Zoom Finally Rolls out End-to-End Encryption

Zoom has finally announced its end-to-end encryption (E2EE) capabilities will be made available to users, significantly enhancing the security of video and voice calls.

The video conferencing giant’s head of security engineering, Max Krohn, said the first of a four-phase roll-out would begin next week. During this “technical preview,” users will be able to provide feedback to the firm for the first 30 days.

Zoom’s E2EE is based on the same AES 256-bit GCM encryption it currently uses but will add an extra layer of security to calls when conference hosts deem it important. As keys aren’t stored by the company itself, it could reassure those concerned about Zoom’s large China-based engineering team.

“In typical meetings, Zoom’s cloud generates encryption keys and distributes them to meeting participants using Zoom apps as they join,” explained Krohn.

“With Zoom’s E2EE, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants. Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents.”
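The key distribution Krohn describes, as an added sketch in Node.js that is not Zoom's code or protocol. It assumes X25519 key agreement plus HKDF to wrap the host-generated AES-256-GCM meeting key for each participant, and that participants' public keys are already authenticated; all names and the meeting ID are constructed.

```javascript
const crypto = require('crypto');

// Assumed scheme: X25519 shared secret -> HKDF-SHA256 -> 256-bit key-wrapping key.
function wrapKeyFor(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'demo-e2ee-wrap', 32));
}

function gcmSeal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per message
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function gcmOpen(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // final() throws on a bad tag
}

// Host: generate the meeting key locally and wrap it once per participant.
function hostDistribute(hostKeys, participantPubs, meetingId) {
  const meetingKey = crypto.randomBytes(32);
  const wrapped = {};
  for (const [name, pub] of Object.entries(participantPubs)) {
    wrapped[name] = gcmSeal(wrapKeyFor(hostKeys.privateKey, pub), meetingKey, Buffer.from(meetingId));
  }
  return { meetingKey, wrapped }; // only `wrapped` is handed to the relay
}

// Participant: unwrap with own private key and the host's public key.
function participantUnwrap(myKeys, hostPub, box, meetingId) {
  return gcmOpen(wrapKeyFor(myKeys.privateKey, hostPub), box, Buffer.from(meetingId));
}

// Constructed run: the relay forwards wrapped.alice and a media frame but cannot open either.
function demo() {
  const [host, alice, relay] = [0, 1, 2].map(() => crypto.generateKeyPairSync('x25519'));
  const id = 'constructed-meeting-001';
  const { meetingKey, wrapped } = hostDistribute(host, { alice: alice.publicKey }, id);
  const frame = gcmSeal(meetingKey, Buffer.from('hello'), Buffer.from(id));
  const aliceKey = participantUnwrap(alice, host.publicKey, wrapped.alice, id);
  let relayFailed = false;
  try { participantUnwrap(relay, host.publicKey, wrapped.alice, id); } catch { relayFailed = true; }
  return { aliceText: gcmOpen(aliceKey, frame, Buffer.from(id)).toString(), relayFailed };
}
```
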

The functionality is available to free and paid users and can host up to 200 participants in a meeting. However, features including join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat and meeting reactions are not available with E2EE in this first phase.

Zoom came in for strong criticism early in the year when it said E2EE would only be available for paid users because, in the reported words of CEO Eric Yuan, “we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose.”

It quickly backtracked on the issue after industry uproar. However, on another occasion, Zoom was called out for falsely claiming it provided E2EE when it did not.

The timing of Zoom’s announcement could be better, however: the Five Eyes nations plus India and Japan recently signed yet another statement calling on tech firms to build backdoors into end-to-end encryption in order to allow law enforcement to access data on suspects.

Zoom could now be dragged into this long-running tussle between Western governments and US tech firms.
