On June 3, we spoke to Zoom’s India head Sameer Raje about the company’s privacy troubles; what it has been doing to reassure the government amidst security concerns raised by the Home Ministry and in the Supreme Court; India-specific challenges and plans; and what the company’s plans are with regard to the Data Protection Bill.
An edited transcript of the interview follows.
MediaNama: We have seen a real growth of your service in the world and in India. Zoom recently acquired Keybase to implement end-to-end encryption for some customers. Why is it only being offered to enterprise customers and schools? Will you also offer it to Pro users who aren’t paying enough for an Enterprise tier?
We did acquire Keybase for end-to-end encryption. But we need to understand what we mean by end-to-end encryption. That’s where everything hinges. Were Zoom meetings not encrypted to begin with? They were very well encrypted, and in one of the best possible formats in the world at that point of time. It was industry best at that time too probably.
What we need to understand is Zoom is not a one-to-one video calling application. It’s a unified communication and collaboration platform. What that means is that in a communication platform you need to have various formats of communication or collaboration coming in. You need to have users from different formats, devices and applications to be permitted to come in.
Before we acquired Keybase, we announced that we were going to go heavier with 256 bit GCM encryption. Before then if you were using Zoom on a laptop or mobile phone, your meetings were encrypted, period. They were encrypted with 256 bit encryption. When you are using a phone to call in — and since we are a unified collaboration platform we have to allow that — in that case, we are saying that it’s not end-to-end encrypted. A voice call cannot be encrypted.
Similarly if you are joining Zoom from different devices, different video conferencing devices or applications, that’s where the encryption format may change. So till the time you’re using Zoom applications on your laptop or phone or Zoom Room, you are absolutely encrypted.
What we’re doing is we are going one step ahead and offering end-to-end encryption for all those users who need it for highly confidential or top secret discussions where they don’t want any other device or format of communication to log into those meetings. When a customer is using end-to-end encryption, they will have a lot of restrictions on the kind of device or application that can connect to the platform. That’s the basic difference.
Zoom meetings were already encrypted. We have gone beyond with Zoom 5.0, with GCM encryption that other top players don’t have.
MediaNama: If you look at the situation with Zoom, it was claiming that it was end-to-end encrypted when it was not. So you can hardly say that this was the best encryption in place, and it has been widely acknowledged that this was a false claim.
Yes, we went on the record and publicly mentioned the fact that this was a miscommunication from our side. It’s not a question of not being the best encryption format available, it was the best encryption format available then, and it remains so. The miscommunication was that it was end-to-end encrypted. If you are using Zoom’s apps to login from laptop or mobile device, they were always encrypted in the best possible format. Most of the players today probably aren’t on 256 bit GCM, which we use.
So yes, there was a miscommunication, when we claimed it was end-to-end encrypted, which has been honestly put forward on our blog. We don’t try to hide anything on that front.
MediaNama: End-to-end encryption necessarily means that Zoom will have less visibility into calls. How will you balance that problem with content moderation, especially for schools and educational institutions?
We don’t moderate the content anyway. We don’t have any access to the information that is being shared on our platform. Even if we wanted to, we couldn’t check what’s shared on our platform, it’s all encrypted. When it comes to the security of children or schools, let’s say someone has shared inappropriate content on the platform; any law enforcement agency in India can send us a request and we have a process where the team puts together the requisite information on that person, including login details and IP address, and we share that with law enforcement.
That is in line with the requirements of our government and of the guidelines of the constitution. That can be shared, and the offender can be brought to the book.
MediaNama: Are you seeing these requests coming in more regularly from India?
It’s a catch-22 situation, to be honest. If you look at what’s been happening, needless to say, cybercrime has gone up by 600%. So yes, there’s a threat. If you look at the particular incidents like zoombombing, they have been pranks by known people. In schools’ cases, it’s been the kids who have themselves shared the meeting details with other students from other schools and asked them to join the meeting.
So we always tell schools and teachers to be cautious, because it’s very easy to go to the cybercrime police and report the offence; and we would be happy to comply; but the issue is, when it comes to the child who played this prank — and I’m sure you would have done pranks where you went to other classes; I used to do that — it’s the same scenario. We just need to educate our children and caution them as to why they shouldn’t be sharing meeting details. And if it’s a real offence, we need to follow the law.
Teachers are also a little bit wary because when there are intrusions they realize that this is being done as a prank by some other child or something and going to cybercrime police may result in a lot of problems. But at Zoom, we have given controls to the teacher, who can expel the known offender, and are also complying with local rules and regulations by giving the requisite details as the need may be.
We have in fact brought in one more feature on our platform to report users. The teacher or host of the classroom can immediately report a user and we can block that ID or prevent it from logging in again if it is really found to be inappropriate.
MediaNama: We’ve had the Home Ministry advisory from CyCord that says Zoom is not safe for professional or government use. There is a Supreme Court case as well going on to ban Zoom in India. How are you working on a policy front to reassure the government and users?
We need to take one step back. If you go into the MHA advisory in totality — the first advisory on 12th March, which was pretty fair, talked about Zoom features and functionalities and how to safeguard [privacy], and it was revised on 16th April.
This advisory is based on two certain advisories from CERT-In, which is the actual regulatory body that looks after the Indian cyberspace and software and so on. The functionality of CERTs across the world is to report on platform vulnerabilities and safeguard users.
Both the advisories highlighted in MHA’s advisories do not state that Zoom is safe to use. The CERT advisories in particular say that these are the vulnerabilities and this is the fix, to upgrade to the latest version of the app. That is a standard CERT practice for any application. You’ll find thousands of such advisories for all applications. The other advisory is talking about best practices, how to use features and functionalities to safeguard privacy, etc.
The MHA advisory is, I would say, factually incorrect. But we are sharing all the details. We are working with MHA and MEITY to support them in case of any misinformation they have. We are working with them to share all requisite information about our organization as well as our platform and technology. It has already been shared, in fact. And we are sure that they will take the right decision.
MediaNama: And what would that decision look like? Would it be a withdrawal of that advisory?
Yes, of course. We would expect them to be fair. We want them to communicate the facts as laid out in the CERT advisories. If you look at the CERT advisory of 29th May, it clearly talks about Zoom 5.0 and the security and upgraded features. So we just want MHA to communicate facts in the market.
MediaNama: On end-to-end encryption, do you plan on making it available to Pro users as well, who are paying but don’t have enterprise plans?
It’s a little bit nascent right now. We have put our white paper out seeking comment. As far as our products are concerned, whether it’s a free or business user, the security offered is the same. If you go and buy a car, the costlier car you buy, the more airbags you’ll get.
The basic security is the same, you get the same security features and functions. But for paid users, there are additional features for administration, which are equivalent to the additional airbags for security. That will come for paying users.
End-to-end encryption will be available to all paid users if I can remember correctly; but it would be too early for me to get into the details. Our engineering team is still working on it, based on which we will have the final plans.
MediaNama: Is there a plan to improve mechanisms to restrict access to Zoom meetings, like additional authentication apart from a meeting ID and password?
There are multiple ways of logging in to a meeting. It’s a fine line between ease of use and making the product more complex and heavy. We want our users to have the same, simple, easy-to-use kind of functionality and feature while making it more robust and security-dependent. As of now there are multiple options of having a password sent out separately or embedding it in the URL; and sending it separately in a calendar invite.
As we continue ahead there will be more things. We also have a single-sign-on for our paid users. You don’t need to sign in separately for your Zoom meeting. So if I get a Zoom meeting from my internal meeting, I’m already signed on. Similarly my fellow colleagues would be signed on. That is an additional level of security.
Similarly we have a domain lock feature, which some of our schools are using to a very great extent. They realize it’s one of the best features, where you can actually restrict the participants joining the meeting to those having an email address with their domain. So outside users wouldn’t be able to join those meetings. We have seen a reduction of zoombombing in these cases to almost nil.
There are a lot of these tools that we are already using for better authentication and we will continue to build on them.
MediaNama: It almost seems as if there is a differential level of privacy and security as you go up the tiers. It’s almost sounding as if you have to pay more for better privacy. Is that the kind of thinking we should see in an app that has received this kind of scale? Why should we have to pay more for more security and privacy?
When you talk about security, yes, security features are additional. As I said, the basic security features like end-to-end encryption, username and password, are the same across all the user models, whether you’re using a free or premium account.
What differs the higher you go, is the additional portal capabilities or additional administration and domain capabilities which cannot be provided on a freemium model anyways. In those models you have a public Gmail ID, for instance, so you can’t have that feature in the first place.
But the basic security features like usernames and passwords are all common [across different tiers]. In fact, for K-12 schools, we have privacy rules that are different. When a school or student signs, there is a particular permission that is required for a student to come on board, without which we don’t let them join.
MediaNama: End to end encryption is only being offered to enterprise customers and schools. Why not to everyone? WhatsApp calls allow end to end encryption for everyone.
I think we already answered that. Because we are not WhatsApp. We are not a one-to-one calling app, we are a collaboration platform.
MediaNama: Understood. But why isn’t end-to-end encryption offered to all users? That’s a baseline security norm.
If you are on a Zoom client on mobile or PC, and the other person is too, your calls are encrypted. It’s an end-to-end encryption.
MediaNama: So they’re end-to-end encrypted, and not just encrypted?
So client to client meetings are all entirely encrypted; so you can say it is end-to-end encrypted. It is not end-to-end encryption when you bring in an additional format of communication, like a phone or some other formats. As long as everyone is using a Zoom client on any device, it is end-to-end encrypted. That’s the clarity on it I can offer you.
[Note: Alex Stamos, who is an outside advisor for Zoom on security issues, told MediaNama that this claim by Raje was incorrect. “He was mistaken and that is not Zoom’s position,” Stamos said. “While content is encrypted between participants, the keys are created and held on Zoom’s servers and are used by those servers when needed (such as to allow for phone bridges) and this does not meet the definition of end-to-end encryption. Zoom is working on true end-to-end, which will be implemented in a special meeting type where certain features [are] to be disabled.”]
MediaNama: The Personal Data Protection Bill is in committee right now. It has protections in place for minors, which includes age verification, guardian consent, and rules against tracking and advertising. Do you think your product is ready to comply with the requirements set out in the latest draft?
Two things on that. One is the data protection and the second is the data localisation.
We are compliant with that even today. As far as certain other rules that are coming in that are in the drafting stage, we are waiting for the policy to be put out in the open, and we will then be able to comment on what the facts are and how far we are compliant.
Whatever the state might be, we will ensure that we are compliant. We are compliant today, and we will remain compliant tomorrow, even when some new laws come into the picture.
MediaNama: Has Zoom faced any unique networking issues in terms of connectivity with internet service providers?
Technically, I don’t think so. Because we also partner with a lot of telcos. We partner with Airtel for selling our services; we partner with Tata Communications for hosting of our services — we are hosted on their data centres in Mumbai and Hyderabad.
If you ask me network related challenges, no; but there are certain other issues, like bandwidth fluctuations and [unclear] trips, remote area connectivity issues, and so on.
Our product works well with low bandwidth as well, so that’s one thing our users really love about the service.
MediaNama: How big has Zoom’s growth in India been? How many schools are using the service?
That’s a tough one to be honest. We haven’t done the fact finding. To be honest with you, I’ve been working 18-20 hours a day, so it’s difficult to have the numbers offhand. I received requests from 8-10 schools yesterday which were looking forward to moving to Zoom. But we haven’t sat down and done the bifurcation. Globally, we have announced that we have 100,000 schools; but how many in India, how many in Singapore… that’s a bit hard to answer at this stage.
Once we have settled down and life normalises a little bit, I may have an answer for you about that.
MediaNama: How about overall users and the increase in that? Is that something you have a rough idea on?
We haven’t done a bifurcation country-wise for any country, forget about India. We have 300 million participants a day. You can imagine the pressure we’re under because of this growth. We’re just trying to survive at this stage.
MediaNama: All free calls in India are routed through servers in the US. The call we’re on right now is being routed through Mumbai, I’m guessing on the Tata datacentre you mentioned earlier. Do you expect to increase the bandwidth and connectivity in India to route free calls through Indian servers as well, or do you expect the status quo of routing free users through the US to continue? The latency for Indian servers is significantly lower by a factor of ten and more reliable.
Well, not really — you can technically say that the time of response can be slightly higher on US servers. But the way our network is functioning, you won’t realise that amount of lag, because it’s less than five seconds that we take a response from a particular datacentre and respond back [sic].
It’s not based on the network requirements or increasing the bandwidth in India that the provisioning is done. Free users typically have a lot of Gmail and Yahoo IDs as well… But who knows, we might route them through India as well in the near future.
MediaNama: Do you plan on doing rupees pricing in India? Euro pricing exists in the EU, and some other currencies are supported in some countries.
Yes. And that is coming up. That is definitely in the plans. It is also available through our partners [like Airtel] who sell in INR.
MediaNama: Do you expect a country-specific pricing in India?
Yes, we do. We should have it in a month’s time. The COVID situation delayed it unnecessarily, but it would have been up and live, probably a month or two back.
MediaNama: So we can expect lower pricing on some of the tiers?
[laughter] That is speculative, but I would say our pricing is global. If you look at the base package we have, it is $14.99, works out to about Rs 1,100, which is less than 40 bucks a day. Probably two cups of tea a day. That is economical when you can do unlimited meetings for the month.
We are quite economical already, and we feel that we’re well placed. But you’ll have to hold on to see what we do for India.
MediaNama: All digital products in India are subject to an 18% GST. Zoom has tax-related documents for Singapore and Australia, but we don’t see such documentation for India. We don’t have a GST line item on Indian invoices. Is Zoom paying this tax in India?
If you buy through the partners, GST and all relevant taxes are paid by them; they wouldn’t sell anything without complying with Indian rules and regulations. If you buy online, what happens is that the invoices are net of taxes. There is a WBS-9 form which comes as a link to you in the invoice itself, it’s a small blue link, and you can select that option.
MediaNama: So right now, that burden of paying the tax is on the customer?
Yes. But when it is through a partner in India, the partner pays the taxes.
MediaNama: You have JioConference coming up, and a host of other conferencing apps coming up. So what future do you see for yourself in India?
We are not a video conferencing or video calling app, we are a collaboration application, and we have a host of services. We’ve got services like Zoom Rooms, huddle rooms, digital signage, API integrations and so on. If you buy some large video conferencing devices and plonk them in your offices, you can straight away start using Zoom Rooms. You can share your content from your laptop without even connecting any wires to your laptop. Isn’t that amazing?
You can schedule your Zoom Room meetings, find other Zoom Rooms on the same floor through a digital interface, there’s a lot of applications and a lot of products that are yet to come to India. We are working on that and should be launching a few more products shortly.
We provide end-to-end collaboration services all the way from desktops and laptops to video conferencing rooms; if someone needs a multi screen stadium kind of set up, or an amphitheatre, we can service those requirements. Video conferencing is just one component, although it is a significant component.
Update (June 10): Added clarification on end-to-end encryption by Alex Stamos.