15.3 C
New York
Tuesday, April 16, 2024

Zoom Reverses Course and Promises End-to-End Encryption for All Users

After weeks of criticism over its inflated encryption claims, videoconferencing platform Zoom announced in early April that it would develop full end-to-end encryption for video and audio calls made through the service. At the end of May, though, the company said that this protection would only be available to paying customers—free accounts would be out of luck. But on Wednesday, the company walked this tiered system back, pledging to provide end-to-end encryption to any user.

Zoom said a preliminary beta of its end-to-end encryption feature would begin in July. The protection will be off by default, and hosts will have the option to enable it every time they create a meeting. Corporate administrators will be able to enable or disable the feature for an entire institution or groups of users. It's opt-in, Zoom says, because end-to-end encryption won't be compatible with all conferencing equipment or participants joining from regular phones. Crucially, to enable end-to-end encryption, free users will need to submit and verify an identifying piece of data, like a phone number. Paying users will have already entered identifying info through their sign-up process.

"Today, Zoom released an updated E2EE design on GitHub. We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform," Zoom CEO Eric Yuan wrote in a blog post. "This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe—free and paid—while maintaining the ability to prevent and fight abuse on our platform."


When two or more devices communicate over the internet, end-to-end encryption allows data to move back and forth between them in a form that is indecipherable to anyone other than the participants. This protects the data from potential eavesdroppers like governments, internet service providers, or communication platforms themselves. Access to end-to-end encryption has emerged as a human rights issue, but governments have increasingly moved to limit deployment of true end-to-end encryption, because they say it hinders law enforcement efforts.

In promising to add end-to-end encryption, Zoom waded into this debate. And the company seemed wary of the stakes in its initial statements on the subject. Yuan said in a company earnings call that Zoom wouldn't extend end-to-end encryption to free users, "because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose."

A company spokesperson added on June 3 that "Zoom has engaged with child safety advocates, civil liberties organizations, encryption experts, and law enforcement to incorporate their feedback into our plan. Finding the perfect balance is challenging."

Zoom claimed at the time that the big limitation was its inability to identify free users. "Free users sign up with an email address, which does not provide enough information to verify identity," the same spokesperson said at the time. But on Wednesday, Zoom seemed to have solved the conundrum by requiring unpaid accounts to submit a phone number or other identifier before using end-to-end encryption.

After Facebook announced that it would expand end-to-end encryption from its WhatsApp messaging platform to all of its chat apps, including Messenger and Instagram messaging, the company started dealing with intense pressure from the United States Department of Justice about the degree to which this might impede investigations into child sexual abuse and other crimes committed on the platforms. And the Justice Department has become increasingly anti-encryption overall in recent years, calling for tech companies to create so-called backdoors for law enforcement access. Now Zoom may end up in the crosshairs.

"This is a big victory for grassroots activists who fought hard to make sure that Zoom offers strong encryption to everyone, not just to their corporate clients and those who can pay," says Evan Greer, deputy director of the digital rights organization Fight for the Future. "End-to-end encryption is one of the most important technologies keeping people safe online, and it's essential for basic human rights. Companies should stand up for their users' rights by refusing to enter into partnerships or build backdoors for law enforcement agencies."

In addition to weighing possible government pushback, though, Zoom also had to consider the desires of its users, who can already access the feature for smaller video calls on Apple's FaceTime and WhatsApp. "At this point, end-to-end encryption is a basic security and privacy technology that should be included by default wherever and whenever possible," says Brown University cryptographer Seny Kamara. "I’m really happy Zoom is providing it for everyone. I wish they had done it in the first place, but better late than never."

The move also comes amidst mounting public pressure. Fight for the Future participated in organizing a petition that collected close to 51,000 signatures demanding that Zoom offer end-to-end encryption for all. On Tuesday, Mozilla and the Electronic Frontier Foundation also published an open letter with the same demand that had close to 20,000 signatures.

"While I am sure the DoJ will be unhappy with Zoom's choice, I believe the anti-abuse controls that Zoom announced, such as verifying a phone number, will help to mitigate the abuse that Zoom was previously trying to prevent by the more extreme measure of barring free accounts from getting E2EE entirely," says Riana Pfefferkorn, the associate director of surveillance and cybersecurity at Stanford's Center for Internet and Society. "Contrary to DoJ's talking points, it has never been the case that end-to-end encryption completely cuts off all possible ability to detect and investigate crime and abuse. Zoom's announcement today demonstrates that other measures can be brought into play that do not require sacrificing users' privacy and security."

It will likely be a few more months before Zoom's end-to-end encryption rolls out. But when it does, at least everyone will get to use it.

Related Articles

Latest Articles