90-Day Security Plan Progress Report: June 10
As we continue on our 90-day plan to improve the security and privacy of our platform, this week’s “Ask Eric Anything” webinar focused on recent product security updates, facts about Zoom encryption, and securing meetings with passwords and Waiting Rooms.
Zoom CEO Eric S. Yuan was joined by Zoom CPO Oded Gal and Lea Kissner, former Global Lead of Privacy Technology at Google who is consulting with Zoom on privacy and encryption, for this week’s session.
Zoom CTO Brendan Ittelson; Max Krohn, Zoom’s Head of Security Engineering; and Lynn Haaland, Zoom Deputy General Counsel, Chief Compliance and Ethics Officer, joined for the Q&A session.
Key takeaways from this week’s session
Facts about Zoom’s encryption
Zoom has encrypted meeting traffic for all users and continues to do so.
AES-256-GCM, an authenticated-encryption mode that protects both the confidentiality and the integrity of meeting content, is currently enabled in meetings and is available to all users, free and paid. This is not end-to-end encryption: the meeting keys are managed by Zoom (which is why the point below about not handing keys to governments matters), and a separate E2EE design is covered in the next section. A few other things we emphasized:
- Zoom does not provide the government direct and unrestricted access to our users’ data, and we do not provide the government with our encryption keys. Zoom will only provide content in response to valid legal process, such as a search warrant based upon probable cause. More information can be found here.
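To make concrete what "AES-256-GCM" buys a meeting (confidentiality plus tamper detection in one primitive), here is an added example, not Zoom's code or its documented frame format: it seals a constructed audio frame under a random 256-bit key, binds a made-up meeting identifier as associated data (an assumption for illustration), and shows that a single flipped ciphertext bit, a different identifier, a wrong key, or a truncated message is rejected rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// AES-256-GCM parameters: a 32-byte key and the 12-byte nonce GCM is designed
// around. A nonce must never repeat under one key; reuse breaks both
// confidentiality and integrity.
const (
	KeySize   = 32
	NonceSize = 12
)

// NewKey returns a fresh random 256-bit key.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a random nonce and returns
// nonce || ciphertext || 16-byte tag. aad is authenticated but not encrypted;
// binding a meeting identifier this way (an illustrative assumption, not
// Zoom's design) stops a frame from one meeting being replayed into another.
func Seal(key, aad, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag over nonce, ciphertext and aad, returning plaintext
// only if every byte is exactly as sealed.
func Open(key, aad, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// TamperDetected reports whether Open rejects both a one-bit change to the
// ciphertext and the unmodified ciphertext presented under different aad.
func TamperDetected(key, aad, sealed []byte) bool {
	flipped := append([]byte(nil), sealed...)
	flipped[NonceSize] ^= 0x01 // first byte after the nonce
	if _, err := Open(key, aad, flipped); err == nil {
		return false
	}
	otherAAD := append(append([]byte(nil), aad...), '!')
	if _, err := Open(key, otherAAD, sealed); err == nil {
		return false
	}
	return true
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("meeting:123456789") // constructed meeting identifier
	sealed, err := Seal(key, aad, []byte("audio frame 0001"))
	if err != nil {
		panic(err)
	}
	plaintext, err := Open(key, aad, sealed)
	fmt.Printf("decrypted: %q (err=%v)\n", plaintext, err)
	fmt.Println("tampering detected:", TamperDetected(key, aad, sealed))
}
```

The point to take from the example is the difference between this and end-to-end encryption: whoever holds `key` can run `Open`. With the design described on this page that party includes Zoom's infrastructure; E2EE moves key generation and holding to the participants' clients.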
Zoom’s plan for end-to-end encryption
Zoom announced our intention to create an end-to-end encryption (E2EE) offering on May 7. We released the original cryptographic design on GitHub on May 22 for feedback, and Lea said an updated version of the paper will be out soon. E2EE is an important security tool, and doing it at scale for a product like Zoom has not been done before. We want to make E2EE widely available and are exploring ways to do so safely.
Product updates — Waiting Rooms & passwords
We have been enhancing our security features over the past couple of months to ensure our users have full control of the platform and their meeting experience. Oded reviewed some of the benefits of using Waiting Rooms and passwords:
In April, we turned Waiting Rooms on by default and began requiring passwords for free Basic and K-12 accounts. Soon we will also require every meeting scheduled under a paid account to have either the Waiting Room or a password enabled; the date for this requirement has not yet been set.
Meetings scheduled before the effective date without a password will have the Waiting Room enabled by default; admins and users can instead choose to enforce a password, the Waiting Room, or both. We’ll provide more updates in the coming weeks.
Can I get a report of users on my account who don’t have passwords turned on?
Customers with more than 50 paid licenses can access a report that shows their organization’s scheduled meetings without passwords.
Will participants have to enter a password when entering a meeting?
Meeting passwords are embedded in the meeting invite URL, so participants who click the link are not prompted for a password. Participants who join by typing in the meeting ID (rather than clicking the link) must enter the password manually. Because the password travels inside the link, anyone who obtains the invite URL can join: treat the link itself as the secret and share it only with intended attendees.
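Since the invite link carries the password, a practical control is to catch such links before they are pasted into a public channel or a shared calendar. The following is an added example, not Zoom's code: it treats a `pwd` query parameter and the `https://zoom.us/j/<id>` URL shape as illustrative assumptions (the page does not document the invite format), detects links that embed a passcode, and rewrites them to the ID-only form that forces the manual password entry described above.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// PasscodeParam is the query parameter assumed here to carry the embedded
// meeting passcode. The name and the URL shape used below are illustrative
// assumptions, not Zoom's documented invite format.
const PasscodeParam = "pwd"

// linkRe matches http(s) URLs in free text (chat messages, calendar notes).
var linkRe = regexp.MustCompile(`https?://[^\s<>"')]+`)

// HasEmbeddedPasscode reports whether a link carries the passcode as a
// query parameter, i.e. whether the link alone is enough to join.
func HasEmbeddedPasscode(raw string) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	_, ok := u.Query()[PasscodeParam]
	return ok, nil
}

// StripPasscode returns the link without the passcode parameter, so the
// recipient has to obtain the passcode out of band, as when joining by ID.
func StripPasscode(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Del(PasscodeParam)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// RedactInviteLinks rewrites every link in text that embeds a passcode and
// returns the rewritten text plus the number of links changed. Links that
// fail to parse or carry no passcode are left untouched.
func RedactInviteLinks(text string) (string, int) {
	changed := 0
	out := linkRe.ReplaceAllStringFunc(text, func(link string) string {
		has, err := HasEmbeddedPasscode(link)
		if err != nil || !has {
			return link
		}
		stripped, err := StripPasscode(link)
		if err != nil {
			return link
		}
		changed++
		return stripped
	})
	return out, changed
}

func main() {
	// Constructed chat message; the meeting ID and passcode value are made up.
	msg := "Join here: https://zoom.us/j/123456789?pwd=a1b2c3 (starts at 10:00)"
	out, n := RedactInviteLinks(msg)
	fmt.Printf("redacted %d link(s): %s\n", n, out)
}
```

Running `RedactInviteLinks` over outbound messages in a bot or DLP hook turns a link-as-bearer-credential into a link-plus-shared-secret; the passcode then has to travel over a channel restricted to the intended attendees.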
When dialing in by phone, how do passwords work?
Participants who dial in use a shorter, numeric-only password that can be keyed in on the phone’s keypad. A short numeric-only code has a much smaller keyspace than an alphanumeric password, so it offers correspondingly less resistance to guessing.
How do passwords and Waiting Rooms work on paid accounts for free users?
Any participant, free or paid, who joins a Zoom meeting must comply with the paid host’s meeting requirements, which may include a password, the Waiting Room, or both.
When can we expect multi-factor authentication (MFA) to arrive on Zoom?
You can use MFA today through any identity provider (IdP) that supports SAML single sign-on (SSO); the second factor is then enforced by the IdP when users sign in to Zoom via SSO.
Is Zoom considered HIPAA compliant?
Yes. We can help medical providers operate Zoom in a HIPAA-compliant manner. We offer a number of features that support a HIPAA-compliant environment, including prohibiting recordings and executing business associate agreements (BAAs). We designed Zoom for these use cases even before COVID-19. Reach out and we can help you set it up.
Is there a way to protect your webinar content against screen capture software?
Zoom offers watermark features. With the image watermark enabled, shared content is overlaid for each viewer with that viewer’s identifying information, so any screenshot carries the identity of the person who took it and you can trace who leaked the meeting content. We also offer an audio watermark, which embeds identifying information in the audio each participant receives, to deter shadow recording and help identify users who may have shared an audio recording. Note that watermarks attribute a leak after the fact; they do not prevent screen or audio capture.
When will the 90-day plan end?
The 90-day period ends on July 1st, and our dedication to security and privacy is always a top priority and an integral part of our company’s DNA.
Can we control virtual backgrounds at the account or group level?
We’re adding an option for admins to control which virtual backgrounds can be used: the admin uploads pre-approved backgrounds and restricts hosts and participants to those. We will be developing that feature in the coming weeks.
With Zoom “zooming,” how do you plan to keep your customers happy?
Eric said it ultimately boils down to our company culture, which emphasizes caring for our customers. We remain committed to solving our customers’ business communication challenges, and we take careful action based on feedback to serve and support our customers.
Thank you for your support
Thanks for attending this week’s session, and thank you to everyone who submitted questions! We truly appreciate your support on our journey to make Zoom the world’s most secure enterprise communications platform.
If you missed this week’s session, you can watch the recording here:
Editor’s note: This blog post was edited on Aug. 2, 2021 to include the most up to date information on Zoom encryption and updated language related to government access to information.