Zoom Not Offering End-to-End Encryption to Free Users to Help Law Enforcement

Zoom’s chief executive revealed on Tuesday that free users will not be offered end-to-end encryption as the company wants to assist the FBI and local law enforcement in their investigations.

Zoom’s popularity has increased significantly since the start of the COVID-19 pandemic due to many people being forced to work and study from home. This popularity has also attracted the attention of privacy and security experts, who have identified some serious issues in the video conferencing service, as well as the attention of bad actors who have started abusing the platform.

Zoom has promised to take action and it has already started implementing measures that would help it address security and privacy concerns.

One of these measures is related to end-to-end encryption. Zoom does encrypt communications between clients and its servers, but it currently does not offer true end-to-end encryption, which would prevent even the company itself from gaining access to the content of customers’ communications.

Last month, the company published a detailed draft of the cryptographic design it plans on using for its upcoming end-to-end encryption feature, which it said would be offered to paying customers and schools.

During a conference call following the release of financial results for the first quarter of fiscal year 2021, Zoom CEO Eric Yuan told investors that the company does not want to offer this kind of protection to free users, who are more likely to abuse the platform, as it wants to work with the FBI and local law enforcement if people use Zoom for “bad purposes.”

In a long thread on Twitter, Alex Stamos, who was hired by Zoom as an outside advisor on cybersecurity, shared some details on the company’s plans for end-to-end encryption, which he says “are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues.”

Stamos, who in the past worked as CSO at Yahoo and Facebook, said Zoom does not proactively monitor meeting content and it does not plan on doing so in the future. He says the vast majority of abuse comes from people who use Zoom for free and the company plans on taking measures that would “create friction and reduce harm.”

Stamos pointed out that if end-to-end encryption is enabled, Zoom’s Trust and Safety team will not be able to enter a meeting they believe to be abusive — this is currently possible without end-to-end encryption — and there will be no backdoor to facilitate such access. Stamos also noted that some meeting features are incompatible with end-to-end encryption. This is why end-to-end encryption will be opt-in “for the foreseeable future.”

“So we have to design the system to securely allow hosts to opt-into an E2E meeting and to carefully communicate the current security guarantees to hosts and attendees,” Stamos said.
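The difference between the transport encryption Zoom offers today and true end-to-end encryption, and why the latter also locks out the provider’s own Trust and Safety staff, comes down to who holds the keys. The following added example (not Zoom’s design or code; the names, the two relay classes and the 64-byte keys are assumptions for illustration) models both arrangements with a toy XOR one-time pad standing in for a real cipher. In the transport-only model the relay server holds each client’s session key, so it necessarily sees plaintext while re-encrypting for the recipient; in the end-to-end model the meeting key is shared only between the participants and the relay only ever sees ciphertext.

```python
import secrets

# Toy stand-in for a real cipher: XOR with a key at least as long as the
# message. It is used only to make visible who can decrypt; it is not a
# secure construction for reused keys.
def xor_bytes(data: bytes, key: bytes) -> bytes:
    assert len(key) >= len(data), "toy pad must cover the whole message"
    return bytes(a ^ b for a, b in zip(data, key))


class TransportOnlyRelay:
    """Client<->server encryption only: the server holds every session key,
    so relaying a message means decrypting it and re-encrypting it."""

    def __init__(self) -> None:
        self.session_keys: dict[str, bytes] = {}
        self.observed: list[bytes] = []  # what the operator could log or inspect

    def register(self, client_id: str, key: bytes) -> None:
        self.session_keys[client_id] = key

    def relay(self, sender: str, recipient: str, ciphertext: bytes) -> bytes:
        plaintext = xor_bytes(ciphertext, self.session_keys[sender])
        self.observed.append(plaintext)           # the server sees content here
        return xor_bytes(plaintext, self.session_keys[recipient])


class EndToEndRelay:
    """End-to-end encryption: the server never receives a content key and can
    only forward bytes it cannot read (same limitation for its staff)."""

    def __init__(self) -> None:
        self.observed: list[bytes] = []

    def relay(self, sender: str, recipient: str, ciphertext: bytes) -> bytes:
        self.observed.append(ciphertext)          # ciphertext only
        return ciphertext


def demo_transport_only(message: bytes) -> tuple[bytes, bool]:
    """Returns (what the recipient reads, whether the relay saw the plaintext)."""
    relay = TransportOnlyRelay()
    alice_key = secrets.token_bytes(64)   # assumed per-client session keys
    bob_key = secrets.token_bytes(64)
    relay.register("alice", alice_key)
    relay.register("bob", bob_key)
    delivered = relay.relay("alice", "bob", xor_bytes(message, alice_key))
    return xor_bytes(delivered, bob_key), message in relay.observed


def demo_end_to_end(message: bytes) -> tuple[bytes, bool]:
    """Same call pattern, but the meeting key lives only on the two clients."""
    relay = EndToEndRelay()
    meeting_key = secrets.token_bytes(64)  # never handed to the relay
    delivered = relay.relay("alice", "bob", xor_bytes(message, meeting_key))
    return xor_bytes(delivered, meeting_key), message in relay.observed


if __name__ == "__main__":
    sample = b"constructed sample message"  # constructed input
    print("transport-only:", demo_transport_only(sample))
    print("end-to-end:    ", demo_end_to_end(sample))
```

Both runs deliver the message intact to the recipient; only the second argument of each result differs, which is exactly the property the article is describing: in the end-to-end model the provider cannot read content, and therefore cannot hand it to anyone else either, which is why the feature has to be opt-in and clearly communicated to hosts and attendees rather than silently toggled.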

Zoom’s revenue for the first quarter was $328 million and the company expects to generate up to $1.8 billion this fiscal year, with an estimated profit of up to $380 million.

Related: Trojanized Zoom Apps Target Remote Workers

Related: Zoom Agrees to Step Up Security After New York Probe

Related: Zoom Credentials Database Available on Dark Web

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.