Zoom’s Halfway to Realizing 90-Day Security Plan

Here's a recap of everything the company has done so far to beef up security, 50 days later


Published: June 11, 2020

Ian Taylor Editor


Zoom recently published a draft cryptographic design of its upcoming end-to-end-encrypted video communications offering. Security and privacy take center stage in that design, as they do in Zoom’s 90-day plan, according to Max Krohn, Co-Founder, Keybase.io. Krohn said that when he joined Zoom with the rest of the Keybase team on May 7, they announced the intent to build the ‘Most secure video meeting offering that can reach current Zoom scalability,’ adding:

“In our commitment to remaining transparent and open as we build this end-to-end encryption offering, we have published our cryptographic design for peer review on GitHub.”

Zoom will host discussions with cryptographic experts, nonprofits, advocacy groups, customers, and others so it can share more details and solicit feedback, I’m told. Once the company has had the chance to assess that feedback, Zoom said, it will integrate the suggestions into the final design of its end-to-end encryption offering.


Zoom’s Founder and CEO, Eric Yuan, announced in April that the company would enact a 90-day plan to combat its security shortcomings, including Zoombombing. Two weeks after the news broke, the video conferencing giant launched Zoom version 5.0, a release that features several security improvements, including encryption.

The video conferencing company’s 90-day timeline now sits at 50 days, and we’re just over halfway there, so I wanted to recap what Zoom has done during the first half of its plan to tighten up security. Security remains a touchy subject, and it eventually led several major companies, including SpaceX founder Elon Musk’s, to ban the video conferencing system, citing security concerns.

July 21, 2020, will mark the end of the 90-day timeframe Zoom laid out for itself, and the company has made significant progress toward securing its platform. Zoom has added a new security icon which lets users remove participants and lock meetings. The Zoom client also now features a ‘report a user’ function and waiting rooms, and all K-12, Basic (free), and Single Pro users have passwords set by default.

All accounts are set to require passwords for meetings, both past and future, and for phone attendees. Users can manage virtual backgrounds and disable joining from multiple devices. All paid account admins can customize where meeting data goes, and passwords are ‘on’ by default for cloud meeting recordings. Zoom even enhanced the complexity of the passwords it requires for meetings and removed features like ‘attention tracking,’ LinkedIn Nav, and the Facebook SDK, which could all potentially expose users to intruders because of the third-party design of the functions.


Zoom formed the CISO Council and Advisory Board, made up of security leaders from various industries. Alex Stamos joined Zoom as an outside advisor to help the video conferencing company with a comprehensive review of the Zoom platform. Lea Kissner joined Zoom as a security consultant to shed light on how to improve user privacy and encryption. Luta Security partnered with Zoom to beef up its bug bounty program, and Zoom announced plans to expand its trust and safety team. Likely the biggest splash Zoom made during this time came on May 7, 2020, when the company said it had acquired Keybase to realize the most broadly used enterprise end-to-end encryption offering on the market.
