Zoom’s chief executive revealed on Tuesday that no end-to-end encryption will be offered to free users as the company wants to assist the FBI and local law enforcement in their investigations.
Since the start of the COVID-19 pandemic, the popularity of Zoom has increased considerably due to many people being forced to work and study from home. This popularity also attracted the attention of privacy and security experts, who identified some serious issues in the video conferencing service, as well as the attention of bad actors who began to abuse the platform.
Zoom has vowed to act and has already begun introducing steps to help resolve security and privacy issues.
One such measure relates to end-to-end encryption. Zoom does encrypt communications between clients and its servers, but it does not currently offer true end-to-end encryption, which would prevent even the company itself from accessing the content of customer communications.
Last month, the company published a detailed draft of the cryptographic design it plans to use for its upcoming end-to-end encryption feature, which it said would be offered to paying customers and schools.
During a conference call following the release of financial results for the first quarter of fiscal year 2021, Zoom CEO Eric Yuan told investors that the company does not want to offer this kind of protection to free users, who are more likely to abuse the platform, because it wants to work with the FBI and local law enforcement if people use Zoom for “bad purposes.”
Some facts on Zoom’s current plans for E2E encryption, which are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues.
The E2E design is available here: https://t.co/beLdeAwMSM
— Alex Stamos (@alexstamos) June 3, 2020
In a long thread on Twitter, Alex Stamos, who was hired by Zoom as an external cybersecurity advisor, shared some details about the company’s plans for end-to-end encryption, which he says are “complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues.”
Stamos, who worked as CSO at Yahoo and Facebook in the past, said Zoom is not proactively monitoring the content of meetings and does not plan to do so in the future. He says the vast majority of abuse comes from people using Zoom for free, and the company is planning to take action that would “create friction and reduce damage.”
Stamos pointed out that if end-to-end encryption is enabled, the Trust and Safety team at Zoom will not be able to enter a meeting they believe to be abusive (this is now possible without end-to-end encryption), and there will be no backdoor to facilitate such access. Stamos also noted that certain features of the meeting are incompatible with end-to-end encryption. That is why end-to-end encryption will be opt-in “for the foreseeable future.”
“So we need to design the system to securely allow hosts to opt-in to an E2E meeting and carefully communicate to hosts and attendants the current security guarantees,” Stamos said.
Zoom’s first-quarter revenue was $328 million, and the company expects to generate up to $1.8 billion this fiscal year, with an estimated profit of up to $380 million.