To work together with law enforcement, Zoom won’t provide end-to-end encryption for free users
Zoom CEO Eric Yuan has admitted that he won’t provide end-to-end encryption to free users in favor of being able to work with law enforcement. It has previously been discussed in Zoom’s announced move towards privacy and security that true end-to-end encryption would only be available for paid customers; however, at the time tech pundits hoped that Zoom’s move was merely for tier differentiation. Reuters reported as recently as last week that end-to-end encryption would only be available for paying business and enterprise users. Now, from the horse’s mouth itself, we see what Zoom’s real priorities are. On their Q1 earnings call, Zoom CEO Eric Yuan commented:
“We want to give [end-to-end encryption] to at least the enterprise customer or business customer. Free users, for sure, we don’t want to give that. Because we also want to work together, say, with FBI, with local law enforcement in case some people that use Zoom for a bad purpose, right?”
Zoom only plans to offer end-to-end encryption for users it can identify
While it is true that any company providing communications services might end up needing to work with law enforcement at some point, history and established laws have shown that it is perfectly fine to inform law enforcement that end-to-end encryption means they won’t be able to see the contents of a video call, iMessage, or other digital communication. That’s how encryption is supposed to work. Instead, Zoom is planning to only offer end-to-end encryption to paying customers who can be identified – perhaps as a way to pass on potential liability in case a paying customer uses Zoom for a bad purpose.
A Zoom spokesperson told CNBC via email on Wednesday:
“Zoom’s end-to-end encryption plan balances the privacy of its users with the safety of vulnerable groups, including children and potential victims of hate crimes. We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity.”
A security consultant with Zoom clarified more on what led Zoom to this decision in a Twitter thread – saying that to offer end-to-end encryption, Zoom has to make such sacrifices. He noted that schools on a free (comped) plan would have e2e encryption.
Some facts on Zoom's current plans for E2E encryption, which are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues.
The E2E design is available here:https://t.co/beLdeAwMSM
— Alex Stamos (@alexstamos) June 3, 2020
Zoom also said in a statement reported by Vox:
“Zoom does not proactively monitor meeting content, and we do not share information with law enforcement except in circumstances like child sex abuse. We do not have backdoors where participants can enter meetings without being visible to others.”
Zoom’s wild ride on end-to-end encryption reveals company’s stance on privacy
Zoom’s plan to only offer end-to-end encryption to people that it can identify is a hard stance in the wrong direction. In the last few months we have seen Zoom pivot 180 degrees from claiming to offer end-to-end encryption for all of its users to discovering that in reality no users were covered under end-to-end encryption to finally a point where end-to-end encryption won’t be available to the largest subset of Zoom users because Zoom would rather preemptively stay available to work with law enforcement. Remember that the government is seeking to legislatively mandate backdoors in end-to-end encryption offered by companies under the same smoke cover of “protect the children” – now we see that some companies are preemptively giving in. Given all this news, it’s not hard to imagine that Zoom isn’t going to require a warrant before handing over information to law enforcement for its free users because there’s no identity tied to it. Zoom talks a big talk about privacy and security but their actions speak louder than words and there seems to be a systemic misunderstanding – from the top down – of what privacy means and who most people seek privacy from.