Zoom says it will begin allowing users of its videoconferencing software to enable end-to-end encryption of calls starting with a beta next month, the company announced on Wednesday. The feature won’t be restricted to paid enterprise users, either. It’s coming to both free and paid users, Zoom says, and it will be a toggle switch that any call admin can turn on, or turn off in the event they want to allow traditional phone lines or older conference room phones to join.
The company said as recently as early June that it might not be able to enable end-to-end encryption for free users out of concern that the app could be used for unlawful activity. Strong encryption would make it difficult for the FBI and other law enforcement agencies to access the data on free calls.
Zoom says free users will need to verify a phone number to enable the security feature
“Zoom does not proactively monitor meeting content, and we do not share information with law enforcement except in circumstances like child sex abuse,” a company spokesperson said at the time, following comments from Zoom CEO Eric Yuan during a call with investors after the company’s quarterly earnings release. “We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity.”
Zoom has also been facing harsh criticism since the beginning of the COVID-19 pandemic for failing to beef up its security despite huge surges in user growth as Zoom and similar services became virtual hangout tools during lockdowns. In late March, Zoom admitted that while it uses standard web browser data encryption, it does not use industry-standard end-to-end encryption. The company has spent the time since improving its security and working on a new encryption solution.
Yet it appears the company has figured out a workaround. “To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message,” Zoom explains in its blog post. “Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”
Zoom says it will be using AES 256 GCM transport encryption as its default, which it describes as “one of the strongest encryption standards in use today.” It’s not clear when the feature will launch, but the beta is arriving in July and Zoom intends to have some level of permissions so account administrators can disable or enable it at the account or group level.