Zoom recently announced a major security upgrade to its software, whose popularity surged during the pandemic: end-to-end encryption. The encryption, referred to as E2EE, gives control of scrambling sensitive data to individual users. Meeting organizers now have the authority to control secure data, whereas before that data was held on servers that allowed someone at Zoom, or potentially hackers, to see the information.
The E2EE option is available for users who opt in on any account level. Decentralizing the security of the data in this way is meant to increase Zoom users' confidence in their cyber security. Without this end-to-end encryption upgrade, company data sat out on a server without direct supervision of leadership. Now, the data is not vulnerable at all, according to Zoom.
Historically, Zoom meeting organizers would set up the meetings and let Zoom generate the encryption keys, which would then be distributed by the user. Those keys were being accessed by outside people who could then listen in on confidential meetings.
With E2EE, the meeting organizer generates the encryption key and uses public key cryptography to distribute the keys to participants. The host is able to read the key out loud, allowing participants to check their clients’ display and compare codes. Zoom's servers become “oblivious” to the encryption keys. The keys are unrecognizable by Zoom, since those keys are never actually held on any servers.
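A simplified sketch of the key distribution described above, added here as an illustration and not Zoom's code or protocol: the host wraps a meeting key to a participant's public key, the server relays only the wrapped blob, and both clients compare a code derived from the host's public key. The toy Diffie-Hellman group, the XOR wrap, the code format and all function names are assumptions chosen so it runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

# Constructed toy Diffie-Hellman group so this runs on the standard library;
# a real client would use X25519 and an AEAD cipher instead.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def wrap_keys(my_priv, their_pub):
    """Derive (encryption pad, MAC key) that only the two endpoints can compute."""
    shared = pow(their_pub, my_priv, P).to_bytes(32, "big")
    return (hashlib.sha256(b"enc" + shared).digest(),
            hashlib.sha256(b"mac" + shared).digest())

def seal(meeting_key, keys):
    """Wrap the 32-byte meeting key: one-time XOR pad plus an HMAC tag."""
    pad, mac_key = keys
    ct = bytes(a ^ b for a, b in zip(meeting_key, pad))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def unseal(blob, keys):
    pad, mac_key = keys
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed authentication")
    return bytes(a ^ b for a, b in zip(ct, pad))

def security_code(host_pub):
    """Hypothetical short code each client displays for the read-aloud check."""
    digest = hashlib.sha256(host_pub.to_bytes(32, "big")).hexdigest()
    return " ".join(digest[i:i + 5] for i in range(0, 20, 5))

def run_meeting(server_swaps_host_key=False):
    """Return (codes_match, participant_recovered_key) for one participant."""
    host_priv, host_pub = keypair()
    part_priv, part_pub = keypair()
    meeting_key = secrets.token_bytes(32)  # generated by the host, never sent in clear
    blob = seal(meeting_key, wrap_keys(host_priv, part_pub))  # all the server relays
    seen_pub = keypair()[1] if server_swaps_host_key else host_pub
    codes_match = security_code(host_pub) == security_code(seen_pub)
    try:
        recovered = unseal(blob, wrap_keys(part_priv, seen_pub))
    except ValueError:
        recovered = None
    return codes_match, recovered == meeting_key

if __name__ == "__main__":
    print(run_meeting(), run_meeting(server_swaps_host_key=True))
```

When the relaying server substitutes the host's public key, the displayed codes no longer match and the participant's client rejects the wrapped key, which is the condition the read-aloud comparison is meant to catch.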
With the introduction of E2EE, Zoom officials claim that even the best hackers in the world would find it nearly impossible to dial into the meetings. Zoom meetings have become the norm for high-level stakeholder discussions, journalists interviewing informants, civil rights meetings, etc. The opportunity for information leaks was very high before the end-to-end encryption. Zoom sees no reason why online meetings will decline, so this level of security was necessary.
Interference in high-level meetings came to be known as “Zoom Bombing,” where hackers could invade meetings, listen in, or disrupt them entirely. This became a tool for protesters to interrupt meetings of political or social organizations. E2EE is supposed to put an end to this, mainly because no one can enter the meeting without providing identifying information and being approved by the host.
The downside to maintaining the information outside of Zoom servers is that there is no longer the option for Zoom users to record meetings or offer private chats and breakout rooms. Also, this opens up opportunities for the software to be used for criminal activities. Because there is less access from the Zoom servers, law enforcement officials are coming up with innovative ways to try and work around the encryption.
End-to-end encryption is open to both free and paid users of Mac and PC desktop versions of Zoom 5.4.0, and the Android edition of the app, as well as Zoom Rooms. The company is framing the rollout as a “technical preview” or trial run in hopes of gathering immediate feedback from users. The company has stepped up its requests for reviews and surveys.
The next phase of E2EE will include a higher level of identity recognition and single sign-on. The additional security upgrade will increase collaboration as companies will feel more secure about allowing outside entities to join their meetings. There is still a risk of a security breach, such as a hacker stealing an identity and logging into a meeting with that identity to collect intelligence.
Zoom hopes that introducing this platform experience sends a clear message to constituents that it takes security seriously.
