Zoom will offer end-to-end encryption to all its users, paid and free, around the globe as an advanced add-on, the company announced on June 17. The company will introduce an early beta version of end-to-end encryption in July 2020. The company has released the second version of its white paper on end-to-end encryption for public feedback. Zoom had released the first white paper for consultation on May 22.

This announcement comes a fortnight after CEO Eric Yuan faced significant flak for saying, during Zoom’s earnings call, that end-to-end encryption would only be available for Business and Enterprise users. He had then said that the security feature would not be available to free users “[b]ecause we also want to work it together, see if this with FBI, with local law enforcement, in case some people they use Zoom for the better purpose”. Even then, it was not clear if Pro users, that is, users on the cheapest paid plan, would be offered end-to-end encryption.

How will this work?

End-to-end encryption will be an optional feature. The default will be the “enhanced encryption” via AES 256 GCM that Zoom started offering from May 30: communication is encrypted from the sending client to the Zoom server and from the Zoom server to the receiving client, so Zoom has access to the content of the communication. If end-to-end encryption is enabled, decryption happens only on the device of the receiving client, which makes the communication opaque to Zoom servers. As a result, even if Zoom’s servers are hacked, the hacker would not have access to the content of end-to-end encrypted communication.

Once a meeting starts, users cannot toggle between end-to-end and enhanced encryption.
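The difference between the two modes described above can be shown with a small model. This is an added example, not code from Zoom or its white paper; the function names are hypothetical and the keys are random values standing in for whatever key agreement each mode uses.

```javascript
// Simplified model, constructed for illustration; this is not Zoom's protocol.
// Key agreement is out of scope: keys are random values handed to each party.
const nodeCrypto = require('node:crypto');

// AES-256-GCM encrypt: returns nonce, ciphertext and authentication tag.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt: throws when the key is wrong or the packet was altered.
function unseal(key, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Enhanced mode: the server shares one key with each client, so it decrypts
// the inbound hop and re-encrypts for the outbound hop.
function relayEnhanced(message) {
  const senderHopKey = nodeCrypto.randomBytes(32);   // sender <-> server
  const receiverHopKey = nodeCrypto.randomBytes(32); // server <-> receiver
  const inbound = seal(senderHopKey, message);
  const serverView = unseal(senderHopKey, inbound);  // plaintext on the server
  const outbound = seal(receiverHopKey, serverView);
  return { serverView, received: unseal(receiverHopKey, outbound) };
}

// End-to-end mode: only the endpoints hold the meeting key; the server
// forwards the sealed packet unchanged and has no key that opens it.
function relayE2E(message) {
  const meetingKey = nodeCrypto.randomBytes(32);     // endpoints only
  const serverOwnKey = nodeCrypto.randomBytes(32);   // all the server holds
  const packet = seal(meetingKey, message);
  let serverView = null;
  try {
    serverView = unseal(serverOwnKey, packet);       // fails GCM authentication
  } catch (err) {
    serverView = null;                               // server learns nothing
  }
  return { serverView, received: unseal(meetingKey, packet) };
}
```

In both functions `serverView` is what a compromise of the relay would expose: the full message in enhanced mode, nothing in end-to-end mode.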

Why is end-to-end encryption optional?

Zoom said this is because end-to-end encryption limits some functionality, such as the ability to dial in using traditional PSTN phone lines or SIP/H.323 hardware conference room systems. For dialing in using phones or SIP/H.323 devices, Zoom can only offer enhanced encryption, where communication is decrypted at a Zoom server and re-encrypted before being sent to the receiver, the white paper explained.

Caveats

  • End-to-end encryption is not available for dial-in phones, SIP/H.323 devices, web browsers, Zoom webinars, and Zoom chat. “Join Before Host”, cloud recording and some other features will not be available.
  • While paid users will be authenticated by virtue of having made a payment, free users will have to participate in a one-time process that authenticates them. This could include verifying a phone number via a text message.
  • Account administrators can enable and disable end-to-end encryption at the account and group level.
  • In certain specific cases, such as to report abuse, secret keys and unencrypted meeting content will be provided to Zoom servers if authorised by the meeting host.

Unanswered questions

  • Will users get a notification if their account is switched from E2E to default AES 256 GCM encryption? Do users have to enable E2E for every conversation, or can they set it as the default for all conversations?
  • Does the meeting host decide whether a Zoom conversation is end-to-end encrypted, or does the administrator of the Zoom plan decide whether or not this feature should be made available to every user on the plan? Does this mean that if a company purchases a Pro, Business or an Enterprise plan, the administrator(s), as decided by the Zoom account owner, can decide which hosts and users have the end-to-end encryption feature? Or does it mean that the administrator, not the host, can decide which meetings will be end-to-end encrypted?
  • Since a meeting host can share secret keys with the Zoom servers to report abuse, does this mean that the meeting host has access to the keys, or that the keys have a lower level of encryption that can be decrypted for reporting purposes?
  • How can users other than the meeting host report abuse?
  • Since end-to-end encryption will be available to “all” Zoom users “around the globe”, does it include Chinese users whose data can only be routed through servers located in China and where Zoom no longer provides free accounts because of “regulatory requirements”? Could the Chinese government still order account takedowns?

We have reached out to the company with these questions.