Zoom Ups Security with New Acquisition

• By Dian Schaffhauser
• 05/14/20

Zoom Video Communications has acquired Keybase, a secure messaging and file-sharing service. Zoom officials said the technology developed by Keybase would speed up the company's plans to add end-to-end encryption that could scale with Zoom adoptions in an era when school, work and family events are being handled remotely as a response to coronavirus lockdowns.

Zoom is in a hurry. In recent weeks, the company has faced a litany of complaints regarding what has been perceived as a lax security stance. Alongside advantages (simple setup and the cost — free) the program has seen increased scrutiny for several reasons: "Zoom-bombing" made headlines when people invaded meetings they weren't invited to; privacy policies have seemingly given the company permission to do whatever it wants with the personal information collected; encryption has turned out to be fairly nonexistent; and the company's URL has become a popular choice of cyber criminals who have registered Zoom-like domain names in hopes of wooing phishing victims. For a while New York City Public Schools expelled Zoom from its remote classrooms, though that ban ended last week with the introduction of a customized version of the program.

To address security concerns, in April, the company announced a 90-day security plan "to better identify, address and fix issues proactively." The company has been jumping on improvements. In March it set up a dedicated K-12 privacy policy and updated its overall privacy policy. It also published guidance to help users address gatecrashers. And it came clean in a blog post on "facts around Zoom and encryption."

"There are end-to-end encrypted communications platforms. There are communications platforms with easily deployable security. There are enterprise-scale communications platforms. We believe that no current platform offers all of these. This is what Zoom plans to build, giving our users security, ease of use and scale, all at once," said Eric Yuan, CEO of Zoom, in a statement. "The first step is getting the right team together. Keybase brings deep encryption and security expertise to Zoom, and we're thrilled to welcome [Keybase Co-founder and Developer] Max [Krohn] and his team. Bringing on a cohesive group of security engineers like this significantly advances our 90-day plan to enhance our security efforts."

The latest acquisition puts Krohn in charge of Zoom security. Terms of the purchase were not made public.

Currently, according to the company, audio and video content flowing between Zoom nodes — those devices running the Zoom app — is encrypted at each sending client device. It gets decrypted when it reaches a recipient's device. However, encryption keys are generated by Zoom's servers, at least for the latest version of the software (Zoom 5.0). The users don't have absolute control over that part of the encryption process.

In the "near future," the company reported, Zoom would offer an end-to-end encrypted meeting mode for paid accounts. As a company article explained:

"Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom's network and can be used to establish trust relationships between meeting attendees. An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees. The cryptographic secrets will be under the control of the host, and the host's client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting."

That end-to-end encryption plan won't work when users have phone bridges, cloud recording or non-Zoom conference room systems, the company warned. But the encryption keys "will be tightly controlled by the host, who will admit attendees."

Zoom said it would also be taking additional steps on the security front:

• Working with users to make reporting easier when unwanted attendees show up, but without monitoring meeting contents itself;
• Committing to not building a mechanism that would allow for live meetings to be decrypted; and
• Committing to not building "cryptographic backdoors to allow for the secret monitoring of meetings" or having Zoom employees attend meetings without being part of the participant list.

Zoom said that it would publish a draft cryptographic design on Friday, May 22, 2020 and then host discussions with "civil society, cryptographic experts and customers" to give details and get feedback.