After weeks of criticism over its inflated encryption claims, videoconferencing platform Zoom announced in early April that it would develop full end-to-end encryption for video and audio calls made through the service. At the end of May, though, the company said that this protection would only be available to paying customers—free accounts would be out of luck. But on Wednesday, the company walked this tiered system back, pledging to provide end-to-end encryption to any user.
Zoom said a preliminary beta of its end-to-end encryption feature would begin in July. The protection will be off by default, and hosts will have the option to enable it every time they create a meeting. Corporate administrators will be able to enable or disable the feature for an entire institution or groups of users. It’s opt-in, Zoom says, because end-to-end encryption won’t be compatible with all conferencing equipment or participants joining from regular phones. Crucially, to enable end-to-end encryption, free users will need to submit and verify an identifying piece of data, like a phone number. Paying users will have already entered identifying info through their sign-up process.
“Today, Zoom released an updated E2EE design on GitHub. We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform,” Zoom CEO Eric Yuan wrote in a blog post. “This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe—free and paid—while maintaining the ability to prevent and fight abuse on our platform.”
“I wish they had done it in the first place, but better late than never.” (Seny Kamara, Brown University)
When two or more devices communicate over the internet, end-to-end encryption allows data to move back and forth between them in a form that is indecipherable to anyone other than the participants. This protects the data from potential eavesdroppers like governments, internet service providers, or communication platforms themselves. Access to end-to-end encryption has emerged as a human rights issue, but governments have increasingly moved to limit deployment of true end-to-end encryption, because they say it hinders law enforcement efforts.
In promising to add end-to-end encryption, Zoom waded into this debate. And the company seemed wary of the stakes in its initial statements on the subject. Yuan said in a company earnings call that Zoom wouldn’t extend end-to-end encryption to free users, “because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose.”
A company spokesperson added on June 3 that “Zoom has engaged with child safety advocates, civil liberties organizations, encryption experts, and law enforcement to incorporate their feedback into our plan. Finding the perfect balance is challenging.”
Zoom claimed at the time that the big limitation was its inability to identify free users. “Free users sign up with an email address, which does not provide enough information to verify identity,” the same spokesperson said. But on Wednesday, Zoom seemed to have solved the conundrum by requiring unpaid accounts to submit a phone number or other identifier before using end-to-end encryption.
After Facebook announced that it would expand end-to-end encryption from its WhatsApp messaging platform to all of its chat apps, including Messenger and Instagram messaging, the company started dealing with intense pressure from the United States Department of Justice about the degree to which this might impede investigations into child sexual abuse and other crimes committed on the platforms. And the Justice Department has become increasingly anti-encryption overall in recent years, calling for tech companies to create so-called backdoors for law enforcement access. Now Zoom may end up in the crosshairs.
“This is a big victory for grassroots activists who fought hard to make sure that Zoom offers strong encryption to everyone, not just to their corporate clients and those who can pay,” says Evan Greer, deputy director of the digital rights organization Fight for the Future. “End-to-end encryption is one of the most important technologies keeping people safe online, and it’s essential for basic human rights. Companies should stand up for their users’ rights by refusing to enter into partnerships or build backdoors for law enforcement agencies.”