- Video conferencing platform Zoom made end-to-end encryption (E2EE) available globally to paying and free Zoom users this week. Zoom is accepting user feedback on the feature for 30 days.
- "When users enable E2EE for their meetings, nobody except each participant — not even Zoom’s meeting servers — has access to the encryption keys that are used to encrypt the meeting," according to the announcement.
- To enable E2EE, meeting hosts generate encryption keys to distribute among up to 200 participants using public key cryptography. Zoom's cloud meeting servers "become oblivious relays and never see the encryption keys," the company said.
Zoom's security and privacy came under fire in March as the platform experienced widespread enterprise and consumer adoption. It began catering to two very different user bases and left a poor impression on potential customers, even though its competitors used similar technologies.
In the months since, Zoom agreed to implement further security guardrails, with the expectation of regular code inspection, and to give hosts default access controls for privacy reasons. While Zoom absorbed most of the criticism for collecting meeting transcripts, other video platforms, including Cisco, Microsoft Teams and Google Hangouts, were all noted to do some degree of transcript retention, according to an evaluation by Consumer Reports.
In consultation with civil liberty engineers, a newly minted CISO council, and other privacy and security advocates, Zoom enabled E2EE "as an advanced add-on feature" for paying and non-paying customers.
The snowball effect of the last several months of remote work has resulted in organizations taking more steps to vet collaboration and communication platforms.
"These are not the kinds of tools we focus a whole lot on before," said Bryan Ware, assistant director at the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), while speaking on a virtual panel last month.
Tools that are well over a decade old were not a security priority for CISA. The agency is now more engaged with teleworking vendors and products to address risks and controls. "I think we'll be looking for new solutions for mid- and long-term to enable us" to be more secure and more confident in teleworking over time, he said.
Eventually, Ware wants to provide organizations with documentation of CVEs and the specific controls that are available (such as E2EE). The agency last issued interim guidance for teleworking tools in April.