Zoom finds a balance between privacy and policy
The company said it will enable end-to-end encryption for everyone on the service, and says it can do it without sacrificing its "ability to prevent and fight abuse on the platform."
Say this for Zoom: The company's certainly quick on its feet. After creating a backlash for the umpteenth time this pandemic by saying its end-to-end encryption feature would be for paying customers only, then making it worse by saying that decision was made so Zoom could better cooperate with law enforcement, then tripling down by removing a Chinese dissident from the service at the request of the Chinese government, Zoom … changed its mind in a big way.
On day 77 of Zoom's 90-day plan to rethink everything about its security plans, the company said it will enable end-to-end encryption for everyone on the service, and released designs for its encryption on GitHub. And, CEO Eric Yuan said, Zoom can do it without sacrificing its "ability to prevent and fight abuse on the platform."
- Yuan said that Zoom talked to civil rights groups, government organizations, child-safety advocates, encryption experts and more since its initial announcement a few weeks ago. Clearly, and perhaps unsurprisingly, those groups told Zoom that more encryption is better.
- Starting in July, when you schedule a meeting, you'll be able to choose to have end-to-end encryption. (There'll be a new button in the interface.) But there are limitations: Encrypted calls can't include regular phone callers, for instance.
- For business accounts, administrators will be able to toggle encryption either for a specific user or the whole organization.
The challenges for Zoom here are similar to those Facebook faces as it tries to pivot to privacy: Privacy is a good thing, except when it protects bad guys. Zoom may not have the same sort of public-moderation issues, but full encryption would make it harder to keep out Zoombombers or figure out who's creating accounts en masse.
- Most of Zoom's changes in recent weeks have been about giving admins and users more control over who comes into a meeting and what they can do once they're in there. But the company still feels it needs ways to keep some tabs on the platform and its users.
- In this case, Zoom users on free and basic plans will be asked to verify some information about themselves — like a phone number — in order to turn on the feature. Zoom is still trying to make sure it can weed out problematic users, so it's trading "info about your chats" for "info about our users."
Zoom's still tweaking the encryption system and soliciting feedback on GitHub. "Until things are out the door, there's really no reason to cut off feedback," said Max Krohn, Zoom's head of security engineering. I've seen a few people complain about Zoom collecting more information about users, but in general the reaction to this news seems to be that Zoom came around and did the right thing. Even if it took a few wrong turns along the way.
This article will appear in tomorrow's edition of our daily newsletter Source Code.