“We have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform,” Zoom CEO Eric Yuan said in a blog post.
“With all of the dissidents and all the people using Zoom now, I think [offering end-to-end encryption only to paid users] is a mistake,” said Bruce Schneier, a cybersecurity expert and a fellow at Harvard University’s Berkman Center for Internet and Society. “I want them to have other features as profit centers, not safety and security.”
As Zoom rolls out the feature, free users will be asked for additional information to verify their accounts, such as a phone number (users can currently sign up with just an email address) to “reduce the mass creation of abusive accounts,” Yuan said.
End-to-end encryption will also be an optional feature that Zoom users must enable, because it can limit some features, including the ability to dial in through a phone or record meetings.
Encrypting large video conferences is also a bigger challenge than encrypting text messages or smaller conversations, which services like WhatsApp and Signal already offer. With a one-to-one connection, the message or call data is secured on the sender’s device, and only the receiver’s device has the key to decrypt it once it arrives.
Put simply, the more pairs of connections or “ends” there are to encrypt, the more data you need to secure, and even the free version of Zoom can accommodate up to 100 participants per meeting.
“If you think about what Zoom is doing, they are collecting all the videos, all the voices, putting it together, displaying them nicely. If that stuff is being done in the center, they have to do work on it,” said Schneier. “It does get harder exponentially as the size of the meeting grows.”
However, it’s not an insurmountable task, and could be well worth it to restore the trust of Zoom’s users after a series of privacy and security slip-ups.
“It’s hard but it’s not go-to-the-moon hard,” Schneier said. “It’s you-just-gotta-do-it hard.”