Zoom to offer end-to-end encryption to all users
Zoom has changed its stance on end-to-end encryption and says it will now offer the security feature to all users.
The video conferencing app said in May it was introducing the encryption, but only to its paying subscribers.
However, chief executive Eric Yuan has now confirmed that after receiving feedback from users and online safety organisations, it will make end-to-end encryption available to all its users – both free and paid.
End-to-end encryption (E2EE) makes content and data from meetings inaccessible to anyone other than those in the conversation.
Mr Yuan said the company had “identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform”.
“This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform,” he said.
Zoom has come under intense scrutiny over its security since the coronavirus outbreak, with lockdown driving a massive spike in Zoom users as millions of people began working and studying from home.
A number of security issues were quickly identified in the app, and Zoom was also criticised for previously suggesting on its website that it used end-to-end encryption when analysis showed it did not.
‘Zoombombing’, the practice which allowed strangers to use a loophole in meeting settings to gatecrash video calls, often bombarding participants with offensive and abusive content, has been one of the most high-profile flaws raised about the platform.
The company apologised for the issues and, at the beginning of April, announced a shift in development, which saw the firm abandon all other new feature work to focus on improving Zoom’s security tools and fixing the issues flagged to the firm.
It has since started rolling out a number of updates fixing these flaws.
As part of the expansion of end-to-end encryption, Mr Yuan said free and basic subscription holders would need to take part in a one-time authentication process where they sign up with a phone number and then verify it from a text message sent to them.
“We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse,” Mr Yuan said.
He confirmed that Zoom is planning to begin a beta test of the new feature in July.
However, children’s charity the NSPCC said Zoom’s decision will endanger children online, and claimed their safety was being compromised over commercial aims.
Andy Burrows, the NSPCC head of child safety online policy, said: “This move is fundamentally risky and will drive child abusers to Zoom. The company say they made this decision after speaking to child safety advocates but we expressly advised Zoom not to encrypt until and unless they can guarantee children’s protection won’t be compromised.
“Once again children are the losers in a trade-off between safety and commercial drivers. Zoom’s text verification system shows a complete misunderstanding of child protection if they think offenders don’t have access to burner phones.
“The UK Government must take bold action with online harms legislation that creates a regulator to hold tech directors criminally accountable if their company’s design choices, including encryption, allow sexual abuse against children.”