Zoom on Wednesday backtracked on an earlier decision and said it would provide end-to-end encryption for all users — even ones on the free tier.
After a series of privacy and security blunders, Zoom promised strong encryption and protections for users. But initially, end-to-end encryption was only planned for paid users in an effort to combat abuse.
After consulting with encryption experts, civil liberties groups, child safety advocates and government officials, however, Zoom announced that all users of its video conferencing tool will be able to enable end-to-end encryption.
The backtrack follows a pair of letters that were penned to the company by digital rights groups, such as the Mozilla Foundation, and tens of thousands of concerned users.
"Since releasing the draft design of Zoom's end-to-end encryption (E2EE) on May 22, we have engaged with civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others to gather their feedback on this feature," Zoom CEO Eric Yuan said.
Originally, Zoom says it nixed encryption for free users to comply with law enforcement and curb the creation of abusive accounts. Now, however, the company said it will explore "new technologies" to enable it for everyone. Free users, for example, will need to verify themselves by inputting a phone number in the signup process. Zoom says that'll keep bad actors from creating multiple accounts.
The video conferencing company also released an updated end-to-end encryption design on GitHub.
Zoom has had a number of privacy and security gaffes in the wake of its boom in popularity due to coronavirus, including a phenomenon known as "Zoombombing" and several security vulnerabilities. The company also caught flak for making misleading statements about its encryption offerings.
End-to-end encryption on Zoom will launch as an optional feature in early beta in July.
6 Comments
Finally, they made the right decision.
It is like pulling teeth to get these bozos to do the obvious right thing, and they seem alarmingly clueless about their plans and direction. Kudos to them for coming up with an interactive class/chat software that participants find easy to use (to the surprise of the far more obvious companies who allowed their products to be expensive and unintuitive), but they don’t seem to have any clear vision from the host side, and very much over promised and under delivered.
I applaud Zoom’s disruption of the market, but I would love Apple’s designers to have something better available for more than just Classroom. Zoom’s main contribution is that they’ve mainstreamed the class/group/webinar market, and that’s not going away going forward. Apple, Slack, Microsoft, Cisco, Go2Meeting and the rest need to up their game on community and business group classes/meetings software and not just rest on their “group chat” laurels.
I would like to know who will be validating the actual end-to-end encryption Zoom says they are adding to the free version. Will GitHub members look through the code and see if they can break and/or bypass the encryption process or will we just have to take their word for it?
Both of the following are for government use of Zoom. I don't know if they have been or are using the government version of Zoom which might already have some kind of E2EE.
https://blog.zoom.us/wordpress/2019/05/07/zoom-achieves-fedramp-moderate-authorization/ Dated May 7, 2019. FedRAMP must be the (stupid) self-approved risk management program, which means each government installation can use a risk management program to see if they will accept the risk for any problems. It used to be a separate agency did the approval and accepted the risk. Now it's accepted by whomever is in charge of the system. Of course this means they can do whatever they want to do and hope nothing bad happens.
https://www.stripes.com/news/us/zoom-for-official-use-is-no-longer-an-option-for-dod-personnel-report-says-1.625973 Dated April 14, 2020
There might be newer articles, these popped up first. When I was working for a government contractor I used to worry about these things but it looks like nobody is really worried anymore.
I guess they had to finally at least appear to do something for security after it turns out that the Chinese Communist Party had free access to block any "inconvenient" account that they wanted to: https://www.businessinsider.com/zoom-china-censorship-tiananmen-square-2020-6
I have no idea how the heck Zoom is still in business in USA, working with the gov and schools etc.