As you may recall, earlier this month Zoom revealed that it would only enable end-to-end encryption on paid accounts. The free accounts were not going to get that protection. After public outcry (and, I suspect, loss of customers), Zoom now says it will add end-to-end encryption for all users starting in July of 2020.
“Since releasing the draft design of Zoom’s end-to-end encryption (E2EE) on May 22, we have engaged with civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others to gather feedback on this feature. We have also explored technologies to enable us to offer E2EE to all tiers of users.”
Zoom has released an updated E2EE design on GitHub.
In its blog post, Zoom states that the updated E2EE design “balances the legitimate right of all users to privacy and the safety of users on our platform.” In addition, Zoom says the new design will enable them to “maintain the ability to prevent and fight abuse” on their platform.
There is a bit of a “catch”, however. Free/Basic users will not automatically have E2EE applied. To get it, these users must give Zoom a phone number and verify it via a text message.
In other words, users have to give Zoom more information before they can get E2EE protections. I’m not sure how many people trust Zoom with their phone number, considering (as TechCrunch reported in April) Zoom routed some calls made in North America through China – along with encryption keys.
Zoom says the early beta of the E2EE feature will begin in July of 2020. Betas are known to be a bit wonky, as users discover “bugs” and other problems. I wouldn’t consider a beta of E2EE to offer much protection.
Hosts of Zoom calls will be able to toggle E2EE on or off on a per-meeting basis. Account administrators will also be able to enable and disable E2EE at the account and group level. To me, it sounds like people using a free Zoom account will be told they have E2EE protection (sometime after the beta ends). But they won’t really have it if their employer can turn it off.