Zoom Ups Security with New Acquisition

Zoom Video Communications has acquired Keybase, a secure messaging and file-sharing service. Zoom officials said the technology developed by Keybase would speed up the company's plans to add end-to-end encryption that could scale with Zoom adoptions in an era when school, work and family events are being handled remotely as a response to coronavirus lockdowns.

Zoom is in a hurry. In recent weeks, the company has faced a litany of complaints regarding what has been perceived as a lax security stance. Alongside advantages (simple setup and the cost — free) the program has seen increased scrutiny for several reasons: "Zoom-bombing" made headlines when people invaded meetings they weren't invited to; privacy policies have seemingly given the company permission to do whatever it wants with the personal information collected; encryption has turned out to be fairly nonexistent; and the company's URL has become a popular choice of cyber criminals who have registered Zoom-like domain names in hopes of wooing phishing victims. For a while New York City Public Schools expelled Zoom from its remote classrooms, though that ban ended last week with the introduction of a customized version of the program.

To address security concerns, in April, the company announced a 90-day security plan "to better identify, address and fix issues proactively." The company has been jumping on improvements. In March it set up a dedicated K-12 privacy policy and updated its overall privacy policy. It also published guidance to help users address gatecrashers. And it came clean in a blog post on "facts around Zoom and encryption."

"There are end-to-end encrypted communications platforms. There are communications platforms with easily deployable security. There are enterprise-scale communications platforms. We believe that no current platform offers all of these. This is what Zoom plans to build, giving our users security, ease of use and scale, all at once," said Eric Yuan, CEO of Zoom, in a statement. "The first step is getting the right team together. Keybase brings deep encryption and security expertise to Zoom, and we're thrilled to welcome [Keybase Co-founder and Developer] Max [Krohn] and his team. Bringing on a cohesive group of security engineers like this significantly advances our 90-day plan to enhance our security efforts."

The latest acquisition puts Krohn in charge of Zoom security. Terms of the purchase were not made public.

Currently, according to the company, audio and video content flowing between Zoom nodes — those devices running the Zoom app — is encrypted at each sending client device. It gets decrypted when it reaches a recipient's device. However, encryption keys are generated by Zoom's servers, at least for the latest version of the software (Zoom 5.0). The users don't have absolute control over that part of the encryption process.

In the "near future," the company reported, Zoom would offer an end-to-end encrypted meeting mode for paid accounts. As a company article explained:

"Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom's network and can be used to establish trust relationships between meeting attendees. An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees. The cryptographic secrets will be under the control of the host, and the host's client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting."

That end-to-end encryption plan won't work when users have phone bridges, cloud recording or non-Zoom conference room systems, the company warned. But the encryption keys "will be tightly controlled by the host, who will admit attendees."

Zoom said it would also be taking additional steps on the security front:

  • Working with users to make reporting easier when unwanted attendees show up, but without monitoring meeting contents itself;
  • Committing to not building a mechanism that would allow for live meetings to be decrypted; and
  • Committing to not building "cryptographic backdoors to allow for the secret monitoring of meetings" or having Zoom employees attend meetings without being part of the participant list.

Zoom said that it would publish a draft cryptographic design on Friday, May 22, 2020 and then host discussions with "civil society, cryptographic experts and customers" to give details and get feedback.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • interconnected cloud icons with glowing lines on a gradient blue backdrop

    Report: Cloud Certifications Bring Biggest Salary Payoff

    It pays to be conversant in cloud, according to a new study from Skillsoft The company's annual IT skills and salary survey report found that the top three certifications resulting in the highest payoffs salarywise are for skills in the cloud, specifically related to Amazon Web Services (AWS), Google Cloud, and Nutanix.

  • a hobbyist in casual clothes holds a hammer and a toolbox, building a DIY structure that symbolizes an AI model

    Ditch the DIY Approach to AI on Campus

    Institutions that do not adopt AI will quickly fall behind. The question is, how can colleges and universities do this systematically, securely, cost-effectively, and efficiently?

  • minimalist geometric grid pattern of blue, gray, and white squares and rectangles

    Windows Server 2025 Release Offers Cloud, Security, and AI Capabilities

    Microsoft has announced the general availability of Windows Server 2025. The release will enable organizations to deploy applications on-premises, in hybrid setups, or fully in the cloud, the company said.

  • digital brain made of blue circuitry on the left and a shield with a glowing lock on the right, set against a dark background with fading binary code

    AI Dominates Key Technologies and Practices in Cybersecurity and Privacy

    AI governance, AI-enabled workforce expansion, and AI-supported cybersecurity training are three of the six key technologies and practices anticipated to have a significant impact on the future of cybersecurity and privacy in higher education, according to the latest Cybersecurity and Privacy edition of the Educause Horizon Report.