By Joseph Menn
SAN FRANCISCO (Reuters) – Zoom (O:), the video conferencing provider whose business has boomed with the COVID-19 pandemic, plans to strengthen encryption on video calls made by paying clients and institutions like schools, but not for users of its popular free accounts, a company official said Friday.
The company previewed its intentions on a call with civil liberties groups and child-sex abuse fighters Thursday, and Zoom security consultant Alex Stamos confirmed the plans in an interview Friday.
Stamos said the plans were subject to change and it was not yet clear which if any nonprofits or other users, such as political dissidents, might qualify for accounts allowing for more secure video meetings. He said a combination of technological, safety and business factors went into the plan, which drew mixed reactions from privacy advocates.
Zoom has attracted millions of free and paying customers amid the pandemic in part because users could join a meeting – something that now happens 300 million times a day – without registering. But that has left more opportunities for troublemakers to slip into meetings, sometimes after pretending to be an invitee.
Electronic Frontier Foundation researcher Gennie Gebhart, who was on Thursday’s call, said she hoped Zoom would change course and offer protected video more widely. But American Civil Liberties Union technology fellow Jon Callas said the strategy seemed a reasonable compromise.
Safety experts and law enforcement have warned that sexual predators and other criminals are increasingly using encrypted communications to avoid detection.
“Those of us who are doing secure communication believe we need to do things about the real horrible stuff,” Callas said. “Charging money for end-to-end encryption is a way to get rid of the riff-raff.”
Zoom hired Stamos and other prominent experts after a series of security failures that led some institutions to ban its use. Last week Zoom released a technical paper on its encryption plans, without saying how widely they would reach.
“At the same time that Zoom is trying to improve security, they are also significantly upgrading their trust and safety,” said Stamos, a former chief security officer at Facebook (NASDAQ:).
“The CEO is looking at different arguments. The current plan is paid customers plus enterprise accounts where the company knows who they are,” he said.
Giving full encryption to every meeting would mean that Zoom’s trust and safety team would not be able to monitor what is happening or respond effectively to abuse in real time, Stamos said.
An end-to-end model, which means no one but the participants and their devices can see and hear what is happening, would also have to exclude people who call in from a phone line.
From a business perspective, it is hard to earn money when offering a sophisticated and expensive encryption service for free. Facebook is planning to fully encrypt Messenger, but it earns enormous sums from its other services.
Other encrypted communication providers either charge business users or act as nonprofits, like the makers of Signal.
Zoom is also dealing with a variety of regulators, including the U.S. Federal Trade Commission, which is looking into its previous claims about encryption that have been criticized as exaggerated or false, Stamos acknowledged. With the Justice Department and some members of Congress condemning strong encryption, a major expansion there by Zoom could draw unwanted new attention, privacy experts said.