Zoom Lurches Forward on Security with New Acquisition

Videoconferencing marvel Zoom Video Communications has acquired Keybase, a secure messaging and file-sharing service. Zoom officials said the technology developed by Keybase would speed up the company's plans to add end-to-end encryption that could scale with Zoom adoptions in an era when school, work and family events are being handled remotely as a response to coronavirus lockdowns.

Zoom is in a hurry. In recent weeks, the company has faced a litany of complaints regarding what has been perceived as a lax security stance. Alongside advantages (simple setup and the cost — free) the program has seen increased scrutiny for several reasons: "Zoom-bombing" made headlines when people invaded meetings they weren't invited to; privacy policies have seemingly given the company permission to do whatever it wants with the personal information collected; encryption has turned out to be fairly nonexistent; and the company's URL has become a popular choice of cyber criminals who have registered Zoom-like domain names in hopes of wooing phishing victims. For a while New York City Public Schools expelled Zoom from its remote classrooms, though that ban ended last week with the introduction of a customized version of the program.

To address security concerns, in April, the company announced a 90-day security plan "to better identify, address and fix issues proactively." The company has been jumping on improvements. In March it set up a dedicated K-12 privacy policy and updated its overall privacy policy. It also published guidance to help users address gatecrashers. And it came clean in a blog post on "facts around Zoom and encryption."

"There are end-to-end encrypted communications platforms. There are communications platforms with easily deployable security. There are enterprise-scale communications platforms. We believe that no current platform offers all of these. This is what Zoom plans to build, giving our users security, ease of use and scale, all at once," said Eric Yuan, CEO of Zoom, in a statement. "The first step is getting the right team together. Keybase brings deep encryption and security expertise to Zoom, and we're thrilled to welcome [Keybase Co-founder and Developer] Max [Krohn] and his team. Bringing on a cohesive group of security engineers like this significantly advances our 90-day plan to enhance our security efforts."

The latest acquisition puts Krohn in charge of Zoom security. Terms of the purchase were not made public.

Currently, according to the company, audio and video content flowing between Zoom nodes — those devices running the Zoom app — is encrypted at each sending client device. It gets decrypted when it reaches a recipient's device. However, encryption keys are generated by Zoom's servers, at least for the latest version of the software (Zoom 5.0). The users don't have absolute control over that part of the encryption process.

In the "near future," the company reported, Zoom would offer an end-to-end encrypted meeting mode for paid accounts. As a company article explained:

"Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom's network and can be used to establish trust relationships between meeting attendees. An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees. The cryptographic secrets will be under the control of the host, and the host's client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting."

That end-to-end encryption plan won't work when users have phone bridges, cloud recording or non-Zoom conference room systems, the company warned. But the encryption keys "will be tightly controlled by the host, who will admit attendees."

Zoom said it would also be taking additional steps on the security front:

  • Working with users to make reporting easier when unwanted attendees show up, but without monitoring meeting contents itself;
  • Committing to not building a mechanism that would allow for live meetings to be decrypted; and
  • Committing to not building "cryptographic backdoors to allow for the secret monitoring of meetings" or having Zoom employees attend meetings without being part of the participant list.

Zoom said that it would publish a draft cryptographic design on Friday, May 22, 2020 and then host discussions with "civil society, cryptographic experts and customers."

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • teacher and children working with a LEGO Education Science kit

    LEGO Education Debuts Science Kits for Hands-on Learning

    LEGO Education has announced a new learning solution to engage students in hands-on science learning. Available in three kits by grade band, LEGO Education Science provides 120-plus standards-aligned science lessons, teacher materials, and select LEGO bricks and hardware.

  • computer monitor with glowing digital data and graphs bursting out in an abstract, energetic explosion of lines and elements against a dark background

    New OpenAI Agent Turns ChatGPT into a Research Analyst

    OpenAI has unveiled a new "Deep Research" feature that enhances ChatGPT with the capabilities of a "research analyst" that automates time-consuming research by retrieving, analyzing, and synthesizing online information.

  • silhouetted human figures stand opposite a glowing digital brain, surrounded by abstract circuits and shadowy shapes

    Tech Execs Expect AI Advancements to Increase Security Threats

    Forty-one percent of tech executives in a recent international survey said they believe advancements in AI will significantly increase security threats. NetApp's second annual Data Complexity Report points to 2025 as "AI's make or break year."

  • outline of a modern school building as glowing blue geometric shapes, surrounded by binary code streams, with golden orbs and lines representing funding, set against a dark gray gradient with faint grid patterns

    FCC Cybersecurity Pilot Participants Selected

    The Federal Communications Commission has officially selected the participants for its Schools and Libraries Cybersecurity Pilot, the three-year program exploring the use of Universal Service funds to improve school and library defenses against cyber attacks.