Zoom’s Adding End-to-End Encryption For Real This Time, But It Will Cost You

Zoom’s Adding End-to-End Encryption For Real This Time, But It Will Cost You

Zoom, the video conferencing platform du jour while nearly everyone’s stuck inside under shelter-in-place orders, has been gradually beefing up its security as part of a 90-day plan after a wave of disturbing troll attacks drew international ire. On Thursday the company announced its latest step: finally implementing the kind of encryption protocols that it led investors and users to believe it already supported.

With the acquisition of Keybase, a New York-based startup specializing in encrypted messaging and cloud services, Zoom will finally be able to make good on its claims of offering end-to-end encryption.

“We are excited to integrate Keybase’s team into the Zoom family to help us build end-to-end encryption that can reach current Zoom scalability,” CEO Eric Yuan said in a Zoom blog post on Thursday.

As reported by the Intercept in March, security experts found that the platform’s home-baked encryption system fell short of what it was marketed as, and instead qualified as transport-layer encryption since it still allowed Zoom’s servers to see certain content from the client end. With true end-to-end encryption, à la apps like WhatsApp and Signal, only the people communicating with one another can see this content, and it remains inaccessible to whatever company’s behind the intermediary server they’re using. Zoom’s shareholders have since sued the company over allegations of fraud regarding this discrepancy.

This news comes with plenty of stipulations, however. Once in place, end-to-end encryption will only be available for users with paid Zoom plans (which start at $US14.99 ($23) per month), meaning anyone using Zoom’s free service won’t have access. If a meeting’s host has enabled this feature, participants will be barred from joining by phone and cloud-based recording will be disabled. In Thursday’s blog post, Yuan emphasised that the feature will not store the encryption key on Zoom’s servers, so the company will not be able to see any part of the call.

“We believe this will provide equivalent or better security than existing consumer end-to-end encrypted messaging platforms, but with the video quality and scale that has made Zoom the choice of over 300 million daily meeting participants, including those at some of the world’s largest enterprises,” he wrote.

The company also announced that it plans to publish a “detailed draft cryptographic design” on May 22 as it continues to roll out its 90-day security plan.