Zoom to Launch End-to-End Encryption - Next Week
Starting next week, Zoom will initiate the distribution of end-to-end encryption capabilities to users of its video conferencing service, the company announced today.
The platform, which has experienced significant growth due to the increased demand for remote work and social interaction during the current year, has been focused on improving its standing regarding security and privacy since April – following concerns raised about inaccurate statements concerning the availability of end-to-end encryption (E2E) – despite previously claiming it was in place. Now, E2E is finally becoming a reality.
“We are pleased to share that, beginning next week, Zoom’s end-to-end encryption (E2EE) feature will be released as a technical preview, meaning we are actively seeking user feedback during the initial 30-day period,” the company stated in a blog post. “Zoom users, both those with free and paid accounts, globally, will be able to host meetings with up to 200 attendees utilizing E2EE, thereby enhancing the privacy and security of their Zoom interactions.”
In May, Zoom completed the acquisition of Keybase, with the stated intention of creating “the most widely adopted end-to-end encryption solution for enterprise use.”
Initially, the company’s CEO, Eric Yuan, indicated that this enhanced level of encryption would be exclusive to paying subscribers. However, after considerable public criticism, the company quickly reversed this decision – announcing in June that all users would have access to the highest security standards, irrespective of their subscription status.
Zoom has confirmed that users with Free or Basic accounts who wish to access E2EE will be required to complete a one-time verification procedure – involving the provision of supplementary information, such as confirming a phone number through text message – to help minimize “the large-scale creation of abusive accounts.”
“We are confident that implementing risk-based authentication, alongside our existing suite of tools – including our collaborations with organizations focused on human rights and child safety, and the ability for users to secure meetings, report abuse, and utilize a range of security features – will allow us to further strengthen the safety of our users,” the company explained.
The launch of the technical preview next week represents the first phase of a four-part plan to integrate E2E encryption into the platform.
This initial phase includes certain limitations – affecting both the features available during E2EE Zoom meetings (access to features like ‘Join before host,’ cloud recording, live streaming, live transcription, Breakout Rooms, polling, one-on-one private chat, and meeting reactions will be unavailable); and the devices that can be used to participate in meetings (all participants in phase 1 E2EE meetings must join via the Zoom desktop client, mobile app, or Zoom Rooms).
The subsequent phase of the E2EE rollout – which will incorporate “improved identity management and E2EE SSO integration,” according to Zoom’s blog – is “provisionally” scheduled for 2021.
Starting next week, users interested in testing the technical preview will need to activate E2EE meetings at the account level and then choose to enable E2EE for each meeting individually.
All individuals joining a meeting must have the E2EE setting activated to participate in an E2EE meeting. Meeting hosts can enable the setting for E2EE at the account, group, or user level, and can lock these settings at the account or group level, Zoom details in its frequently asked questions.
The AES 256-bit GCM encryption currently employed by Zoom will continue to be used, but will now be combined with public key cryptography – meaning the encryption keys are generated locally by the meeting host before being shared with participants, rather than being generated by Zoom’s cloud infrastructure.
“Zoom’s servers function as unaware relays and do not have access to the encryption keys needed to decrypt the meeting content,” the company clarifies regarding the E2EE implementation.
To confirm you have joined an E2EE Zoom meeting, a dark padlock icon will appear alongside the green shield icon in the upper left corner of the meeting window. (Zoom’s standard GCM encryption displays a checkmark in this location.)
Meeting attendees will also be able to view the meeting leader’s security code – which can be used to verify the connection’s security. “The host can announce this code verbally, and all participants can confirm that their screens display the same code,” Zoom notes.