Zoom is the most popular video conferencing platform out there, and it has finally given in to calls to provide end-to-end encryption for all users.
Previously, Zoom wanted to offer end-to-end encryption only to its paying users. This means that only those who pay for its services would benefit from secure communication in which only the sender and the recipient can see the content.
Without end-to-end encryption, the content is only encrypted between client and server, meaning that the data is readable when it passes through the company’s servers.
In a meeting with investors, the company’s CEO, Eric Yuan, explained that Zoom planned to exclude free calls from end-to-end encryption to make sure it is still possible to “work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose”.
Soon, it started receiving criticism for that plan from a coalition of tech organizations, nonprofits, and tens of thousands of internet users.
In an open letter, Mozilla for example said of end-to-end encryption that the "strongest possible security and privacy features should be available to all consumers."
And because end-to-end encryption is already a basic form of security in modern communication apps, this kind of security feature shouldn't be made a premium one that is available only to wealthy individuals and big corporations.
Encryption is a key issue for Zoom, which has been attempting to ramp up its privacy and security after heavy usage exposed security flaws during the 'COVID-19' coronavirus pandemic.
The concerns range from data leaks to advocates saying that predators use Zoom, among others, to prey on children, and strong encryption would make malicious and illegal content difficult for moderators and police to catch. But at the same time, encryption would provide additional protection to users who are discussing sensitive information or are at risk of intrusion and harassment.
At the time, Yuan emphasized that encryption requires trade-offs as well, since people can’t do things like dial into an encrypted call with a phone. So it’s likely that even many business customers won’t use it all the time.
The problem was that Yuan's comments emphasized that Zoom wanted to have law enforcement backing as one of its priorities.
A spokesperson for the company said that:
"Zoom’s end-to-end encryption plan balances the privacy of its users with the safety of vulnerable groups, including children and potential victims of hate crimes. We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity."
Zoom, which said it had more than 300 million daily users but later corrected its statement to read “300 million daily Zoom meeting participants,” is a video platform that exploded in popularity after coronavirus-related lockdowns happened in many places around the world, forcing many to stay at home for work and study.
With the backlash, Zoom had to choose one side.
Zoom made a U-turn on its decision after speaking with civil liberties organizations, child safety advocates, encryption experts, government representatives, and users.
Announcing the change in a blog post, Yuan said that the company has "identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform."
This enables Zoom to offer end-to-end encryption "as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform."
First, all Zoom users continue to use AES 256 GCM transport encryption as the default encryption.
Second, the end-to-end encryption, which Zoom has made public on GitHub, is meant to be an optional feature as it limits some meeting functionality, such as the ability to include traditional PSTN phone lines or SIP/H.323 hardware conference room systems.
For more privacy, hosts are given a way to manually turn end-to-end encryption on or off on a per-meeting basis.
To enable the feature, Yuan said free/basic users are required to verify their phone number via a text message. This risk-based authentication step should help limit the mass creation of abusive accounts.
“We encourage everyone to continue to share their views throughout this complex, ongoing process,” Yuan said.