Zoom is gaining end-to-end encryption following acquisition of Keybase
As part of its 90-day security focus, Zoom has announced that it has acquired Keybase, an app that features end-to-end encryption to secure chats and file sharing. The Keybase team will help to bring the same security to Zoom.
The lack of end-to-end encryption has been one of the many criticisms of Zoom in recent months, and the company is keen to address this. However, Zoom says that it will only be bringing an end-to-end encrypted meeting mode to paid accounts and points out that this "privacy over compatibility" option will mean missing out on some features.
Although the recent release of Zoom 5.0 did improve encryption, it was still not the secure end-to-end encryption that so many users have been asking for. The problem with the current method of encryption is that, while it uses the industry-standard AES-GCM with 256-bit keys, some encryption keys are stored in the cloud to allow for interoperability with other systems.
When end-to-end encryption arrives, meetings that use it will not support phone bridges, cloud recording or non-Zoom conference room systems. Zoom has the bold ambition of creating an "equivalent or better security than existing consumer end-to-end encrypted messaging platforms". A detailed draft cryptographic design is due to be published on Friday, May 22.
In a statement about the acquisition, Zoom's Eric S Yuan says: "We are proud to announce the acquisition of Keybase, another milestone in Zoom’s 90-day plan to further strengthen the security of our video communications platform. Since its launch in 2014, Keybase's team of exceptional engineers has built a secure messaging and file-sharing service leveraging their deep encryption and security expertise. We are excited to integrate Keybase's team into the Zoom family to help us build end-to-end encryption that can reach current Zoom scalability".
He adds:
"This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom's wide variety of uses. Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform. Keybase's experienced team will be a critical part of this mission."
In a separate blog post, Keybase explains what it will be doing:
"Initially, our single top priority is helping to make Zoom even more secure. There are no specific plans for the Keybase app yet. Ultimately Keybase's future is in Zoom's hands, and we'll see where that takes us. Of course, if anything changes about Keybase’s availability, our users will get plenty of notice.
"So, our shortest-term directive is to significantly improve our security effectiveness, by working on a product that's that much bigger than Keybase. We can't be more specific than that, because we're just diving in."
Zoom is also taking various steps in relation to user privacy. The company explains:
- We will continue to work with users to enhance the reporting mechanisms available to meeting hosts to report unwanted and disruptive attendees.
- Zoom does not and will not proactively monitor meeting contents, but our trust and safety team will continue to use automated tools to look for evidence of abusive users based upon other available data.
- Zoom has not and will not build a mechanism to decrypt live meetings for lawful intercept purposes.
- We also do not have a means to insert our employees or others into meetings without being reflected in the participant list. We will not build any cryptographic backdoors to allow for the secret monitoring of meetings.