From the beginning of the COVID-19 pandemic, Zoom became an essential tool for coworkers and friends alike. As the platform exploded in popularity, questions about its security grew as well.
The company claimed to have end-to-end encryption, when in reality it did not. SecureWorld has previously covered this topic and other security concerns that came to light as the company became both a savior and a suspect in the race to remote work. These concerns include many examples of Zoom-bombing, consumer watchdog groups suing over privacy concerns, and the company apologizing for some U.S. and Canadian Zoom calls being routed through servers in China.
To address these concerns, Zoom has pivoted quickly, and many CISOs came to the company's defense. Now the company says it is ready to roll out true end-to-end encryption.
What does Zoom mean by "end to end encryption" this time?
Zoom says its end-to-end encryption (E2EE) will create one significant change to increase privacy and security:
"To be clear, Zoom's E2EE uses the same powerful GCM encryption you get now in a Zoom meeting. The only difference is where those encryption keys live.
In typical meetings, Zoom's cloud generates encryption keys and distributes them to meeting participants using Zoom apps as they join. With Zoom's E2EE, the meeting's host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants. Zoom's servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents."
Zoom CEO Eric Yuan says this leaves no doubt that your meetings are secure.
"This phase of our E2EE offering provides the same security as existing end-to-end-encrypted messaging platforms, but with the video quality and scale that has made Zoom the communications solution of choice for hundreds of millions of people and the world's largest enterprises."
Zoom will roll out E2EE during the third week of October 2020.
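The key arrangement Zoom describes above (the host generates the key, public key cryptography distributes it, the server only relays) can be sketched in Node.js as an added example; this is not Zoom's code or its actual protocol. The RSA-OAEP wrap, the frame layout and all function names are assumptions, since the announcement specifies only GCM and "public key cryptography".

```javascript
// Node's built-in crypto; this form loads under CommonJS and ES modules alike.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');
const OAEP = { oaepHash: 'sha256', padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING };

// Participant: the private key stays on the device; the host gets publicKey only.
function newParticipant() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Host: generate the meeting key locally, then wrap it once per participant.
// Only `wrapped` is handed to the server for delivery (assumed RSA-OAEP wrap).
function hostCreateMeeting(publicKeys) {
  const meetingKey = nodeCrypto.randomBytes(32);
  const wrapped = publicKeys.map((key) =>
    nodeCrypto.publicEncrypt({ key, ...OAEP }, meetingKey));
  return { meetingKey, wrapped };
}

// Participant: recover the meeting key. Throws for any other private key,
// which is also why the relaying server cannot open the wrap.
function unwrapMeetingKey(privateKey, wrappedKey) {
  return nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedKey);
}

// AES-256-GCM frame, laid out as nonce (12) || ciphertext || tag (16).
function sealFrame(meetingKey, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', meetingKey, nonce);
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// Throws if the key is wrong or any byte of the frame changed in transit.
function openFrame(meetingKey, frame) {
  if (frame.length < 28) throw new Error('truncated frame');
  const body = frame.subarray(12, frame.length - 16);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', meetingKey, frame.subarray(0, 12));
  d.setAuthTag(frame.subarray(frame.length - 16));
  return Buffer.concat([d.update(body), d.final()]);
}

// Constructed walk-through: one host, one participant, one frame.
function demo() {
  const guest = newParticipant();
  const { meetingKey, wrapped } = hostCreateMeeting([guest.publicKey]);
  const key = unwrapMeetingKey(guest.privateKey, wrapped[0]); // via the server
  return openFrame(key, sealFrame(meetingKey, 'frame 1')).toString();
}

console.log(demo()); // frame 1
```

In this sketch the server only ever handles `wrapped` and sealed frames, so it can neither recover the meeting key nor change a frame without the recipient's GCM check failing.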
How do you enable Zoom end to end encryption (E2EE)?
Many Zoom users will want to use E2EE, so it is important to know how to actually do so. How do I enable E2EE in Zoom?
"Hosts can enable the setting for E2EE at the account, group, and user level and can be locked at the account or group level. All participants must have the setting enabled to join an E2EE meeting. In Phase 1, all meeting participants must join from the Zoom desktop client, mobile app, or Zoom Rooms."
How can I tell if encryption (E2EE) is on in Zoom?
So how can you tell that end-to-end encryption is activated in your Zoom meeting? The company created a visual cue:
"Participants can look for a green shield logo in the upper left corner of their meeting screen with a padlock in the middle to indicate their meeting is using E2EE. It looks similar to our GCM encryption symbol, but the checkmark is replaced with a lock."
Does enabling encryption (E2EE) impact other features in Zoom?
"Enabling this version of Zoom's E2EE in your meetings disables certain features, including join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions."
Those are some key things to consider before enabling true end-to-end encryption.
The good news is that if you want E2EE, you can have it.
Both free and paid Zoom accounts joining from Zoom's desktop client, mobile app, or a Zoom Room, can host or join an E2EE meeting.
For more on Zoom, privacy, and remote work, check out this podcast episode with cyber attorney Michael Simon of XPAN Law Group.