Video-calling app Zoom has been on the receiving end of sharp criticism for security weaknesses. In response, the company announced today a plan to offer end-to-end encryption to all users, with a trial to begin next month.
End-to-end encryption update from Zoom – we have found a path forward to provide this feature to all users (free and paid) around the globe >> https://t.co/rjwCLYKDuJ <<
— Zoom (@zoom_us) June 17, 2020
Here's the company's announcement.
Excerpt:
Since releasing the draft design of Zoom’s end-to-end encryption (E2EE) on May 22, we have engaged with civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others to gather their feedback on this feature. We have also explored new technologies to enable us to offer E2EE to all tiers of users.
Today, Zoom released an updated E2EE design on GitHub. We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform. This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform.
To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message. Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.
Additional Information
• We plan to begin early beta of the E2EE feature in July 2020.
• All Zoom users will continue to use AES 256 GCM transport encryption as the default encryption, one of the strongest encryption standards in use today.
• E2EE will be an optional feature as it limits some meeting functionality, such as the ability to include traditional PSTN phone lines or SIP/H.323 hardware conference room systems. Hosts will toggle E2EE on or off on a per-meeting basis.
• Account administrators can enable and disable E2EE at the account and group level.
We are grateful to those who have provided their input on our E2EE design, both technical and philosophical. We encourage everyone to continue to share their views throughout this complex, ongoing process.
From Reuters:
After a series of security failures resulted in some institutions banning the use of Zoom, the California-based company hired former chief security officer at Facebook Inc Alex Stamos in April and rolled out major upgrades.
Some of the background, below. Zoom was pressed by activists to make this move, and it's a good one.
"A coalition of tech organizations, nonprofits, and tens of thousands of internet users rebuke @zoom_us for making end-to-end encryption a premium feature"
Cc: @Mozilla, @eff, @fightfortheftr https://t.co/m90NoO4ceo
— Jonathan Rozen (@Rozen_J) June 17, 2020
Mozilla, EFF, 19,000 Citizens Urge Zoom To Reverse End-to-End Encryption Decision https://t.co/TDRl2pXwOY
— Eric Vanderburg (@evanderburg) June 16, 2020
Mozilla, EFF, 19,000 Citizens Urge Zoom To Reverse End-to-End Encryption Decision https://t.co/KYTkJ3b00S
— Slashdot (@slashdot) June 16, 2020