The Zoom videoconferencing platform has announced that starting next week it will begin rolling out long-awaited end-to-end encryption (E2EE) to users. The feature will be released as a technical preview, with the company proactively seeking the feedback of its userbase over the first 30 days after the launch.
“We’re pleased to roll out Phase 1 of 4 of our E2EE offering, which provides robust protections to help prevent the interception of decryption keys that could be used to monitor meeting content,” said the company when announcing the new feature. “End-to-end encryption is another stride toward making Zoom the most secure communications platform in the world ... This phase of our E2EE offering provides the same security as existing end-to-end-encrypted messaging platforms, but with the video quality and scale that has made Zoom the communications solution of choice for hundreds of millions of people and the world’s largest enterprises,” Zoom CEO Eric S. Yuan was quoted as saying.
Zoom first shared its plans to launch end-to-end encryption in May, however, the news was met with mixed reactions due to the feature being announced for paying customers only. The company amended its decision in June and said that it would release the feature to all users.
The new E2EE feature is built on the same Galois/Counter Mode (GCM) encryption Zoom already uses to encrypt all its meetings, with the key difference being in how the encryption keys are distributed and stored. “In typical meetings, Zoom’s cloud generates encryption keys and distributes them to meeting participants using Zoom apps as they join. With Zoom’s E2EE, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants. Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents,” the company explained.
RELATED READING: Zoom security: Getting the settings right
The E2EE feature can be enabled across Zoom’s videoconferencing services – i.e. its desktop client, mobile apps, or Zoom room – and can host up to 200 participants in E2EE meetings. However, Zoom warns that once E2EE is enabled, use of other features will be restricted, including join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions.
To start using E2E encryption, users will have to activate it in their account settings and then opt-in on a meeting-to-meeting basis – meaning that all participants will have to have the setting enabled if they want to join an E2EE meeting. Non-paying users who’d like to gain access to E2E encryption will have to go through a one-time verification process that will require them to provide additional information such as their phone numbers.
A green shield logo with a padlock will appear in the upper left corner of the client to alert the users that the feature has been turned on. Additionally, to confirm the security of the connection, the host’s code will be displayed in the participants' clients; the host can then read it out aloud and the meeting attendees can check whether the codes match.
The platform also expects to release better identity management and E2EE single-sign-on integration during Phase 2 of its E2EE offering with the release date “tentatively” set for 2021.
This is just the latest security and privacy feature to be launched as part of Zoom’s effort to mitigate concerns after its privacy and security shortcomings came to light amid the platform’s rise to stardom largely occasioned by the recent shift to remote work. Last month, the company rolled out support for two-factor authentication across its web, desktop, and mobile applications.