90-Day Security Plan Progress Report: June 3
As we continue on our 90-day plan to improve the security and privacy of our platform, this week’s “Ask Eric Anything” webinar focused on recent product security updates, including the successful rollout of Zoom 5.0 and the enablement of GCM encryption for real-time content on every free and paid Zoom account.
Zoom CEO Eric S. Yuan was joined by Zoom CPO Oded Gal for this week’s session. Zoom CTO Brendan Ittelson; Lea Kissner, former Global Lead of Privacy Technology at Google who is consulting with Zoom on privacy and encryption; Max Krohn, Head of Security Engineering at Zoom; and Lynn Haaland, Zoom Deputy General Counsel, Chief Compliance and Ethics Officer, joined for the Q&A session.
Zoom platform highlights from last month:
Updates from the past week and upcoming plans over the next few weeks:
Key takeaways from this week’s session
Zoom is now GCM encrypted
One of the most impactful changes we’ve made to date is Zoom 5.0, which supports 256-bit AES-GCM encryption for real-time content, one of the most secure encryption standards used today. This encryption was enabled for all accounts on May 30 and is now available to all users — free and paid.
End-to-end encryption design
We continue to implement our end-to-end encryption design phases. We released our draft design Friday, May 22, on GitHub and are in the process of hosting discussions with cryptographic experts, nonprofits, advocacy groups, customers, and others to share more details and solicit feedback for the final design. Once we have assessed this feedback for integration into a final design, we will announce our engineering milestones and goals for deploying an end-to-end encryption offering for Zoom users.
Here are some of the webinar attendee questions (and summarized answers) that were addressed live this week:
Why are we adding an option for owners/admins to manage virtual backgrounds?
Account admins were asking for more control over what their users can upload as virtual backgrounds, so we’re working to offer the ability for admins to upload a set of pre-approved backgrounds.
Any plans to add multi-factor authentication (MFA)?
Most of our enterprise customers use some form of MFA through single sign-on (SSO) providers like Okta and OneLogin to access Zoom. We plan to add MFA options for free and Pro users in the future.
Can you share best practices for hosting large public meetings?
We recommend using the webinar solution, which allows you to better control who can speak and present. Learn more in our meetings vs. webinars support article. If you require a meeting with everyone on video and audio, then best practice would be to create registrations for the meeting, turn on passwords and the Waiting Room, and only allow the host or co-hosts the ability to share their screen.
Will Zoom 5.0 affect participants without a Zoom account that wish to join?
You do not need a Zoom account to join a meeting if invited. Even on Zoom 5.0 or later, anyone can join a Zoom meeting without a Zoom account. If you have an account and are still on a pre-5.0 version, you’ll be prompted to update before you can join.
Does the webinar solution also use GCM encryption?
Yes, it’s the same 256-bit AES-GCM encryption for our meeting and webinar products.
What are your expectations for the last 30 days of the 90-day plan?
We will continue raising the bar on security, privacy, and safety for the Zoom community and build on these efforts for the future. Some short-term goals include using feedback to build out our end-to-end encryption offering, additional password enhancements, more UI updates, and continued efforts to address meeting disruptions.
What happens when the 90-day plan is over?
The conclusion of the 90-day plan doesn’t mean our security/privacy efforts end. Far from it. User privacy and security will continue to be our focus going forward, and Zoom will continue to develop the most secure and frictionless video communication solution for our customers.
Thank you for your support
Thanks for attending this week’s session, and thank you to everyone who submitted questions! We truly appreciate your support on our journey to make Zoom the world’s most secure enterprise communications platform.
If you missed this week’s session, you can watch the recording here:
To give your feedback or to ask Zoom a question, send an email to firstname.lastname@example.org. And be sure to sign up for next week’s “Ask Eric Anything” webinar.
Editor’s note: This blog post was edited on Aug. 2, 2021, to include the most up-to-date information on Zoom encryption.