Zoom is working on end-to-end encryption to protect privacy on its increasingly popular video chat service, but the company will make it a premium feature not available to free accounts. Alex Stamos, a Zoom security consultant and former chief security officer for Yahoo, told Reuters the company could include exceptions like nonprofits or political dissidents, though.
Zoom encrypts connections between the company's servers and the devices of people using its service. End-to-end encryption, though, secures connections all the way from each device to every other device on a call. It's available in some Zoom alternatives, like Apple FaceTime.
The company's business has surged with the orders to stay home that increased the demand for online work and personal videoconferencing. However, the increased scrutiny revealed several Zoom security problems and the fact that an earlier Zoom boast of end-to-end encryption was baseless.
Zoom's end-to-end encryption approach "is very much a work in progress -- everything from our draft cryptographic design, which was just published last week, to our continued discussions around which customers it would apply to," the company said in a statement.
End-to-end encryption will only be for paid accounts, Zoom said in a blog post this week. Even where that protection isn't being used, though, Zoom is moving all its users to stronger encryption, 256-bit AES (Advanced Encryption Standard) using GCM, or Galois/Counter Mode.
Zoom 5.0 added GCM encryption as an option in April, but on Saturday, it became mandatory for anyone joining a Zoom meeting, to improve security. The earlier Zoom approach, in contrast, was a "bad idea," according to Citizen Lab security researchers who found some of the earlier Zoom shortcomings.