Zoom is finally taking a major step to address ongoing data security and privacy criticism by adding an end-to-end encryption feature, but it will only be available as a premium paid feature. While that by itself would be a contentious move, CEO Eric Yuan has fanned the flames by stating that the decision was made so that the FBI and local law enforcement departments can have access to the communications of platform users.
Zoom’s new end-to-end encryption is pay-to-play
There is currently no timeline for when the new end-to-end encryption feature will be rolled out, but Zoom has confirmed that it will only be available to those paying for its upgraded Business or Enterprise services. Business customers are charged $20 per host and are required to purchase a monthly minimum of 10; Enterprise clients must purchase at least 100. The company did not say whether the paid Pro accounts (which run $15 per host per month) will be able to use end-to-end encryption on their own.
Withholding a fundamental data protection feature until the user pays up is ethically questionable on its own. But Yuan, saying the quiet part out loud during an earnings call, admitted openly that the move was meant to be a compromise to appease law enforcement. Yuan claimed that Zoom is rife with people using it for “bad purposes” and wants to give law enforcement a clear path to them. Yuan did say that there may be some exceptions for nonprofit organizations or dissident groups, but did not commit to any specifics as to exactly who would qualify for free end-to-end encryption.
Not many details about the end-to-end encryption feature are available, but the company has stated that it will not have backdoors and that Zoom will not monitor the content of meetings. The company claims that it only volunteers information to law enforcement in the case of serious crimes such as child sex abuse.
The end-to-end encryption feature is being developed by Keybase, which Zoom purchased in early May.
Does Zoom have a crime problem?
There is an elevated risk of child grooming and sex trafficking during an extended pandemic lockdown period that has kids spending more time online and taking remote classes. There are no specific crime statistics to reference since the platform exploded in popularity several months ago, but federal prosecutor Austin Berry called Zoom the “Netflix of child pornography” during a trial in Pennsylvania in late 2019. He indicated that predators are attracted to it because live streams do not leave a stored record and are harder to trace, a view supported by lead Zoom security consultant Alex Stamos.
If the Pro subscription tier is not eligible for end-to-end encryption, Zoom users would need to be part of an organization with a subscription to use it. However, that would also mean that the majority of the platform’s user base would be operating without a fundamental security feature.
Some sources have claimed that the streaming of child pornography on platforms such as Zoom is more common than people realize, and that the law requires an employee of the company to be able to monitor these streams in real time and testify to their content in order for charges to be brought against the perpetrators. The people who participate nearly always use free throwaway accounts (which require nothing more than an email address) to hide their identities, and would be very unlikely to abuse an end-to-end encryption feature if they were forced to tie it to a digital form of payment that could be used to track them down.
Encryption for free users
After widespread criticism for using an outdated and weak encryption standard, Zoom updated to AES 256-bit GCM and is no longer routing any traffic from outside of China through servers in that country. The company also added a number of requested security features with its 5.0 update in mid-April, and is in the middle of an ongoing 90-day feature freeze in which it is addressing nothing but privacy and security issues.
“Zoom does not proactively monitor meeting content, and we do not share information with law enforcement except in circumstances like child sex abuse,” the company said in a statement. “We do not have backdoors where participants can enter meetings without being visible to others.”
While the upgraded encryption gives free users a good deal of protection from malevolent third parties, it does not actually prevent Zoom from monitoring meetings. End-to-end encryption puts the decryption key on the user’s device, requiring physical access to the machine to use it.
Zoom’s prospects during civil unrest
It remains to be seen what effect, if any, the current political climate will have on Zoom’s decisions and fortunes. What initially appeared to be an American phenomenon has turned into demonstrations throughout the world. Zoom’s user base has been rising in Hong Kong since the protests there began last year, driven by businesses and schools shifting meetings online due to unpredictable outbreaks of violence. Those organizing protests and related efforts are likely to be interested in the platform since it has already been widely adopted, but they are also likely to either push back or opt for another video conferencing platform if end-to-end encryption is not available to them.