Zoom will finally roll out end-to-end encryption next week.
Video-conferencing platform Zoom is rolling out a technical preview of its end-to-end encryption (E2EE).
Zoom has faced various controversies around its encryption policies over the past year, including several lawsuits alleging that the company falsely told users that it offers full encryption. Then, the platform came under attack in May when it announced that it would indeed offer E2EE – but to paid users only.
Backlash
The company later backtracked after backlash from privacy advocates, who argued that security measures should be available to all. Zoom will now offer the feature to free/“Basic” users.
The 1st phase of the E2EE rollout aims to solicit feedback on its policies. Users will be able to weigh in during the first 30 days. Users will need to turn on the feature manually.
“We’re pleased to roll out Phase 1 of 4 of our E2EE offering, which provides robust protections to help prevent the interception of decryption keys that could be used to monitor meeting content,” explained Max Krohn, Head of Security Engineering with Zoom, in a Wed. post.
End-To-End Encryption Errors
Encryption is critical for Zoom as it ramps up its security & privacy measures – particularly after various security flaws & privacy issues exposed weaknesses in the online meeting platform, as its user base grew exponentially during the coronavirus pandemic.
Zoom previously commented that it offered E2EE, but that marketing claim came into question after a Mar. report from The Intercept suggested that Zoom’s platform actually uses transport layer security (TLS) encryption, providing only encryption between individual users & service providers, instead of directly between the users of a system.
E2EE
While “encryption” means that in-transit messages are encrypted, true E2EE occurs when the message is encrypted at the source user’s device, stays encrypted while it’s routed through servers, & then is decrypted only at the destination user’s device.
On the heels of this backlash, Zoom in May acquired a small start-up called Keybase, with the aim of providing more robust encryption for Zoom calls.
In next week’s rollout, Zoom’s E2EE offering will use public-key cryptography, meaning that the keys for each Zoom meeting are generated by participants’ machines (as opposed to Zoom’s servers).
Compromised Keys
“While this is still limited across the features it’s enabled for, it represents a significant step in the right direction with regards to ensuring user security & privacy on the platform,” Jack Mannino, CEO at nVisium, explained. “Distributing keys to the clients & decentralising trust gives users increased assurance that their communications are less likely to be intercepted through compromised keys or infrastructure.”
Says Krohn, “Encrypted data relayed through Zoom’s servers is indecipherable by Zoom, since Zoom’s servers do not have the necessary decryption key. This key management strategy is similar to that used by most end-to-end encrypted messaging platforms today.”
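The key handling described above, sketched as an added example (not Zoom's code or protocol): each participant generates a key pair locally, the host wraps a meeting key for the guest, and a relay forwarding the traffic cannot unwrap it. The toy Diffie-Hellman parameters, the HMAC-based cipher and all names are assumptions chosen so the sketch runs on the Python standard library; a real client would use vetted primitives.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2  # toy Diffie-Hellman parameters (assumption, not a vetted group)

def keypair():
    """Made on the participant's own machine; only the public half leaves it."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(my_priv, their_pub):
    """Both participants derive the same 32-byte key from the DH secret."""
    secret = pow(their_pub, my_priv, P).to_bytes(32, "big")
    return hashlib.sha256(secret).digest()

def _sub(key, label):
    """Separate sub-keys for encryption and authentication."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC built from HMAC-SHA256, standing in for a real AEAD cipher."""
    nonce = secrets.token_bytes(16)
    ks = _stream(_sub(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None when the key is wrong or the data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    ks = _stream(_sub(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def run_meeting(frame=b"constructed media frame"):
    host_priv, host_pub = keypair()
    guest_priv, guest_pub = keypair()
    relay_priv, _ = keypair()              # the server's own key, not a participant's
    meeting_key = secrets.token_bytes(32)  # generated on the host's device
    # The relay sees only host_pub, guest_pub, wrapped and sealed_frame.
    wrapped = seal(shared_key(host_priv, guest_pub), meeting_key)
    sealed_frame = seal(meeting_key, frame)
    guest_view = unseal(unseal(shared_key(guest_priv, host_pub), wrapped), sealed_frame)
    relay_view = unseal(shared_key(relay_priv, host_pub), wrapped)
    return guest_view, relay_view, frame in sealed_frame
```

The sketch takes for granted that each public key reaches the other participant unmodified; a relay able to substitute public keys in transit could insert itself, which is why verifying participant identity matters alongside the encryption itself.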
Next Week’s Rollout
Zoom hosts can enable E2EE at the account, group, or user level in their settings. Zoom outlined that in Phase 1 of its rollout, all meeting participants must join from the Zoom desktop client, mobile app, or Zoom Rooms. In order to see that E2EE is enabled, participants can look for a green shield logo in the upper left corner of their meeting screen with a padlock in the middle.
Enabling the feature may disable certain other features, such as “join before host,” cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat & meeting reactions, commented Zoom.
Top Priority
“Zoom’s top priority is the trust & safety of our users, & our implementation of E2EE will allow us to continue to enhance safety on our platform,” explained Zoom. “Free/Basic users seeking access to E2EE will participate in a 1-time verification process that will prompt the user for additional pieces of information, such as verifying a phone number via text message.”
Zoom said the 2nd Phase of the rollout, which will include better identity management & E2EE single sign-on (SSO) integration, is road-mapped for 2021.