Along with Zoom's meteoric rise has come a privacy and security blowback. In response to frustration over the videoconferencing service's vague and misleading encryption claims, Zoom brought on a small army of prominent cryptographers and security engineers as consultants, and acquired the secure communication company Keybase, in pursuit of real end-to-end encryption for its users. But it turns out that even when Zoom completes the feature, only paying customers will receive it—leaving Zoom's free users in the lurch.
End-to-end encryption allows data to move between devices in a form that is unreadable to anyone other than the recipients—protecting the information in transit from snooping by your internet service provider, the government, or communication platforms themselves. Privacy advocates strongly recommend it, while governments argue that it makes law enforcement's job harder. In the United States, the Department of Justice has doubled down on its anti-encryption stance in recent years, urging tech companies to create backdoors in their encryption for law enforcement access. Zoom's decision to limit end-to-end encryption to paid accounts seems to be an attempt at compromise.
"Free users for sure we don’t want to give that," Zoom CEO Eric Yuan said in a company earnings call on Tuesday referring to end-to-end encryption, "because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose."
Implicit in Yuan's comments is a presumed connection between people who use a service for free and criminal activity, which many privacy advocates decried Wednesday. In practice, requiring a paid account for end-to-end encryption could put it out of reach for the vulnerable groups who need it most, including activists, journalists, and nonprofits who often have limited resources
"Anyone who cares about public safety should be pushing for more encryption everywhere possible, not less," says Evan Greer, deputy director of the digital rights organization Fight for the Future. "For the company to say they’ll only keep your calls safe and secure if you pay extra—they’re leaving the people most likely to be targeted by surveillance or online harassment vulnerable. They have a chance to do something really good for human rights by implementing default end-to-end encryption to all users. But if they make it a premium paid feature, they’re setting a precedent that privacy and safety is only for those who can afford to pay for it."
End-to-end encryption is hard to get right under any circumstances, but especially for a video chat that can support up to a thousand participants. Everything from bandwidth to people dropping in and out of calls adds complexity to an already challenging problem. While services like Apple's FaceTime, Facebook's WhatsApp, and Google's Duo all offer end-to-end encrypted video chat for up to about a dozen participants, no one has ever come close to implementing it to the extent Zoom is pursuing.
"In principle it's doable, but in practice, and especially at Zoom's scale, it's a very difficult engineering problem," says cryptographer Jean-Philippe Aumasson. "It's not just about throwing some crypto code at the problem."
Zoom would also be the first widely used service of its kind, though, to fence off who could access those protections.
"Zoom’s end-to-end encryption plan balances the privacy of its users with the safety of vulnerable groups, including children and potential victims of hate crimes," a Zoom spokesperson said in a statement. "We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity."
Not all of Zoom's consultants on the end-to-end encryption project are convinced that charging for stronger privacy and security features is the right move, though. "Obviously I don’t think you should have to pay for E2E encryption," Johns Hopkins cryptographer Matthew Green wrote on Wednesday.
Security researcher Alex Stamos, former chief security officer of Yahoo and Facebook who has been consulting on Zoom's end-to-end encryption efforts, pointed out in a Twitter thread that free Zoom calls still benefit from encryption, albeit not end-to-end. He also said that end-to-end encryption will make it more difficult for Zoom to reduce abuse on its platform, even though the company is working on tailored reporting mechanisms for users.
Zoom's stance of withholding end-to-end encryption from free-tier users puts it at odds with a wider trend of adding encryption universally. Facebook in particular has dealt with intense pressure from the Justice Department to walk back its decision to end-to-end encrypt all of its platforms, including Messenger and Instagram. The company has been adamant that it can develop technologies that assist law enforcement as needed with these and other threats, while preserving free end-to-end encryption for billions of users.
If end-to-end encryption is a paid feature in Zoom, other video chat apps may follow suit, a precedent that could make strong encryption less attainable for the masses. "I think the CEO's wording was definitely poor, and if we only listen to that quote, then yes it sets a bad precedent," says security engineer Ben Adida, executive director of the nonprofit VotingWorks. "We should push back against this idea that baseline security, encryption, and privacy is a premium. However, I suspect that the CEO's quote is a poor summary of what's actually going on. I hope Zoom will be applying this great technology they're developing for all users."
Zoom did leave room for the possibility that its stance could eventually change. "The current decision by Zoom's management is to offer end-to-end encryption to business and enterprise tiers," the spokesperson said in a statement. "We are determining the best path forward for providing end-to-end encryption to our Pro users."
The company seemed to internalize pushback about its old encryption claims. But finding a workable compromise with law enforcement on the topic is a much taller order.