Zoom’s security nightmare just got worse after its recent announcement that end-to-end encryption would be for paid users only. But here’s the reality….
Let’s face it—there aren’t many people who haven’t used Zoom over the past few months during the COVID-19 crisis.
It’s no surprise that Zoom’s seen such a massive a surge in users, but with this rise, the video chat app has also become a target for Zoom bombers, privacy issues have come to the foreground, and security researchers have unveiled some pretty serious vulnerabilities.
During this time, Zoom has become a bit like marmite: You either love it as it’s a great feature-rich service that is clearly trying to improve under huge strain—or you hate it because you think its security faults are intentional and unfixable. “Zoom is malware,” some security industry experts say.
It’s fair to say this situation has been a nightmare for Zoom. It’s come under pressure to stop Zoom bombers—a recent incident saw a church’s bible class hijacked by uninvited guests sharing child pornography—and now people are seriously angry after CEO Eric Yuan confirmed on its earnings call that end-to-end encryption will be for paid users only.
At first, this sounds insane. Why make the gold standard of encryption—which means no one can access your meetings or chats, even Zoom or law enforcement—only available to those who pay? Why can people get this for free on Apple’s FaceTime, and Signal, but not on Zoom?
Delving deeper into Zoom’s end-to-end encryption decision
But actually, if you delve deeper, Zoom’s reasoning behind this is clearer. First, you lose a lot of functionality if you make Zoom end-to-end encrypted. There are no more dial ins to calls, so you can’t join by phone, and you also lose features like cloud recordings and streaming to YouTube.
Plus, remember that Zoom’s main competitors don’t have end-to-end encryption: Microsoft Teams, Blue Jeans, Google Meet, Cisco Webex (although Webex has e2e for some enterprise users too).
Then there’s the big issue—Zoom bombing. This affliction affects other services such as Houseparty, but none have become a target for this as much as Zoom. Zoom bombing incidents are also pretty high profile; they don’t make Zoom look good and law enforcement is often involved, especially when it comes to child exploitation.
The video conferencing service has tried to stop Zoom bombing through some major security upgrades and its “Report a User” feature, but allowing criminals such as those sharing abusive images to further hide on the platform is just not feasible.
“This creates a difficult balancing act for Zoom, which is trying to both improve the privacy guarantees it can provide while reducing the human impact of the abuse of its product.”
Here’s the reality
Another defender of Zoom’s decision to only offer end-to-end encryption to paid users is Ben Thompson, analyst and author of business blog Stratechery, which provides a good explanation of the Zoom earnings call comments. Yuan doesn’t want paid users to pay for end-to-end encryption; he thinks it should be available for everyone, but the platform’s functionality will also be killed by it. It’s a trade-off.
In fact, it seems that much of Zoom’s earnings call end-to-end encryption discussion has been misinterpreted as “Zoom wants to share your chats with the FBI.”
So here’s the reality: Zoom has a PR problem that began as security and privacy issues hit during lockdown and as it tries to pick up the pieces, it’s in danger of getting stuck in a nightmare it can’t escape.
So after a brief stay, the end-to-end encryption debate has brought out the Zoom haters once again. How Zoom reacts now is crucial—the firm needs to be clearer in explaining what it’s doing and why, or people’s trust will be eroded even more.
Update June 9 at 11:30pm PT
In response to this article, Zoom sent me a statement which reads:
“Zoom has engaged with child safety advocates, civil liberties organizations, encryption experts, and law enforcement to incorporate their feedback into our plan. Finding the perfect balance is challenging. We always strive to do the right thing.”
Miriam hands over the topics our writers work on and assures completeness and quality of submissions from Security Forward’s operations perspective.