The popular but embattled video conferencing platform Zoom seemed to wander into another minefield earlier this month, as it announced the rollout of end-to-end encryption but appeared to be limiting it to business and enterprise accounts. The move stirred up controversy as Zoom CEO Eric Yuan said rather bluntly on an earnings call that it was done to give law enforcement access to individuals using the platform for crimes such as sex trafficking.
The company has now chosen to navigate around this problem in a different way. Free users and those subscribed to the individual “Pro” plan will be allowed to enable end-to-end encryption, but will have to provide additional personal information to do so.
How Zoom’s new free end-to-end encryption works
A blog post from the company gave preliminary details on how the new end-to-end encryption feature, which is slated to go active sometime in July, is planned to work. “Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message. Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts … This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform,” said Yuan.
In other words, the process for free users to enable end-to-end encryption appears to be similar to the mandatory two-factor authentication (2FA) schemes that sites like Amazon now require to secure user accounts. In addition to an email address, Zoom users will need to provide something like a valid phone number at which to receive a verification call or text message with a code to be entered back into the site. Once verified in this way, users will be able to join calls in which the call administrator has toggled on the end-to-end encryption feature.
The details are not yet finalized, but Zoom has shared an overview in the form of a whitepaper hosted on GitHub. The original plan for end-to-end encryption had limited it to the organizational tiers of the paid version of the service, which would have required users to have some sort of company account to make use of it.
Zoom’s end-to-end encryption problem
Zoom has weathered a long chain of criticisms and controversies regarding its security and data handling practices since the company’s sudden and unexpected growth due to the Covid-19 pandemic. It has struggled to scale up what were initially modest security offerings when it was a convenience-focused business tool of middling popularity prior to widespread global lockdowns and social distancing measures.
One particular problem for the company has been the rapid adoption of the platform as a tool for schools to conduct virtual classrooms. Zoom suddenly onboarded a massive number of young users due to school closures, a demographic the company was clearly not prepared for. Child sex trafficking was an existing problem on the platform even before the pandemic, with abusers taking advantage of its anonymous nature to trade child porn and put on virtual “shows.” The problem has become more acute with the added presence of millions of homebound children during the school year, giving rise to serious concerns about grooming and the use of techniques such as “Zoombombing” to gain unauthorized access to their spaces.
Under the original plan, children would have needed an account provided by a school subscribed to Zoom’s paid services to be protected by end-to-end encryption. Civil rights groups also spoke out against the initial proposal, pointing out that potentially vulnerable political speech and organization would have gone unprotected and could have been readily eavesdropped on by authorities.
Unless a backdoor is added, end-to-end encryption ensures that only the participating parties have access to the video calls and any files shared during a conference. Zoom staff are not able to access the call, nor is law enforcement, even if a warrant is obtained. An outside party would need physical access to the encryption key on a user’s device along with their password to be able to access their communications on the platform.
One of Zoom’s bigger controversies this year was that it had been falsely advertising end-to-end encryption on the platform until early April. It was discovered that this was not true; Zoom had simply made a “promise” to not decrypt transmissions across their platform rather than actually implementing true end-to-end encryption. The decryption keys were stored on Zoom’s servers, some of which were in China (giving the country’s government the ability to access communications at will). The site was also found to be using an outdated form of more basic encryption, something that has since been updated to a standard that is more secure and modern.
Zoom’s new encryption will still have issues & limitations
Though Zoom’s new end-to-end encryption option is a welcome change, it will still have some limitations. Call admins will have to toggle it off for participants using regular PSTN landlines or SIP/H.323 legacy conference room phones; it appears there will be an option to toggle it off for specific users, but some may simply leave it off all the time to avoid the confusion and extra work. End users will also be reliant on the call admin being vigilant about toggling it on for each session. And at Zoom’s end, the added steps on account creation are not a complete solution to the creation of abusive accounts; determined threat actors can still create a free anonymous phone number with services such as Google Voice, or use an inexpensive burner phone.