Zoom Acquires Keybase and Announces Goal of Developing the Most Broadly Used Enterprise End-to-End Encryption Offering
We are proud to announce the acquisition of Keybase, another milestone in Zoom’s 90-day plan to further strengthen the security of our video communications platform. Since its launch in 2014, Keybase’s team of exceptional engineers has built a secure messaging and file-sharing service leveraging their deep encryption and security expertise. We are excited to integrate Keybase’s team into the Zoom family to help us build end-to-end encryption that can reach current Zoom scalability.
This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses. Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform. Keybase’s experienced team will be a critical part of this mission.
Zoom Encryption Today
Today, audio and video content flowing between Zoom clients (e.g., Zoom Rooms, laptop computers, and smartphones running the Zoom app) is encrypted at each sending client device. It is not decrypted until it reaches the recipients’ devices. With the recent Zoom 5.0 release, Zoom clients now support encrypting content using industry-standard AES-GCM with 256-bit keys. However, the encryption keys for each meeting are generated by Zoom’s servers. Additionally, some features that are widely used by Zoom clients, such as support for attendees to call into a phone bridge or use in-room meeting systems offered by other companies, will always require Zoom to keep some encryption keys in the cloud. However, for hosts who seek to prioritize privacy over compatibility, we will create a new solution.
The Near Future
Zoom will offer an end-to-end encrypted meeting mode to all accounts. Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees. An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees. The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting. We are also investigating mechanisms that would allow enterprise users to provide additional levels of authentication.
These end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems. Zoom Rooms and Zoom Phone participants will be able to attend if explicitly allowed by the host. Encryption keys will be tightly controlled by the host, who will admit attendees. We believe this will provide equivalent or better security than existing consumer end-to-end encrypted messaging platforms, but with the video quality and scale that has made Zoom the choice of over 300 million daily meeting participants, including those at some of the world’s largest enterprises.
As we do this work to further protect our users’ privacy, we are also cognizant of our desire to prevent the use of Zoom’s products to cause harm. To that end, we will be taking the following steps:
- We will continue to work with users to enhance the reporting mechanisms available to meeting hosts to report unwanted and disruptive attendees.
- Zoom does not and will not proactively monitor meeting contents, but our trust and safety team will continue to use automated tools to look for evidence of abusive users based upon other available data.
- Zoom has not and will not build a mechanism to decrypt live meetings for lawful intercept purposes.
- We also do not have a means to insert our employees or others into meetings without being reflected in the participant list. We will not build any cryptographic backdoors to allow for the secret monitoring of meetings.
We are committed to remaining transparent and open as we build our end-to-end encryption offering. We plan to publish a detailed draft cryptographic design on Friday, May 22. We will then host discussion sections with civil society, cryptographic experts, and customers to share more details and solicit feedback. Once we have assessed this feedback for integration into a final design, we will announce our engineering milestones and goals for deploying to Zoom users.
We look forward to welcoming the Keybase team and are excited for the possibilities of what we can build together.
This communication contains express and implied “forward-looking statements” within the meaning of the Private Securities Litigation Reform Act of 1995 related to Zoom’s acquisition of Keybase that involves substantial risks, uncertainties and assumptions that could cause actual results to differ materially from those expressed or implied by such statements. Forward-looking statements in this communication include, among other things, statements about the potential benefits of the transaction, our development of our end-to-end encryption offering, our ability to integrate the Keybase team, and potential growth opportunities. In some cases, you can identify forward-looking statements by terms such as “anticipate,” “believe,” “estimate,” “expect,” “intend,” “may,” “might,” “plan,” “project,” “will,” “would,” “should,” “could,” “can,” “predict,” “potential,” “target,” “explore,” “continue,” or the negative of these terms, and similar expressions intended to identify forward-looking statements. However, not all forward-looking statements contain these identifying words. By their nature, these statements are subject to numerous uncertainties and risks, including factors beyond our control, that could cause actual results, performance or achievement to differ materially and adversely from those anticipated or implied in the statements. These assumptions, uncertainties and risks include that, among others, the possibility that the anticipated benefits of the transaction are not realized when expected or at all, division of management’s attention from ongoing business operations and opportunities, potential adverse reactions or changes to business or employee relationships, the ability to integrate Keybase successfully, and other factors that may affect future results of Zoom. Additional risks and uncertainties that could cause actual outcomes and results to differ materially from those contemplated by the forward-looking statements are included under the caption “Risk Factors” and elsewhere in our most recent filings with the Securities and Exchange Commission (the “SEC”), including our annual report on Form 10-K for the year ended January 31, 2020. Forward-looking statements speak only as of the date the statements are made and are based on information available to Zoom at the time those statements are made and/or management’s good faith belief as of that time with respect to future events. Zoom assumes no obligation to update forward-looking statements to reflect events or circumstances after the date they were made, except as required by law.
Editors note 6/19/20: We removed the word paid from the sentence in this blog “Zoom will offer an end-to-end encrypted meeting mode to all paid accounts.” Zoom has decided to offer E2EE to all of our users – free and paid. Please see our June 17, 2020 blog post for more information.