Videoconferencing service Zoom rolled out a major new security upgrade for users on Monday: end-to-end encryption. But the extra protection against hackers won’t be offered by default, meaning users will have to take several steps to turn it on.
Zoom initially announced the extra security in May, when exploding use of its service during the coronavirus pandemic led to a rise in security problems, including strangers joining calls uninvited, known as Zoombombing.
Users will have to give some serious thought to whether to enable end-to-end encryption. Although it increases security, it disables a number of key Zoom features.
The new encryption will be available to all Zoom users, whether they have paid or free accounts. Here’s everything to know, including how to decide whether you even need the extra protection.
What is end-to-end encryption?
Zoom calls are already encrypted by default, meaning that video and audio data are scrambled using an algorithm. Information is encoded by replacing readable characters with other data, using a unique key.
End-to-end encryption works on the same principle, but it changes how encryption keys are created and used.
Keys for Zoom’s current default encryption are created on Zoom’s servers, then distributed to users. This increases the chances that a determined hacker could intercept a key and access a meeting uninvited. In a worst-case scenario, hackers could steal thousands of keys at the same time directly from Zoom and then spy on Zoom’s users during their calls.
With end-to-end encryption, keys will instead be generated on the computers of Zoom users. This should mean third parties, including Zoom itself, can’t get their hands on encryption keys. This brings Zoom in line with end-to-end encrypted chat apps like Signal, Wickr, and WhatsApp—except in this case, it applies to video.
Who needs end-to-end encryption for Zoom calls?
Many users probably don’t need the extra protection provided by end-to-end encryption. Zoom’s previous security problems were mostly the result of user error, such as making meetings publicly accessible. So if you’re just trying to deter nuisance Zoombombings of an online high school history class, end-to-end encryption is probably overkill.
But the pandemic has also pushed many highly sensitive conversations online. For corporate discussions, government meetings, and health consultations, for instance, end-to-end encryption can provide peace of mind.
Of course, on the flip side, end-to-end encryption is also useful for criminals. Because companies using it lack access to their users’ encryption keys, the companies are incapable of giving law enforcement access to users’ communications.
How to turn on end-to-end encryption in Zoom
For now, Zoom users will need to go through a two-part process to get end-to-end encryption. First, users must enable it in the security settings of their Zoom accounts.
Second, end-to-end encryption must be activated and managed by each meeting’s host. If it’s activated, attendees who don’t have end-to-end encryption activated on their own accounts will be unable to join meetings. So if you’re using end-to-end encryption, be sure to let invitees know they must activate the feature on their own accounts before joining your meeting.
Some key Zoom features won’t work with end-to-end encryption
Making end-to-end encryption work with multiparty video is a serious technical challenge, and at least with this early version, Zoom had to make some tradeoffs. Broadly speaking, Zoom calls using the technology will be less interactive, less convenient, and require more setup and preparation by both hosts and attendees.
Among the features Zoom says won’t work are recording meetings to the cloud; live emoji reactions from meeting participants; users’ ability to join a call before the host; streaming a meeting to outside viewers; live transcription; polling; one-on-one private chat; and splitting participants into breakout rooms.
But perhaps the most notable missing feature will be telephone dial-in. All participants in end-to-end encrypted calls must use Zoom mobile or desktop software and have end-to-end encryption enabled. That could be a significant hurdle for less tech-savvy users, or others who prefer using their phones to dial in to meetings.
However, some of these limitations may be temporary. This week’s planned rollout is “phase 1,” with a “phase 2” update planned for next year. It’s expected to include improved identity management, which might make joining encrypted calls easier or offset some of the other inconveniences of Zoom’s first iteration of total privacy.