Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Zoom Not Offering End-to-End Encryption to Free Users to Help Law Enforcement

Zoom’s chief executive revealed on Tuesday that free users will not be offered end-to-end encryption as the company wants to assist the FBI and local law enforcement in their investigations.

Zoom’s chief executive revealed on Tuesday that free users will not be offered end-to-end encryption as the company wants to assist the FBI and local law enforcement in their investigations.

Zoom’s popularity has increased significantly since the start of the COVID-19 pandemic due to many people being forced to work and study from home. This popularity has also attracted the attention of privacy and security experts, who have identified some serious issues in the video conferencing service, as well as the attention of bad actors who have started abusing the platform.

Zoom has promised to take action and it has already started implementing measures that would help it address security and privacy concerns.

One of these measures is related to end-to-end encryption. Zoom does encrypt communications between clients and its servers, but it currently does not offer true end-to-end encryption, which would prevent even the company itself from gaining access to the content of customers’ communications.Zoom end-to-end encryption

Last month, the company published a detailed draft of the cryptographic design it plans on using for its upcoming end-to-end encryption feature, which it said would be offered to paying customers and schools.

During a conference call following the release of financial results for the first quarter of fiscal year 2021, Zoom CEO Eric Yuan told investors that they do not want to offer this kind of protection to free users, which are more likely to abuse the platform, as the company wants to work with the FBI and local law enforcement if people use Zoom for “bad purposes.”

In a long thread on Twitter, Alex Stamos, who was hired by Zoom as an outside advisor on cybersecurity, shared some details on the company’s plans for end-to-end encryption, which he says “are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues.”

Stamos, who in the past worked as CSO at Yahoo and Facebook, said Zoom does not proactively monitor meeting content and it does not plan on doing so in the future. He says the vast majority of abuse comes from people who use Zoom for free and the company plans on taking measures that would “create friction and reduce harm.”

Stamos pointed out that if end-to-end encryption is enabled, Zoom’s Trust and Safety team will not be able to enter a meeting they believe to be abusive — this is now possible without end-to-end encryption — and there will be no backdoor to facilitate such access. Stamos also noted that some meeting features are also incompatible with end-to-end encryption. This is why end-to-end encryption will be opt-in “for the foreseeable future.”

“So we have to design the system to securely allow hosts to opt-into an E2E meeting and to carefully communicate the current security guarantees to hosts and attendees,” Stamos said.

Zoom’s revenue for the first quarter was $328 million and the company expects to generate up to $1.8 billion this fiscal year, with an estimated profit of up to $380 million.

Related: Trojanized Zoom Apps Target Remote Workers

Related: Zoom Agrees to Step Up Security After New York Probe

Related: Zoom Credentials Database Available on Dark Web

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

M&A Tracker

The SecurityWeek editorial team huddled over the holidays to look back at the stories that shaped 2022 and, more importantly, to stare into a...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Funding/M&A

More than 450 cybersecurity-related mergers and acquisitions were announced in 2022, according to an analysis conducted by SecurityWeek