By Joseph Menn
SAN FRANCISCO (Reuters) – Video conferencing provider Zoom <ZM.O> plans to strengthen encryption of video calls hosted by paying clients and institutions such as schools, but not by users of its free consumer accounts, a company official said on Friday.
The company, whose business has boomed with the coronavirus pandemic, discussed the move on a call with civil liberties groups and child-sex abuse fighters on Thursday, and Zoom security consultant Alex Stamos confirmed it on Friday.
In an interview, Stamos said the plan was subject to change and it was not yet clear which, if any, nonprofits or other users, such as political dissidents, might qualify for accounts allowing more secure video meetings.
He added that a combination of technological, safety and business factors went into the plan, which drew mixed reactions from privacy advocates.
Zoom has attracted millions of free and paying customers amid the pandemic, in part because users could join a meeting – something that now happens 300 million times a day – without registering.
But that has allowed opportunities for troublemakers to slip into meetings, sometimes after pretending to be invitees.
Gennie Gebhart, a researcher with the Electronic Frontier Foundation who was on Thursday’s call, said she hoped Zoom would change course and offer protected video more widely.
But Jon Callas, a technology fellow of the American Civil Liberties Union, said the strategy seemed a reasonable compromise.
Safety experts and law enforcement have warned that sexual predators and other criminals are increasingly using encrypted communications to avoid detection.
“Those of us who are doing secure communication believe we need to do things about the real horrible stuff,” said Callas, who previously sold paid encryption services.
“Charging money for end-to-end encryption is a way to get rid of the riff-raff.”
Zoom hired Stamos and other experts after a series of security failures led some institutions to ban its use. Last week Zoom released a technical paper on its encryption plans, without saying how widely they would reach.
“At the same time that Zoom is trying to improve security, they are also significantly upgrading their trust and safety,” said Stamos, a former chief security officer at Facebook.
“The CEO is looking at different arguments. The current plan is paid customers plus enterprise accounts where the company knows who they are.”
Full encryption for every meeting would leave Zoom’s trust and safety team unable to add itself as a participant in gatherings to tackle abuse in real time, Stamos added.
An end-to-end model, which means no one but the participants and their devices can see and hear what is happening, would also have to exclude people who call in from a telephone line.
From a business perspective, it is hard to earn money when offering a sophisticated and expensive encryption service for free. Facebook is planning to fully encrypt Messenger, but it earns enormous sums from its other services.
Other providers of encrypted communication either charge business users or act as nonprofits, such as the makers of Signal.
Zoom is also dealing with regulators such as the U.S. Federal Trade Commission, which is looking into its previous claims about encryption that have been criticized as exaggerated or false, said Stamos and another person familiar with the matter.
With the Justice Department and some members of Congress condemning strong encryption, Zoom could draw unwanted new attention through a major expansion in that area, privacy experts said.
(Reporting by Joseph Menn; Editing by Leslie Adler and Clarence Fernandez)