creating meetings that are meant to facilitate really horrible abuse. These hosts mostly come in from VPNs, using throwaway email addresses, create self-service orgs and host a handful of meetings before creating a new identity,” Stamos explained.
He concedes that not offering E2EE to free tier users will not eliminate all abuse, but that “since the vast majority of harm comes from self-service users with fake identities this will create friction and reduce harm.”
Privacy and digital rights advocates have argued that this decision will ultimately hurt vulnerable groups such as activists, journalists, nonprofits and domestic violence victims, groups that desperately need E2EE but may not have the resources to pay for a plan.
Zoom’s decision comes at a time when a new piece of legislation (the EARN IT Act) is being pushed through the US Congress that is expected to ultimately force or incentivize tech and internet companies to abandon plans to offer end-to-end encryption to users.