Zoom U-turns on end-to-end encryption

In a major victory for activists and civil liberties organisations, Zoom, the controversial video-conferencing app which has found itself under pressure over comments made by its CEO Eric Yuan about consumer security, has said it will offer end-to-end encryption to all free and basic users subject to sign-up.

Earlier in June, Yuan said free users would be excluded from a planned roll-out of end-to-end encryption so that Zoom could hand over their data to the FBI and other law enforcement agencies if required.

This prompted outrage from privacy advocates and campaigners, who earlier this week submitted open letters and petitions to Zoom calling it to rethink this policy.

Ashley Boyd, Mozilla Foundation vice-president of advocacy and engagement, said that end-to-end encryption should not be something that only businesses or people with money should be able to benefit from.

“Zoom’s decision will leave journalists, activists, low-income internet users, and a host of others more vulnerable to snooping. We urge Eric Yuan and Zoom to listen and to reverse course. At a time when everyone and everything is increasingly connected, privacy and security need to be the default, not a luxury,” said Boyd.

“We believe all users should have access to the strongest privacy and security, regardless of their ability to pay. And we’re not alone in that belief,” she added.

Campaigner Lau Barrios of MPower Change, an organisation which advocates for the rights of Muslims, said: “End-to-end encryption has always been a racial justice issue because it most directly protects black, brown, Muslim and poor communities from the disproportionate risk of surveillance, policing and criminalisation.

“Zoom has already misled the public once on whether or not they use end-to-end encryption. Openly defending their refusal to provide it to those not wealthy enough to pay to protect themselves and their communities is unconscionable. And it’s a direct refusal to protect activists and organisers from surveillance in this moment,” she said.

In a blog post, Eric Yuan said that Zoom had engaged with civil liberties organisations, its CISO advisory council, child safety advocates, encryption experts, representatives of government bodies and its own users to gather feedback on its draft design for end-to-end encryption, and had explored new technologies to enable it to offer full encryption to all users.

It has now released an updated end-to-end encryption design – which can be found on GitHub – as it charts a path forward that, according to Yuan, “balances the legitimate right of all users to privacy and the safety of users on our platform”.

Going forward, free or basic users who want to take advantage of end-to-end AES 256 GCM transport encryption will be asked to participate in a one-time process that will prompt them for additional information, such as verifying their phone number via an SMS message.

“Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools – including our Report a User function – we can continue to prevent and fight abuse,” said Yuan.

“We are grateful to those who have provided their input on our end-to-end encryption design, both technical and philosophical. We encourage everyone to continue to share their views throughout this complex, ongoing process,” he said.

The new feature will move into beta testing in July 2020. It will be an optional feature because it will be necessity limit some meeting functionality, such as the ability to include PSTN phone lines or SIP/H.323 hardware conference room systems. Meeting hosts will be able to switch it on or off if wanted, and account admins will be able to enable or disable it at the account and group level.