Along with Zoom’s meteoric rise has come a privacy and security blowback. In response to frustration over the videoconferencing service’s vague and misleading encryption claims, Zoom brought on a small army of prominent cryptographers and security engineers as consultants, and acquired the secure communication company Keybase, in pursuit of real end-to-end encryption for its users. But it turns out that even when Zoom completes the feature, only paying customers will receive it—leaving Zoom’s free users in the lurch.
End-to-end encryption allows data to move between devices in a form that is unreadable to anyone other than the recipients—protecting the information in transit from snooping by your internet service provider, the government, or communication platforms themselves. Privacy advocates strongly recommend it, while governments argue that it makes law enforcement’s job harder. In the United States, the Department of Justice has doubled down on its anti-encryption stance in recent years, urging tech companies to create backdoors in their encryption for law enforcement access. Zoom’s decision to limit end-to-end encryption to paid accounts seems to be an attempt at compromise.
“Free users for sure we don’t want to give that,” Zoom CEO Eric Yuan said in a company earnings call on Tuesday referring to end-to-end encryption, “because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose.”
Implicit in Yuan’s comments is a presumed connection between people who use a service for free and criminal activity, which many privacy advocates decried Wednesday. In practice, requiring a paid account for end-to-end encryption could put it out of reach for the vulnerable groups who need it most, including activists, journalists, and nonprofits who often have limited resources
“Anyone who cares about public safety should be pushing for more encryption everywhere possible, not less,” says Evan Greer, deputy director of the digital rights organization Fight for the Future. “For the company to say they’ll only keep your calls safe and secure if you pay extra—they’re leaving the people most likely to be targeted by surveillance or online harassment vulnerable. They have a chance to do something really good for human rights by implementing default end-to-end encryption to all users. But if they make it a premium paid feature, they’re setting a precedent that privacy and safety is only for those who can afford to pay for it.”
End-to-end encryption is hard to get right under any circumstances, but especially for a video chat that can support up to a thousand participants. Everything from bandwidth to people dropping in and out of calls adds complexity to an already challenging problem. While services like Apple’s FaceTime, Facebook’s WhatsApp, and Google’s Duo all offer end-to-end encrypted video chat for up to about a dozen participants, no one has ever come close to implementing it to the extent Zoom is pursuing.
“In principle it’s doable, but in practice, and especially at Zoom’s scale, it’s a very difficult engineering problem,” says cryptographer Jean-Philippe Aumasson. “It’s not just about throwing some crypto code at the problem.”
Zoom would also be the first widely used service of its kind, though, to fence off who could access those protections.
“Zoom’s end-to-end encryption plan balances the privacy of its users with the safety of vulnerable groups, including children and potential victims of hate crimes,” a Zoom spokesperson said in a statement. “We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity.”