Zoom Defends Why Users On Free Tier Won’t Have Encrypted Video Meetings
By Mikelle Leow, 04 Jun 2020
Zoom’s CEO Eric Yuan has confirmed that free, limited accounts will not enjoy end-to-end encryption for video calls, a decision that has left users with a bitter taste in their mouths.
At the financial performance announcement for the video conferencing software, Yuan justified the decision: “Free users, for sure, we don’t want to give [end-to-end encryption]… we also want to work it together with FBI and local law enforcement, in case some people use Zoom for bad purpose.” The statement left customers agape as some felt the company was pandering to authorities.
Alex Stamos, Zoom’s security consultant, later swooped in to say that the CEO’s comments were not accurate. On Twitter, he explained that the company is “dealing with some serious safety issues” and is handling a “difficult balancing act” of strengthening privacy measures while weeding out abusive disruptions like “hate speech, CSAM, exposure to children and other illegal behaviors.”
Stamos elaborated that malicious hosts would typically use VPNs to spoof their locations and register using burner email addresses. By taking away end-to-end encryption from the basic tier, Zoom can cooperate with law enforcement to take action on “the worst repeat offenders.”
“Will this eliminate all abuse? No, but since the vast majority of harm comes from self-service users with fake identities, this will create friction and reduce harm,” the security expert elaborated.
Stamos stressed that end-to-end encryption is still available for business and enterprise accounts—including those with fully-subsidized subscriptions like schools—but not for the “limited, self-service free tier.”
Notably, he said Zoom does not monitor meetings in secret and “will not in the future.”
“Zoom doesn’t record meetings silently. Neither of these will change,” he added.
Some facts on Zoom's current plans for E2E encryption, which are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues.
— Alex Stamos (@alexstamos) June 3, 2020
The E2E design is available here: https://t.co/beLdeAwMSM
Zoom does not proactively monitor content in meetings and will not in the future. Zoom doesn't record meetings silently. Neither of these will change.
— Alex Stamos (@alexstamos) June 3, 2020
Our goal is to offer an end-to-end encryption solution that provides a stronger guarantee.
Zoom is dealing with some serious safety issues. When people disrupt meetings (sometimes with hate speech, CSAM, exposure to children and other illegal behaviors) that can be reported by the host. Zoom is working with law enforcement on the worst repeat offenders.
— Alex Stamos (@alexstamos) June 3, 2020
Zoom's Trust and Safety team can, if they have a strong belief that the meeting is abusive, enter the meeting visibly and report it if necessary.
— Alex Stamos (@alexstamos) June 3, 2020
So this creates a difficult balancing act for Zoom, which is trying to both improve the privacy guarantees it can provide while reducing the human impact of the abuse of its product.
— Alex Stamos (@alexstamos) June 3, 2020
The current decision by Zoom's management is to offer E2EE to the business and enterprise tiers and not to the limited, self-service free tier.
— Alex Stamos (@alexstamos) June 3, 2020
A key point: organizations that are on a business plan but are not paying due to a Zoom offer (like schools) will also have E2EE.
This is a hard balance. Zoom has been actively seeking input from civil liberties groups, academics, child safety advocates and law enforcement. Zoom hopes to find a common ground between these equities that does the most good for the most people.
— Alex Stamos (@alexstamos) June 3, 2020
[via Engadget, cover image via Shutterstock]