UPDATE: Oct. 27, 2020: Zoom made end-to-end encryption (E2EE) available globally, for paying and free Zoom users Monday. Available as technical preview, the feature uses 256-bit AES-GCM encryption, the same encryption used by default in meetings. Zoom is accepting user feedback on the feature for 30 days.
"When users enable E2EE for their meetings, nobody except each participant — not even Zoom’s meeting servers — has access to the encryption keys that are used to encrypt the meeting," according to the announcement.
To enable E2EE, meeting hosts generates encryption keys to distribute among up to 200 participants using public key cryptography. Zoom's cloud meeting servers "become oblivious relays and never see the encryption keys," the company said.
- Zoom is enabling end-to-end encryption across "all tiers of users" and launched its updated E2EE design on GitHub, CEO Eric Yuan said in a company blog post. The beta add-on will become available in July.
- Because E2EE disables some functions of the platform, including use of "traditional PSTN phone lines or SIP/H.323 hardware conference room systems," users can "toggle" the feature on and off depending on their meeting, according to Yuan.
- As E2EE is an optional feature, all Zoom users have the default encryption standard AES 256 GCM transport encryption. Account administrators have the ability to decide E2EE on account or group levels.
Zoom's security and privacy came under fire in March as the platform experienced widespread enterprise and consumer adoption. It began catering to two very different user bases and leaving a poor impression on potential customers, despite its competitors using similar technologies.
In the months since, Zoom agreed to implement further security guardrails with the expectation of regular code inspection, and giving hosts default access controls for privacy reasons. While Zoom absorbed most of the criticism for collecting meeting transcripts, other video platforms, including Cisco, Microsoft Teams and Google Hangouts were all noted to do some degree of transcript retention, according to an evaluation by Consumer Reports.
In consultation with civil liberty engineers, a newly-minted CISO council, and other privacy and security advocates, Zoom enabled E2EE "as an advanced add-on feature" for paying and non-paying customers.
The snowball effect of the last several months of remote work has resulted in organizations taking more steps to vet collaboration and communication platforms — tools traditionally viewed as candylike for employees — because they were bonus tools in an office environment.
"These are not the kinds of tools we focus a whole lot on before," said Bryan Ware, assistant director at the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) while speaking on a virtual panel last month.
Tools that are well over a decade old were not a security priority for CISA. The agency is more engaged with teleworking vendors and products to address risks and controls. "I think we'll be looking for new solutions for mid- and long-term to enable us" to be more secure and more confidence in teleworking over time, he said.
Eventually, Ware wants to provide organizations with documentation of CVEs and specific controls that are available (such as E2EE). The agency last issued interim guidance in April for teleworking tools.