Yesterday Zoom announced it will offer end-to-end encryption to all users. Encryption has been an ongoing issue for Zoom because, as I mentioned in earlier blog, Zoom video and computer audio meetings aren’t end-to-end encrypted as advertised and, as I mentioned in a subsequent blog, Zoom planned to roll out end-to-end encryption only for video calls of paying clients and institutions such as schools. The significance is that with end-to-end encryption, Zoom meetings can’t be accessed by Zoom employees for trust and safety reasons. To address the creation of abusive accounts, Zoom’s current solution is that users with free or basic accounts who want access to Zoom’s end-to-end encryption will have to provide information (such as a phone number via a text message) to verify their accounts. Furthermore, once available, end-to-end encryption will be an optional feature because it limits some meeting functionality (such as traditional PSTB phone lines or SIP/H 323 conference room systems). So end-to-end encryption is not going to be used in all situations. This result is significant because Zoom’s research and development team is located in China.
Late last April, the Department of Homeland Security reported that the Zoom application appears to be developed by 700 workers in China and that keys for encrypting and decrypting meetings are transmitted to servers in Beijing. DHS recommended that any organization currently using – or considering using – Zoom evaluate the risk of its use. Zoom told ABC news that it disagreed with the DHS analysis and said that DHS is heavily misinformed and that the report includes inaccuracies about Zoom’s operations. However, a recent Axios article reports that Zoom has about 700 engineers in China and several China-based subsidiaries and that having its research and development team in China helps Zoom cuts costs and, therefore, is a major driver of profit.
Earlier this month, according to the New York Times, at the request of the Chinese government, Zoom terminated meetings that were going to be hosted on Zoom to commemorate the Tiananmen Square crackdown and the accounts hosting the meetings. Zoom said these actions were necessary to comply with Chinese law. The Chinese government had informed Zoom about four separate Zoom gatherings: Zoom allowed the meeting of a U.S. company to proceed after determining it had no participants from mainland China and then briefly shut the account down, and Zoom ended the other three meetings and suspended the host accounts of two companies in the U.S. and one in Hong Kong. All four accounts subsequently were reactivated. To avoid shutting down accounts in the future and impacting anyone outside China, Zoom has said it will develop technology to block individual participants.
As the New York Times observed, Zoom’s dependence on China could make it increasingly vulnerable to the Communist Party’s censorship apparatus. Foreign companies allowed to operate in China must abide by strict rules that dictate what can be said, and they must provide data to an internet police force. After Zoom’s announcement yesterday, if a user of the free product doesn’t want to provide information to verify its account or if a user of the paid product wants to include phone lines or hardware conference room systems, then end-to-end encryption won’t be able to be used, and Zoom meetings still will be able to be accessed by Zoom employees. What if one of the research or development employees in China, for trust and safety reasons, joined your meeting to tackle abuse in real time? Would they have to report what they heard to the Chinese “internet police force”? Zoom’s offer of end-to-end encryption to free users is a good beginning, but it is just a beginning. As DHS said in its report, any organization currently using – or considering using – Zoom should evaluate the risk of its use.