Zoom to reinforce encryption of video calls for paid clients and schools

Zoom plans to reinforce encryption of video calls hosted by paying clients and institutions like schools, but not by users of its free consumer accounts, a company official told on Friday.

The company, whose business has roared with the coronavirus pandemic, discussed the move on a call with civil liberties groups and child-sex abuse fighters on Thursday, and Zoom security consultant Alex Stamos confirmed about the same on Friday.

Stamos said in an interview, the plan was subject to change and it was not yet clear which, nonprofits or other users, such as political dissidents, might be eligible for accounts allowing more secure video meetings.

He added that a combination of technological, safety and business factors are considered into the plan, which got mixed reactions from privacy advocates.

During the pandemic, Zoom has attracted millions of free and paying customers in part because users could join a meeting – nowadays, this happens 300 million times a day – even without getting registered. But troublemakers are getting opportunities to slip into meetings, sometimes pretending to be invitees.

Gennie Gebhart, a researcher with the Electronic Frontier Foundation, said she hoped Zoom would change course and offer protected video more widely. But Jon Callas, a technology fellow of the American Civil Liberties Union, said the strategy seemed a reasonable compromise. Safety experts and law enforcement have warned that sexual predators and other criminals are progressively using encrypted communications to avoid detection.

"Those of us who are doing secure communication believe we need to do things about the real horrible stuff," said Callas, who earlier sold paid encryption services.

"Charging money for end-to-end encryption is a way to get rid of the riff-raff," including spammers and other malicious users who misuse free services.

After a series of security failures led some institutions to ban its use, Zoom hired Stamos and other experts. Last week Zoom released a technical paper on its encryption plans, without mentioning how widely they would reach.

"At the same time that Zoom is trying to improve security, they are also significantly upgrading their trust and safety," said Stamos, a former chief security officer at Facebook. "The CEO is looking at different arguments. The current plan is paid customers plus enterprise accounts where the company knows who they are."

Full encryption for every meeting would leave Zoom's trust and safety team unable to add itself as a participant in gatherings to tackle abuse in real time, Stamos said.

An end-to-end model, which means no one but the participants and their devices can see and hear what is happening, would also have to exclude people who call in from a telephone line.

From a business perspective, it is hard to earn money when offering a sophisticated and expensive encryption service for free. Facebook is planning to encrypt Messenger fully, but it receives enormous sums from its other services.

Other providers of encrypted communication either charge business users or act as nonprofits, such as the makers of Signal.

Zoom is also dealing with regulators such as the US Federal Trade Commission, which is looking into its previous claims about encryption that have been criticized as exaggerated or false, said Stamos and another person familiar with the matter.

With the Justice Department and some members of Congress condemning secure encryption, Zoom could draw unwanted new attention through a significant expansion in that area, privacy experts said. An outside spokesman for Zoom, Nate Johnson, said its encryption was "a work in progress," including the engineering design and "which customers it would apply to."