Why Zoom is leaving its free videoconferencing with weaker encryption
In the contest to win over consumers, many tech giants have taken to offering end-to-end encryption as a default safeguard. The security measure helps prevent interlopers and would-be eavesdroppers from snooping on people’s conversations.
End-to-end encryption has become such a fixture of chat and video-calling apps in recent years that it can easily be taken for granted. Free products such as Facebook’s WhatsApp, Apple’s FaceTime, and Alphabet’s Google Meet all support the feature, which prevents even the companies themselves from scrutinizing the contents of users’ communications.
Not so at Zoom Video Communications. The company, whose videoconferencing software became ultra-popular as the coronavirus pandemic started forcing people to shelter at home, plans to reserve the heightened form of encryption solely for its paying customers.
Eric Yuan, Zoom’s CEO, confirmed the decision, first reported by Reuters last week, in an earnings call with investors Tuesday. (The company blew financial analysts’ expectations out of the water, nearly doubling its annual revenue forecast.)
“We think this feature should be a part of our offering” for business and professional customers, Yuan said. He added that the company doesn’t plan to offer free users the same luxury, “because we also want to work together with the FBI, with local law enforcement, in case some people use Zoom for a bad purpose.”
Stuck in the middle
While end-to-end encryption can be a boon for privacy-conscious consumers, it can be a headache for governments. Law enforcement argues that the technology prevents investigators from following leads and collecting evidence in cases ranging from terrorism to child abuse.
Quashing end-to-end encryption remains a high priority for the Justice Department. U.S. Attorney General William Barr has repeatedly blasted Apple for failing to help unlock the phone of a terrorist—a confrontation that calls to mind the Apple vs. FBI fight of 2016. In the fall, Barr cosigned a letter with peers in the U.K. and Australia asking Facebook to delay its rollout of end-to-end encryption across all its messaging products.
The encryption technology is under fire in Congress too. The Senate is currently entertaining a bill, called the EARN IT Act, which could force tech companies to install “backdoors” in their code. The proposed law is designed to allow the government to gain access to suspected criminals’ communications, but it could end up thwarting end-to-end encryption protections for everyone.
End-to-end encryption differs from other forms of encryption in where the key lives: data is encrypted using a secret cryptographic key, essentially a password, stored on a person's own device rather than with the service provider. Since only the parties privy to a conversation have the special codes required to decipher the data, no one but the intended recipients can read the contents of messages.
For everyone else, the encrypted data looks like gobbledygook.
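The difference comes down to who holds the key, which the following sketch makes concrete; it is an added example, not part of the original article and not Zoom's or any vendor's code. Assumptions: the `Device` class, the function names, the toy Diffie-Hellman parameters and the HMAC-based stand-in cipher are all hypothetical, built from the Python standard library for illustration only.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, chosen for brevity (assumption, not production-grade).
P = 2**255 - 19
G = 2

class Device:
    """An endpoint whose private key is generated on, and never leaves, the device."""
    def __init__(self):
        self._private = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self._private, P)  # the only value sent via the relay

    def session_key(self, peer_public):
        shared = pow(peer_public, self._private, P)
        return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (illustration only).
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = nonce + _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()

def open_sealed(key, blob):
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(_subkey(key, b"enc"), body[:16], body[16:])

def provider_keyed_call(message):
    """Provider creates the meeting key, so its relay can read the traffic."""
    provider_key = secrets.token_bytes(32)
    return open_sealed(provider_key, seal(provider_key, message))

def end_to_end_call(message):
    """Key is derived on the two devices; returns (what the relay sees, what Bob reads)."""
    alice, bob = Device(), Device()
    blob = seal(alice.session_key(bob.public), message)
    return blob, open_sealed(bob.session_key(alice.public), blob)
```

In the end-to-end case the relay handles only two public values and an opaque blob. The exchange shown is unauthenticated, so a real system must also bind each public key to a verified identity, or a relay that swaps the public values in transit could still sit in the middle.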
Slow and steady
Zoom’s decision to enable end-to-end encryption for some, but not all, customers can be interpreted as a compromise.
When the company was under fire for security and privacy lapses earlier this year (Zoombombing, anyone?), CEO Yuan promised to pause all other engineering work for 90 days while his team concentrated on fixing the “trust” issues. On the one hand, Zoom had to balance the privacy of its users; on the other, it sought to remain on the right side of regulators.
For all Zoom’s zoomph, the company faces legal headwinds. Already, the Federal Trade Commission has indicated that it is probing Zoom for potentially misleading people about its privacy. And Zoom’s service has also appeared in federal lawsuits concerning child abuse; one federal prosecutor, who was quoted in a recent New York Times investigation, described the service as “the Netflix of child pornography” in a closing argument at court.
By rolling out end-to-end encryption for only paying customers, Zoom ensures that it can maintain records on people who enjoy the strongest privacy settings. The move, which leaves freeloaders more exposed, has the added benefit of encouraging people and businesses to shift to the paid product, bolstering Zoom’s rocketing business.
Max Krohn, cofounder of Keybase, an encrypted messaging app that was recently snatched up by Zoom for an undisclosed amount, said in a paper posted to the code-sharing site GitHub that the company would seek public comment and continue to “refine” its encryption plan over time.
One could interpret Zoom’s decision as offering weaker security by default. But it also boosts the business, potentially keeps regulators at bay, and provides cover that the company is doing something about abusive users of its platform from whom it had nothing to gain. As Jon Callas, a technology fellow at the American Civil Liberties Union, told Reuters, the strategy seems to be a reasonable way for Zoom “to get rid of the riffraff” and the people who do “real horrible stuff.”