Zoom has begun phase one of its end-to-end encryption rollout as the video communications giant continues efforts to improve privacy and security following a number of controversies.
All Zoom users – free or paid – can now host a meeting with up to 200 participants with end-to-end encryption on the platform, meaning the company cannot access any of the data it is hosting.
The company announced plans to roll out end-to-end encryption in May after it was criticised for claiming such protection was already in place when it was not.
The first phase will involve the encryption keys being generated and distributed by the meeting host rather than the Zoom server.
This means that Zoom’s servers become “oblivious relays and never see the encryption keys required to decrypt the meeting contents”.
“To be clear, Zoom’s end-to-end encryption uses the same powerful GCM encryption you get now in a Zoom meeting,” Zoom head of security engineering Max Krohn said in a blog post.
“The only difference is where those encryption keys live.
“In typical meetings, Zoom’s cloud generates encryption keys and distributes them to meeting participants using Zoom apps as they join.
“With Zoom’s end-to-end encryption, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants.”
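The host-generated key model described above can be sketched as follows. This is an added illustration, not Zoom's code or protocol: the article does not name the public-key scheme, so X25519 with HKDF-SHA256 is an assumption, as are all function names and the sample frame.

```javascript
// Added illustration, not Zoom's code. Assumed scheme: X25519 + HKDF-SHA256 + AES-256-GCM.
const crypto = require('crypto');

const gcmSeal = (key, plaintext) => {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per message
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
};

const gcmOpen = (key, { iv, ct, tag }) => {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if key or tag is wrong
};

// Key-encryption key derived from an X25519 shared secret.
const deriveKek = (privateKey, publicKey) => {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'meeting-key-wrap', 32));
};

// Host side: wrap the meeting key to one participant's public key.
function wrapMeetingKey(meetingKey, participantPub) {
  const eph = crypto.generateKeyPairSync('x25519'); // ephemeral key pair per wrap
  return { ephPub: eph.publicKey, ...gcmSeal(deriveKek(eph.privateKey, participantPub), meetingKey) };
}

// Participant side: recover the meeting key with the matching private key.
function unwrapMeetingKey(wrapped, participantPriv) {
  return gcmOpen(deriveKek(participantPriv, wrapped.ephPub), wrapped);
}

function demo() {
  const alice = crypto.generateKeyPairSync('x25519'); // participant
  const relay = crypto.generateKeyPairSync('x25519'); // server's own key pair, not a recipient
  const meetingKey = crypto.randomBytes(32);          // generated by the host, never sent in clear
  const wrapped = wrapMeetingKey(meetingKey, alice.publicKey);
  const frame = gcmSeal(meetingKey, Buffer.from('constructed media frame'));
  // The relay stores and forwards only `wrapped` and `frame`.
  const aliceKey = unwrapMeetingKey(wrapped, alice.privateKey);
  let relayCanUnwrap = true;
  try { unwrapMeetingKey(wrapped, relay.privateKey); } catch { relayCanUnwrap = false; }
  return {
    plaintext: gcmOpen(aliceKey, frame).toString(),
    keyMatches: aliceKey.equals(meetingKey),
    relayCanUnwrap,
  };
}
```

The sketch assumes the host already holds authentic public keys for each participant; how those keys are verified is not covered by the article's description of phase one.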
Zoom CEO Eric Yuan said this phase brings Zoom into line with other existing communications platforms offering this level of encryption.
“End-to-end encryption is another stride toward making Zoom the most secure communications platform in the world,” Yuan said.
“This phase of our end-to-end encryption offering provides the same security as existing end-to-end encrypted messaging platforms, but with the video quality and scale that has made Zoom the communications solution of choice for hundreds of millions of people and the world’s largest enterprises.”
The new offering will be open for technical preview from this week, with Zoom “proactively soliciting” feedback from users over the next month.
To use end-to-end encryption on Zoom, users must enable it on their account and then opt in before each meeting.
For it to work during this phase, users will have to join a meeting using the Zoom desktop client, mobile app or Zoom Rooms.
Initially, using this encryption feature will disable other features, including join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat and meeting reactions.
Phase two of the plan, which is “tentatively roadmapped for 2021”, will see Zoom roll out improved identity management and end-to-end encryption SSO integration.
Zoom revealed its encryption plans in late May, with a draft design published for peer review on GitHub.
It had earlier come under fire for “misleading” claims around encryption, with a report finding that while Zoom had stated on its website and accompanying white paper that it supported end-to-end encryption for meetings, this was not actually the case.
The report found that at the time, Zoom was offering “transport encryption” instead, the same method used to secure HTTPS websites, with data encrypted between Zoom users and the servers but with the company still being able to read it.
The company later apologised for the confusion and acknowledged that there was a “discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it”.
Shortly after this, Zoom introduced the industry standard encryption of AES-GCM with 256-bit keys while it prepared to introduce end-to-end encryption.
The company also earlier this year acquired Keybase, a secure messaging and file-sharing service.