Zoom is working on a plan to give its largest customers control over the keys used to encrypt and decrypt their video communications. The company expects to release more details on the effort in the coming weeks, although it's unclear how soon the feature could launch.
The move is part of a broader effort by Zoom to make its video conferencing platform more secure. The vendor faces numerous class-action lawsuits over recently revealed deficiencies in its security and privacy practices. The suits include allegations that Zoom overstated how well it encrypts data.
Only businesses that pay for Zoom's top subscription tier would have access to encryption key management. Companies with thousands of employees typically use the so-called enterprise tier. Oded Gal, Zoom's chief product officer, discussed the blueprint for key management in an interview Wednesday.
By controlling encryption keys, customers wouldn't have to worry about Zoom giving law enforcement agencies access to their data. The setup would also prevent the vendor's employees from snooping on communications. However, Zoom has said it has no technical means to do so. Zoom's largest rival, Cisco Webex, already offers customers control of encryption keys.
The key management feature would effectively make Zoom "end-to-end encrypted" in some scenarios. Zoom previously claimed to rely on that method of encryption for video meetings. But security experts challenged the claim, forcing the company to apologize earlier this month for causing confusion.
Zoom acknowledged it was not using the commonly understood definition of end-to-end encryption, which requires that only users have access to encryption keys. Customers and investors are now suing Zoom for making those claims in marketing materials and regulatory filings.
Zoom is taking several other steps to improve security. It will soon implement a new encryption mode called GCM. The method is considered more secure than the one Zoom is using today, ECB. The change will begin rolling out this month and take effect for all users by May 30.
Zoom also recently made changes to ensure that it uses only AES 256-bit encryption keys. Previously, the service sometimes relied on less sophisticated 128-bit keys, a weakness highlighted in a report by researchers at the University of Toronto's Citizen Lab.
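To make the difference between the two modes concrete, the following Go program is an added example (not code from Zoom or from the original article) that encrypts the same data with AES-256 in ECB and in GCM and compares what an observer of the ciphertext can see. The function names, the all-zero key and the all-zero plaintext are constructed for illustration and do not model Zoom's actual protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt encrypts each 16-byte block independently under one key (ECB mode).
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt)) // len(pt) is assumed to be a multiple of 16
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// repeatedBlocks counts 16-byte blocks that duplicate an earlier block.
func repeatedBlocks(data []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		seen[string(data[i:i+aes.BlockSize])] = true
	}
	return len(data)/aes.BlockSize - len(seen)
}

// compare reports repeats visible under ECB and GCM, and whether GCM rejects a flipped bit.
func compare(key, pt []byte) (ecbDup, gcmDup int, tamperCaught bool, err error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return
	}
	nonce := make([]byte, aead.NonceSize()) // must never repeat under the same key
	if _, err = rand.Read(nonce); err != nil {
		return
	}
	sealed := aead.Seal(nil, nonce, pt, nil) // ciphertext followed by a 16-byte tag
	ecbDup, gcmDup = repeatedBlocks(ecbEncrypt(block, pt)), repeatedBlocks(sealed)
	sealed[0] ^= 1 // simulate one bit changed in transit
	_, openErr := aead.Open(nil, nonce, sealed, nil)
	return ecbDup, gcmDup, openErr != nil, nil
}

// main runs the comparison on constructed input: an all-zero key and plaintext.
func main() { fmt.Println(compare(make([]byte, 32), make([]byte, 128))) }
```

With eight identical plaintext blocks, ECB produces seven repeated ciphertext blocks, so the structure of the data shows through, while GCM produces none and refuses to decrypt the altered message.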
Also, Zoom will let paid customers place geographic restrictions on the servers to which their video traffic gets routed. Businesses can opt out of specific data center locations. However, that may cause users to lag when joining meetings from those regions.
What's more, Zoom won't route any traffic to China unless paid customers opt in to using data centers there by April 25. The company wants to allay concerns raised after it admitted that it mistakenly routed some calls through China even when participants weren't based there.
On April 1, Zoom announced it would devote all engineering resources to boosting security and privacy over the next 90 days. The move came as numerous school districts, businesses and governments banned the use of Zoom because of security lapses.
Most recently, Bank of America, German carmaker Daimler, and technology firms NXP Semiconductors and Ericsson prohibited or restricted the use of Zoom, Bloomberg reported this week.
Nevertheless, Zoom is still adding users at a record pace. The vendor's daily tally of meeting participants rose to 300 million in April from 200 million in March. That's up from 10 million in December.