Zoom to Offer End-to-End Encryption for All UsersTeleconference Company Describes Series of Security Measures
Zoom will begin beta testing an end-to-end encryption feature in July that it plans to make available at not charge to all who use the paid or free version of its teleconference platform, the company says in its latest 90-day security plan progress report.
Zoom CEO Eric Yuan says the end-to-end encryption was developed in partnership with users, civil liberties organizations and the CISO council the company organized earlier this year.
"We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform,” Yuan says. “This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe - free and paid - while maintaining the ability to prevent and fight abuse on our platform."
Users who want to implement the new encryption feature will have to participate in a one-time process that will help the company to further identify the user by verifying their phone number via text message, Yuan notes.
Zoom embarked on a 90-day security plan on April 1, promisinig to commit the resources needed to better identify, address and fix security issues.
The COVID-19 outbreak, which triggered a shift to working from home, led to a massive increase in the number of Zoom users which, in turn, resulted in security and privacy issues being exposed. This included so-called Zoom bombing hacking incidents as well as the company inadvertently sharing user's email addresses, photos and names with Facebook by default.
Several zero-day vulnerabilities were also discovered and patched.
In Zoom’s first quarter financial statement, the company reported a 354% increase in the number of customers with 10 or more employees compared to the same period last year, reaching a total of more than 265,000 such customers. The increase in business resulted in net income of $27 million, up from $2.2 million a year ago.
EFF Approves of Changes
Zoom's addition of encryption for all users was welcomed by the Electronic Frontier Foundation, which had criticized the company for not previously offering more robust privacy and security features.
Zoom attracted “new users that the company never expected and did not design for, and all the unanticipated security and privacy problems that come with that sudden growth," Gennie Gebhart, the foundation’s associate director of research, notes.
Benefits of E2EE
End-to-end encryption is an added layer of security on top of the AES 256-bit GCM enhanced encryption that was put into place on May 30.
Under the AES 256-bit GCM encryption model, a one-time key is generated for each meeting. With E2EE, one meeting participant generates an encryption key and then uses public key cryptography to distribute this key to the other participants. This transfer takes place without the data going through Zoom’s servers. The meeting data itself is still protected with AES 256-bit GCM encryption, according to Zoom.
Administrators will have the ability to disable the E2EE feature at the account and group level, and it also can be turned off for a specific meeting because E2EE can limit some meeting functionality, such as the ability to include PSTN phone lines or SIP/H.323 hardware conference room systems, Zoom notes.
Additional Security Measure
In addition to enhanced encryption, Zoom is adding security protocols in the coming weeks. For example:
- Account administrators will be able to disable the ability to log in to Zoom with an email address and password, requiring users to sign in through SSO or other third-party logins that Zoom offers.
- Account administrators will be able to whitelist domains so participants can bypass the waiting room and directly join a meeting;
- Account owners and admins will have the ability to set the amount of time that Zoom phone user data - call logs, ad hoc/automatic call recordings, voicemail recordings and transcriptions - is retained.
Zoom also announced that starting in July, it will host a series of CISO roundtables where up to 40 participants can ask questions about its cybersecurity measures.