Zoom will provide end-to-end encryption to all users

Zoom's CEO Eric S. Yuan today announced that end-to-end encryption (E2EE) will be provided to all users (paid and free) after verifying their accounts by providing additional identification info such as their phone number.

"We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform," Yuan said.

"This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform."

This update to Zoom's plans comes after the company announced on May 27 that E2EE would be available only to paying customers, with free/basic users only getting access to 256-bit GCM encryption.

Users asked to verify their accounts to enable E2EE

To give all Zoom users access to E2EE, Yuan says they will first have to verify their accounts through various means, such as confirming their phone numbers via text message.

"Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts," Yuan explained.

"We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse."

An initial draft of the cryptographic design for Zoom's planned E2EE offering was published on GitHub on May 22, and a second, updated version was committed today (a list of all the changes is available here).

According to an update to the company's 90-day security plan, "end-to-end encryption won’t be compatible with an older version of the Zoom client, and all participants must have an E2EE-enabled client to join the meeting."

The company also said it will not force users with free accounts to use E2EE; both free and paid users will be able to choose whether to enable it for their meetings.

"With Zoom’s current Enhanced Encryption offering, encryption keys are created on Zoom’s servers and distributed to the meeting participants," Zoom added.

"Each key is randomly generated and only used for one meeting, then thrown away. In end-to-end encryption, one meeting participant generates the encryption key and uses public key cryptography to distribute this key to the other participants; Zoom’s servers never see the key."
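To make the contrast in that quote concrete, here is an added Go example (not Zoom's code, and a deliberate simplification of its published design): the host generates a random 256-bit meeting key on its own device and wraps it to each participant's public key, so the server relays only opaque envelopes it cannot open. The X25519 exchange, the SHA-256 key derivation and the AES-256-GCM envelope format are assumptions made for this illustration, as are all function names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewIdentity is a participant's X25519 key pair; only its public half is ever sent to the server.
func NewIdentity() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// NewMeetingKey is the random 256-bit key the host generates on its own device, never on the server.
func NewMeetingKey() []byte {
	k := make([]byte, 32)
	must(rand.Read(k))
	return k
}

// pairwiseAEAD keys AES-256-GCM from the X25519 shared secret; SHA-256 as KDF is a constructed simplification, not Zoom's derivation.
func pairwiseAEAD(me *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
	k := sha256.Sum256(must(me.ECDH(peer)))
	return must(cipher.NewGCM(must(aes.NewCipher(k[:]))))
}

// WrapMeetingKey encrypts the meeting key to one recipient; the envelope (nonce || ciphertext || tag) is all the server relays.
func WrapMeetingKey(host *ecdh.PrivateKey, to *ecdh.PublicKey, meetingKey []byte) []byte {
	aead := pairwiseAEAD(host, to)
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, meetingKey, nil)
}

// UnwrapMeetingKey recovers the meeting key; without the private key of either endpoint (the server holds neither) the GCM tag check fails.
func UnwrapMeetingKey(me *ecdh.PrivateKey, from *ecdh.PublicKey, envelope []byte) ([]byte, error) {
	aead := pairwiseAEAD(me, from)
	if ns := aead.NonceSize(); len(envelope) >= ns {
		return aead.Open(nil, envelope[:ns], envelope[ns:], nil)
	}
	return nil, errors.New("envelope too short")
}
```

A server that only relays envelopes, even one holding its own key pair, fails the tag check when it tries to unwrap, which is the property the "Zoom's servers never see the key" sentence describes.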

Rollout starting July 2020

According to Yuan's announcement, an early beta of Zoom's E2EE feature will begin rolling out in July 2020.

Account admins will be able to toggle E2EE on or off at both the group and account level, as it will roll out as an optional feature.

Because E2EE limits some meeting functionality, such as "the ability to include traditional PSTN phone lines or SIP/H.323 hardware conference room systems," it will be easy to enable or disable on a per-meeting basis.

Zoom users can continue to use the current AES 256 GCM transport encryption as their default encryption, which, according to Yuan, is "one of the strongest encryption standards in use today."

Last week, Zoom admitted that it deactivated the accounts of US-based, pro-democracy Chinese activists (Lee Cheuk-yan, Wang Dan, and Zhou Fengsuo) at the request of the Chinese government following a Zoom meeting on the anniversary of the Tiananmen Square Massacre.

"Going forward Zoom will not allow requests from the Chinese government to impact anyone outside of mainland China," Zoom said.

Update June 18, 10:20 EDT: Added E2EE info shared in Zoom's 90-day security plan update.
