
Zoom finally delivers end-to-end encryption for all users - but not all of the time


Zoom has finally rolled out end-to-end encryption (E2EE) for both free and paid users worldwide, delivering on a promise made at the start of the pandemic.

In a system protected by E2EE, communication between meeting participants is encrypted using cryptographic keys held only on users’ devices. This means no third party, Zoom included, has access to the keys to decrypt private meeting data.

The company originally stated that end-to-end encryption would be reserved for paying customers only, but executed a swift U-turn after facing a backlash from users.

The feature is available immediately to all Zoom users in technical preview (meaning the firm is actively soliciting feedback) on client version 5.4.0 for Windows and Mac, Zoom for Android and Zoom Rooms. The service will also soon appear on Zoom for iOS, once the updated app has been greenlit by Apple.

Zoom end-to-end encryption

In April, Zoom found itself in hot water when it emerged that claims its meeting participants were protected by full end-to-end encryption were unfounded. Instead, researchers discovered the service deployed a lesser form of encryption using the Transport Layer Security (TLS) protocol.

The company was forced to make a public apology and pledged to spend the following three months focused solely on improving the security of its platform. During this period, Zoom acquired secure messaging and file-sharing service Keybase, whose team was brought on board to develop full E2EE for the video conferencing service.

The arrival of end-to-end encryption for all users, then, finally makes good on a promise made more than six months ago.

“We’re very proud to bring Zoom’s new end-to-end encryption to Zoom users globally,” said Jason Lee, Zoom CISO. “This has been a highly requested feature from our customers, and we’re excited to make this a reality. Kudos to our encryption team who joined us from Keybase in May and developed this impressive security feature.”

Under the new system, which uses 256-bit AES-GCM encryption, meeting hosts generate the encryption keys, which are then distributed to fellow participants via public key cryptography. The encrypted information is “indecipherable” by Zoom, whose servers merely act as “oblivious relays”.
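The key flow described above can be sketched in a few lines of Node.js. This is an added example, not Zoom's code or protocol: the X25519 key agreement, the HKDF step, the meeting id and all function names are assumptions chosen for illustration, and the participants' public keys are assumed to be authentic.

```javascript
// Added illustration, not Zoom's code: X25519 + HKDF key wrapping is an assumption.
const crypto = require('node:crypto');

// AES-256-GCM with a fresh 96-bit nonce; returns nonce, ciphertext and auth tag.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Throws if the key is wrong or if iv, ct, tag or aad were altered in transit.
function unseal(key, { iv, ct, tag }, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAAD(aad);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Key-encryption key from an X25519 shared secret, bound to the meeting id.
function kek(myPrivate, theirPublic, meetingId) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'wrap:' + meetingId, 32));
}

// Constructed scenario: a host, one participant, and a relay that only forwards.
function demo() {
  const meetingId = 'constructed-meeting-1', aad = Buffer.from(meetingId);
  const host = crypto.generateKeyPairSync('x25519');
  const guest = crypto.generateKeyPairSync('x25519');
  const meetingKey = crypto.randomBytes(32); // generated on the host's device only
  // Host wraps the meeting key for the guest's public key.
  const wrapped = seal(kek(host.privateKey, guest.publicKey, meetingId), meetingKey, aad);
  // Host encrypts a media frame under the meeting key.
  const frame = seal(meetingKey, Buffer.from('frame 0001'), aad);
  // Everything the relay holds besides public keys: the wrapped key and ciphertext.
  const relayView = { wrapped, frame };
  // Guest unwraps with its own private key, then decrypts the frame.
  const guestKey = unseal(kek(guest.privateKey, host.publicKey, meetingId), relayView.wrapped, aad);
  const plaintext = unseal(guestKey, relayView.frame, aad).toString();
  // Without the meeting key, decryption fails GCM authentication outright.
  let relayFailed = false;
  try { unseal(crypto.randomBytes(32), relayView.frame, aad); } catch { relayFailed = true; }
  return { plaintext, keysMatch: guestKey.equals(meetingKey), relayFailed };
}

console.log(demo());
```

The property only holds if each participant's public key really belongs to that participant, so any scheme of this shape needs a way for users to verify keys independently of the relay.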

While many will celebrate the arrival of the new security feature, it’s important to note that E2EE protection does not apply to all Zoom meetings. The feature must be toggled on by the host, participants must join from the appropriate Zoom clients and the meeting must not contain more than 200 participants.

Activating E2EE will also result in diminished functionality, preventing users from accessing features including cloud recording, polling, breakout rooms and live transcription.