Zoom has announced the acquisition of Keybase as part of its 90-day plan to strengthen the security of its video communications platform, which has been criticised for security breaches.
Audio and video content flowing between Zoom clients, such as Zoom Rooms, laptop computers and smartphones running the Zoom app, is encrypted at each sending client device and decrypted upon reaching the recipients' devices.
The Zoom 5.0 release now supports encrypting content using the AES-GCM standard with 256-bit keys. The encryption keys for each meeting are generated by Zoom’s servers. Some features used by Zoom clients, such as support for attendees to call into a phone bridge or use in-room meeting systems from third parties, require Zoom to keep encryption keys in the cloud.
Zoom plans to offer an end-to-end encrypted meeting mode to paid accounts. Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees.
The end-to-end encrypted meetings will not support phone bridges, cloud recording or non-Zoom conference room systems. Zoom Rooms and Zoom Phone participants will be able to attend if explicitly allowed by the host.
Encryption keys will be controlled by the host, who can admit attendees.
In a statement, Zoom clarified: “As we do this work to further protect our users’ privacy, we are also cognizant of our desire to prevent the use of Zoom’s products to cause harm. To that end, we will be taking the following steps:
• We will continue to work with users to enhance the reporting mechanisms available to meeting hosts to report unwanted and disruptive attendees.
• Zoom does not and will not proactively monitor meeting contents, but our trust and safety team will continue to use automated tools to look for evidence of abusive users based upon other available data.
• Zoom has not and will not build a mechanism to decrypt live meetings for lawful intercept purposes.
• We also do not have a means to insert our employees or others into meetings without being reflected in the participant list. We will not build any cryptographic backdoors to allow for the secret monitoring of meetings”.