by Gennie Gebhart
June 17, 2020, Electronic Frontier Foundation
Reprinted under Creative Commons Attribution License 3.0
We are glad to see Zoom's announcement today that it plans to offer end-to-end encryption to all its users, not just those with paid subscriptions. Zoom initially stated it would develop end-to-end encryption as a premium feature. Now, after 20,000 people signed on to EFF and Mozilla's open letter to Zoom, Zoom has done the right thing, changed course, and taken a big step forward for privacy and security.
Other enterprise companies like Slack, Microsoft, and Zoom's direct competitor Cisco should follow suit and recognize, in the Zoom announcement's words, "the legitimate right of all users to privacy" on their services. Companies have a prerogative to charge more money for an advanced product, but best-practice privacy and security features should not be restricted to users who can afford to pay a premium.
The pandemic has moved more activities online--and specifically onto Zoom--than ever before. For an enterprise tool like Zoom, that means new users that the company never expected and did not design for, and all the unanticipated security and privacy problems that come with that sudden growth. Zoom's decision to offer end-to-end encryption more widely is especially important because the people who cannot afford enterprise subscriptions are often the ones who need strong security and privacy protections the most. For example, many activists rely on Zoom as an organizing tool, including the Black-led movement against police violence.
To use Zoom's end-to-end encryption, free users will have to provide additional information, like a phone number, to authenticate. As Zoom notes, this is a common method for mitigating abuse, but phone numbers were never designed to be persistent all-purpose individual identifiers, and using them as such creates new risks for users. In different contexts, Signal, Facebook, and Twitter have all encountered disclosure and abuse problems with user phone numbers. At the very least, the phone numbers that users give Zoom should be used only for authentication, and only by Zoom. Zoom should not use these phone numbers for any other purpose, and should never require users to reveal them to other parties.
The early beta of end-to-end encryption on Zoom will arrive next month. Users should still take steps to harden their Zoom settings to defend against trolls and other privacy threats. In the meantime, we applaud Zoom's decision to make these privacy and security enhancements available to all of their hundreds of millions of users.