While reporting groundbreaking growth numbers during its earnings call, Zoom CEO Eric Yuan made a statement that worried security and privacy advocates the world over. Yuan said the company is looking to make end-to-end encryption (E2EE) a paid feature and will not offer it to free users. More importantly, Yuan said the company will do this “because we also want to work together with the FBI, with local law enforcement in case some people use Zoom for a bad purpose.”
“Basic security shouldn’t be a premium feature that’s only available to wealthy individuals and big corporations,” said Evan Greer, deputy director at digital rights advocacy group Fight for the Future, via a tweet. “I have been pleasantly surprised with Zoom’s quick and decisive responses to security criticism recently, but after a feedback call they hosted this morning about their end-to-end encryption plan I am back to being disappointed,” said Gennie Gebhart, Associate Director for Research at the Electronic Frontier Foundation (EFF).
In response, the company’s security consultant Alex Stamos, who joined Zoom to advise on its privacy issues earlier this year, took to Twitter to explain the company’s stance on E2EE. Stamos explained that all meetings on the platform are already encrypted in transit. “All users (free and paid) have their meeting content encrypted using a per-meeting AES256 key. Content is encrypted by the sending client and decrypted by receiving clients or by Zoom’s connector servers to bridge into the PSTN network and other services,” he said.
While this indeed provides a layer of security, it is not the same as E2EE, under which only the participants in a conversation (here, a video call) can read its content: the keys never leave the endpoints, so the service operator (here, Zoom) cannot decrypt calls passing through its servers even if it wants to. In Zoom’s current design the server holds the per-meeting key and uses it to decrypt content for its PSTN connectors, which is precisely what E2EE rules out. E2EE is the reason WhatsApp can tell governments worldwide that it cannot access what users say on the platform.
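The following toy model, written for this article and not Zoom’s code, puts the two designs side by side: the per-meeting key Stamos describes, which the server holds and a connector uses to bridge into the PSTN, against an E2EE design in which the clients derive the key between themselves and the server only relays ciphertext. Everything in it is assumed for illustration: the class and function names (MeetingServer, RelayServer, E2EEClient, run_models) are invented, the server minting and distributing the key is a modelling choice (the article only says Zoom’s connector servers can decrypt), the cipher is an HMAC-SHA256 keystream standing in for AES-256 because the standard library has no AES, and the key agreement is textbook Diffie-Hellman over a small prime picked for readability. None of it is safe for real use; the point is where the key lives and what a server can do with what it sees.

```python
"""Who holds the meeting key: server-held encryption vs. end-to-end encryption.

Added illustration, not Zoom's code. The stream cipher stands in for AES-256
and the DH group is a toy; neither is safe for real use.
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks. Same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under a fresh random nonce; output is nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class MeetingServer:
    """Model 1 (assumed): the service mints the per-meeting key and hands it to each
    client. Since the key is server-side, a connector can decrypt to bridge into the
    PSTN, and so can anyone who controls or compels the server."""

    def __init__(self) -> None:
        self.meeting_key = secrets.token_bytes(32)
        self.relayed = []

    def join(self) -> bytes:
        return self.meeting_key  # the key lives on the server, so the server can decrypt

    def relay(self, blob: bytes) -> bytes:
        self.relayed.append(blob)
        return blob

    def bridge_to_pstn(self) -> list:
        return [unseal(self.meeting_key, b) for b in self.relayed]


# Toy DH group for readability only: a Mersenne prime and a small base.
P = 2**127 - 1
G = 5


class E2EEClient:
    """Model 2: each client derives the meeting key itself from a DH exchange;
    the server only ever sees public values and ciphertext."""

    def __init__(self) -> None:
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)
        self.meeting_key = None

    def agree(self, peer_pub: int) -> None:
        shared = pow(peer_pub, self._priv, P)  # < P, so it fits in 16 bytes
        self.meeting_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()


class RelayServer:
    """Forwards public values and ciphertext; holds no key material."""

    def __init__(self) -> None:
        self.seen_pubs = []
        self.relayed = []

    def relay_pub(self, pub: int) -> int:
        self.seen_pubs.append(pub)
        return pub

    def relay(self, blob: bytes) -> bytes:
        self.relayed.append(blob)
        return blob

    def bridge_to_pstn(self) -> list:
        raise LookupError("relay holds no meeting key; PSTN bridging needs one")

    def best_effort_guess(self) -> list:
        """What a compelled relay could try: hash everything it saw. Without a
        private exponent this is the wrong key and yields garbage."""
        guess = hashlib.sha256(b"".join(p.to_bytes(16, "big") for p in self.seen_pubs)).digest()
        return [unseal(guess, b) for b in self.relayed]


def run_models(message: bytes = b"quarterly numbers, not for the press") -> dict:
    """Run one message through both models and report who could read it."""
    zoom = MeetingServer()
    alice_key, bob_key = zoom.join(), zoom.join()
    blob = zoom.relay(seal(alice_key, message))
    server_model = {"bob": unseal(bob_key, blob), "server": zoom.bridge_to_pstn()[0]}

    relay = RelayServer()
    alice, bob = E2EEClient(), E2EEClient()
    bob.agree(relay.relay_pub(alice.pub))
    alice.agree(relay.relay_pub(bob.pub))
    blob = relay.relay(seal(alice.meeting_key, message))
    try:
        server_view = relay.bridge_to_pstn()[0]
    except LookupError:
        server_view = None
    e2ee_model = {
        "bob": unseal(bob.meeting_key, blob),
        "server": server_view,
        "server_guess": relay.best_effort_guess()[0],
    }
    return {"message": message, "server_model": server_model, "e2ee_model": e2ee_model}


if __name__ == "__main__":
    for model, view in run_models().items():
        print(model, view)
```

In the first model the server’s PSTN bridge reads the same plaintext Bob does; in the second, the only thing that changes is who derived the key, and the bridge has nothing to decrypt with. That is also why a PSTN dial-in cannot join a truly end-to-end encrypted meeting without some endpoint on the Zoom side holding the key.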
Without E2EE, the exposure for free users is not the network eavesdropper that a man-in-the-middle (MitM) attack relies on; the per-meeting encryption Stamos describes already denies an on-path attacker the content. The exposure is the party that holds the key. Because Zoom’s connector servers can decrypt meeting content to bridge it into the PSTN, the company itself can read or alter what passes through, and so can anyone who compromises that infrastructure or compels the company with a legal demand. That is the gap that will remain for free users.
That said, Stamos also clarified that Zoom doesn’t “proactively monitor content in meetings” and the company will not do so in future either. “Zoom doesn’t record meetings silently. Neither of these will change. Our goal is to offer an end-to-end encryption solution that provides a stronger guarantee,” said Stamos.
Stamos defended Zoom’s decision by saying, “The current decision by Zoom’s management is to offer E2EE to the business and enterprise tiers and not to the limited, self-service free tier. A key point: organizations that are on a business plan but are not paying due to a Zoom offer (like schools) will also have E2EE.”
Zoom’s stance on E2EE seems swayed toward what governments want from service providers. Governments worldwide, including India’s, have asked apps like WhatsApp to build a backdoor into their E2EE so that users’ chats can be accessed when law enforcement requires it. Privacy advocates and companies have repeatedly argued that any such backdoor breaks the whole idea of E2EE and is akin to removing it.
Some have also defended Zoom, saying that its service should not be judged by the same standards as messaging apps such as WhatsApp. Stamos also pointed out that none of the “major players” offer E2EE by default, naming Google Meet, Microsoft Teams, Cisco WebEx and BlueJeans, which are Zoom’s primary competition. “WebEx has an E2E option for enterprise users only, and it requires you to run the PKI and won’t work with outsiders. Any E2E shipping in Zoom will be groundbreaking,” he added.