Zoom U-turns on no e2e encryption for free users

KATWIJK, NETHERLANDS - APRIL 4: In this photo illustration, the website of Zoom Video Communications Inc is seen on April 4, 2020 in Katwijk, Netherlands. (Photo by Yuriko Nakao/Getty Images)
Natasha Lomas

In a major security U-turn, videoconferencing platform Zoom has said it will, after all, offer end-to-end encryption to all users -- including those who do not pay to use its service.

The caveat is that free users must provide certain "additional" pieces of information for verification purposes (such as a phone number that can receive a verification text message) before being allowed to use e2e encryption -- which Zoom says is a necessary check so it can "prevent and fight abuse" on its platform. It is nonetheless a major step up from the prior offer of 'no e2e unless you pay us'.

"We are grateful to those who have provided their input on our E2EE design, both technical and philosophical," Zoom writes in a blog update today. "We encourage everyone to continue to share their views throughout this complex, ongoing process."

The company faced a storm of criticism earlier this month after Bloomberg reported comments by CEO Eric Yuan, who said it did not intend to provide e2e encryption for non-paying users because it wanted to be able to work with law enforcement.

Security and privacy experts waded in to blast the stance. One notable critic of the position was cryptography expert Matthew Green -- whose name you'll find listed on Zoom's e2e encryption design white paper.

"Once the precedent is set that E2E encryption is too 'dangerous' to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it’s going to be hard to put it back," Green warned in a nuanced Twitter thread.


Since the e2e encryption storm, Zoom has faced another scandal -- this time related to privacy and censorship, after it admitted shutting down a number of Chinese activists' accounts at the request of the Chinese government. So the company may have stumbled upon another good reason for reversing its stance -- given it's a lot more difficult to censor content you can't see.

Explaining the shift in its blog post, Zoom says only that it follows a period of engagement "with civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others".

"We have also explored new technologies to enable us to offer E2EE to all tiers of users," it adds.

Its blog briefly discusses how non-paying users will be able to gain access to e2e encryption, with Zoom writing: "Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message."

"Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools -- including our Report a User function -- we can continue to prevent and fight abuse," it adds.
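As an added illustration (not Zoom's code, and not taken from its design document), the following Python sketches how a one-time SMS verification gate of the kind described above can be implemented without storing the code in the clear or leaving it open to guessing. The ten-minute code lifetime, the five-attempt budget, the cap on how many accounts one phone number may unlock and the stubbed SMS gateway are all assumptions made for the example.

```python
"""One-time phone verification gating E2EE for free accounts.

Added illustration, not Zoom's implementation.  Models the step described
above: a free/basic account proves control of a phone number once, after
which an E2EE-allowed flag is set on it.  The SMS gateway is stubbed out
(codes are appended to a list); a real deployment would hand the code to
a provider and never log it.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

CODE_TTL_SECONDS = 600      # assumed: a code is valid for ten minutes
MAX_ATTEMPTS = 5            # assumed: then the code is voided and must be re-requested
MAX_ACCOUNTS_PER_PHONE = 3  # assumed abuse limit: accounts one number may unlock


@dataclass
class PendingCode:
    phone: str
    digest: bytes          # keyed hash of the code; the code itself is not stored
    salt: bytes
    expires_at: float
    attempts: int = 0


@dataclass
class VerificationStore:
    server_key: bytes                                  # secret used to key the code hash
    now: Callable[[], float] = time.time               # injectable clock for tests
    pending: dict = field(default_factory=dict)        # account_id -> PendingCode
    verified: dict = field(default_factory=dict)       # account_id -> phone number
    sent_sms: list = field(default_factory=list)       # stand-in for the SMS provider

    def _digest(self, code: str, salt: bytes) -> bytes:
        # HMAC keyed with a server secret, so a leaked table cannot be brute-forced offline
        return hmac.new(self.server_key, salt + code.encode(), hashlib.sha256).digest()

    def request_code(self, account_id: str, phone: str) -> None:
        # One SIM should not be able to unlock an unbounded number of accounts
        if sum(1 for p in self.verified.values() if p == phone) >= MAX_ACCOUNTS_PER_PHONE:
            raise PermissionError("phone number already used for too many accounts")
        code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, not random.randint
        salt = secrets.token_bytes(16)
        self.pending[account_id] = PendingCode(
            phone, self._digest(code, salt), salt, self.now() + CODE_TTL_SECONDS
        )
        self.sent_sms.append((phone, code))           # the only place the code exists

    def submit_code(self, account_id: str, code: str) -> bool:
        entry = self.pending.get(account_id)
        if entry is None:
            return False
        if self.now() > entry.expires_at:
            del self.pending[account_id]               # expired codes are discarded
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(self._digest(code, entry.salt), entry.digest)
        if ok:
            del self.pending[account_id]
            self.verified[account_id] = entry.phone
        elif entry.attempts >= MAX_ATTEMPTS:
            del self.pending[account_id]               # guessing budget exhausted
        return ok

    def e2ee_allowed(self, account_id: str, paid: bool) -> bool:
        # Paid accounts are not gated; free accounts need a verified phone number
        return paid or account_id in self.verified
```

The hash is keyed rather than a bare SHA-256 because a six-digit code has only a million possibilities: anyone who obtained the table could otherwise recover every outstanding code in well under a second. The attempt counter serves the same purpose online.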

Certain countries require an ID check to purchase a SIM card so Zoom's verification provision may make it impossible for some users to access e2e encryption without leaving an identity trail which state agencies could unpick.

Per Zoom's blog post, a beta of the e2e encryption implementation will kick off in July. The platform's default encryption remains AES-256-GCM in the meantime -- meaning meeting content is encrypted in transit, but Zoom's own servers still hold the keys.

The forthcoming e2e encryption will not be switched on by default -- but rather offered as an option. Zoom says this is because it limits some meeting functionality ("such as the ability to include traditional PSTN phone lines or SIP/H.323 hardware conference room systems").

"Hosts will toggle E2EE on or off on a per-meeting basis," it further notes, adding that account administrators will also have the ability to enable and disable E2EE at the account and group level.

Today the company also released a v2 update of its e2e encryption design -- posting the spec to GitHub.
