Zoom has always had strong security precautions and encryption shouldn’t be viewed as a binary issue, the company’s APAC head Michael Chetner said.
Last month, Zoom was criticised for “misleading” claims around end-to-end encryption, with revelations that the platform did not in fact offer this level of protection, despite appearing to claim so in its white paper and on its website.
The tech company has since introduced industry-standard AES-GCM encryption with 256-bit keys and plans to soon offer full end-to-end encryption, releasing a draft design of the concept this week.
The video communication giant also recently acquired Keybase, a secure messaging and file-sharing service.
The startup’s team will now be used to develop Zoom’s plan to introduce end-to-end encryption to its platform, a major plank of its ongoing 90-day plan to address security and privacy issues in the wake of an explosion in users due to the COVID-19 pandemic.
Despite the criticisms, Zoom already had a good record in security, Chetner said.
“Encryption is not binary – there’s a perception that it was either encryption or no encryption,” he told Information Age.
“Zoom was always encrypted.
“This is around what the level of encryption is and what level of security is required by our customers,” he said.
“In this process we’ve been able to improve that encryption to a higher level, but then again we’ll be adding that end-to-end encryption opportunity very, very soon.”
Zoom has been the subject of a high level of scrutiny and criticism since its usage skyrocketed as a large share of the world’s workforce was forced to work from home, with a number of security issues and vulnerabilities identified.
Before the COVID-19 pandemic hit, Zoom had about 10 million daily participants, Chetner said.
In April this number jumped to 200 million and is now sitting at about 300 million.
“We didn’t plan for that,” he said. “The best thing about being a pure cloud service is that you are able to scale really quickly with the use of a global network.
“We also said at the start of the crisis that we wanted to do the right thing. One of the things we’ve been able to respond with is a lot of the user base security settings that we’re making far more explicit.”
The company has embarked on a 90-day plan to address many of these security issues, with a number of set milestones and commitments. While Zoom has previously been used primarily by large companies that have been able to conduct their own security testing, the onus for this has now fallen back on the company itself, Chetner said.
“Now a lot of that due diligence is removed,” he said. “We were reliant upon a lot of that support from our customers. A lot of the updates like configurations, default settings, waiting rooms and passwords were in the product already but not front and centre, which is critical when we have this adoption that is now social and consumer.
“If anything, this review allows us to look back and put in perspective what else we can do knowing what we know now, and to provide a safe and secure environment for our users.
“We’ve always been about offering an opportunity for people to stay connected and for businesses to stay operating. If we’ve been able to keep the world ticking over, then that’s a success.”
The recent acquisition of Keybase is a big step towards this goal, Chetner said.
“The Keybase acquisition really has the vision of providing the end-to-end encrypted meeting mode for all of our paid accounts,” Chetner said.
“The acquisition is really around bringing together some subject matter expertise and adding more firepower to our engineering team.”
Keybase co-founder Max Krohn will now lead Zoom’s security engineering team, reporting directly to the company’s CEO.
The company is now set to consult widely on its draft design for end-to-end encryption.
“We want to solicit public feedback for those who are interested and keen to understand what we’re doing,” Chetner said.