Under pressure from privacy and human rights advocates, Zoom said on Wednesday that it would make end-to-end encryption available to both paid and unpaid users of its video conferencing service.
Previously, Zoom said it would provide end-to-end encryption to paying customers and a weaker encryption method, known as pass-through encryption, to non-paying customers. Zoom said the two-tier offering would allow law enforcement to deal with illegal content coming from users who don’t have accounts and are, therefore, difficult to track. Paid users, in contrast, are more traceable and, therefore, less likely to use the platform for illegal purposes.
Critics in privacy and human rights circles say Zoom’s plans threaten to make privacy a premium feature rather than something that comes by default. The critics called on Zoom to provide the same protections for all users.
On Wednesday, Zoom announced a new plan to extend end-to-end encryption, or E2EE, to non-paying users.
“To make this possible, Free / Basic Users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via text message,” Zoom CEO Eric Yuan wrote in a post. “Many leading companies take similar steps on account creation to reduce the number of abusive accounts. We are confident that by implementing risk-based authentication, in conjunction with our current collection of tools—including a User Activity Report—we can continue to prevent and fight abuse.”
The registration process is similar to those required by end-to-end encrypted messaging services, including WhatsApp. Users of those services must verify that they control a valid phone number. Combined with Zoom measures designed to detect illegal behavior, Yuan said, the registration will allow his company to offer E2EE to all users and at the same time enforce security on the platform.
“This is great news,” Jon Callas, a cryptography expert and senior technology fellow at the American Civil Liberties Union, said in response to the announcement. “A strong foundation everywhere helps everyone. Zoom continues to show us that they are serious about security and privacy.”
E2EE is very different from encryption of data in transit. It provides each user with keys that are held only on their devices, where communications are encrypted and later decrypted (the encrypted data is often encrypted a second time as it travels over the wire). Because the service provider does not have access to the keys that encrypt the data, it is impossible for law enforcement or malicious actors to access human-readable content.
Security and privacy advocates say this type of protection is important as more and more sensitive information circulates on the Internet. Groups like the Electronic Frontier Foundation argue that E2EE should be available to all users, whether they pay or not. Currently, Zoom supports only encryption in transit, using 256-bit AES keys in Galois/Counter Mode that are shared on Zoom servers. Yuan said Zoom E2EE will go into beta next month.
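The difference between the two models described above, server-shared AES-256-GCM keys versus keys that exist only on participants' devices, can be seen in a few lines of Go. This is an added illustration, not Zoom's protocol or code from the article: the X25519 exchange, the SHA-256 key derivation, and the names `deviceKey`, `serverCanRead` and `demo` are assumptions, and authentication of the exchanged public keys, which a real design needs, is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on any crypto error so the example cannot continue with a bad key.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aead returns AES-256-GCM, the cipher the article names, for a 32-byte key.
func aead(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// deviceKey runs on a device: X25519 with the peer's public key, SHA-256 as a simplified KDF.
func deviceKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	k := sha256.Sum256(must(priv.ECDH(peer)))
	return k[:]
}

// serverCanRead reports whether a relay holding serverKey can decrypt a frame sealed under senderKey.
func serverCanRead(senderKey, serverKey []byte) bool {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	frame := aead(senderKey).Seal(nil, nonce, []byte("constructed sample frame"), nil)
	_, err := aead(serverKey).Open(nil, nonce, frame, nil)
	return err == nil
}

// demo returns (server reads transit-only traffic, server reads E2EE traffic, peers derive equal keys).
func demo() (bool, bool, bool) {
	alice := must(ecdh.X25519().GenerateKey(rand.Reader))
	bob := must(ecdh.X25519().GenerateKey(rand.Reader))
	serverKey := make([]byte, 32) // transit model: the server generates and holds the key
	must(rand.Read(serverKey))
	ka, kb := deviceKey(alice, bob.PublicKey()), deviceKey(bob, alice.PublicKey())
	return serverCanRead(serverKey, serverKey), serverCanRead(ka, serverKey), string(ka) == string(kb)
}

func main() { fmt.Println(demo()) }
```

In the transit-only case the relay decrypts the frame because it holds the same key as the clients; in the device-key case GCM authentication fails for the relay while both participants still derive an identical key.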
Yuan said that once E2EE is implemented, it will be an option that can be turned on, because it limits some network functions, such as the ability to connect through traditional phone lines or SIP/H.323 equipment. Hosts will be able to turn E2EE on or off on a per-session basis. The CEO also said that account managers will be able to enable and disable E2EE at the account and team level. The updated design for Zoom E2EE is here.