Zoom to add end-to-end encryption with Keybase acquisition
Zoom has acquired secure messaging and identity management firm Keybase as its looks to shore up security capabilities on its platform with end-to-end encryption.
The acquisition will give Zoom access to Keybase’s encryption technology, used to secure online identities, as well as its team of engineers. Launched in 2014, Keybase lets users encrypt social media messages and shared files with public key encryption to ensure that communications stay private.
Keybase’s cofounder Max Krohn will now head up Zoom’s security team, Zoom said. Krohn’s new role was first detailed by CNBC.
The purchase marks a key step for Zoom as it aims to create a “truly private” video communications platform “that can scale to hundreds of millions of participants,” Zoom CEO Eric Yuan said in a blog post.
“Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform,” Yuan wrote. “Keybase’s experienced team will be a critical part of this mission.”
Zoom has come under fire in recent months, as use surged in the wake of the Covid-19 crisis, highlighting a number of security and privacy weaknesses. It has also faced criticism for overstating its end-to-end encryption features, and subsequently apologised for “confusion” around its definition of the technology.
Not surprisingly, rivals such as Microsoft, Google and Cisco have attempted to capitalize on Zoom’s travails by highlighting the security of their own video platforms.
In recent weeks, the company unfurled a 90-day strategy to address security concerns, with measures including the hiring of Alex Stamos, the former Facebook CSO, as a security consultant to CEO Eric Yuan. Zoom also instituted a development freeze on non-security product features.
Now, the plan is to incorporate Keybase’s technology to provide full end-to-end encryption for its platform.
Currently, audio and video data sent over Zoom is encrypted as it is sent out before being decrypted on the receiving end. Though Zoom upgraded to 256-bit encryption with the launch of Zoom 5.0 last month, these keys are still generated at Zoom’s servers.
Going forward, Zoom plans to make full end-to-end encryption available as an option to all paid customers. In this case, encryption keys will be generated by the meeting host, meaning that even Zoom will not be able to view data sent over its network. However, it will to continue to generate keys on its own servers where necessary – for example for users that want to call into a third-party room meeting system or use features such as cloud recording.
“Incorporating Keybase’s encryption mechanism will allow Zoom to offer something that hasn’t been done before, presuming the technologies can be properly integrated,” said Gartner senior director analyst Steve Riley. “The result, multiparty end-to-end encryption controlled by the meeting host, will shield participants from eavesdropping by anyone, including Zoom.”
Along with improved default security settings designed to reduce the chance of customer misconfiguration, the integration of Keybase’s technology “might very well set a new standard for private conversations,” said Riley.
Zoom now aims to publish a draft of its planned cryptographic design on 22 May, before hosting discussions with industry experts and customers. This is a “necessary step toward improved transparency,” said Riley. “Zoom should go further, though, and work toward obtaining independent third-party attestations increasingly common for cloud-provided applications,” he said.
Overall, Zoom should get credit for how it has addressed its security issues, said Riley; the acquisition of Keybase is yet another example of how it is taking customer concerns seriously.
“As Zoom strives to gain traction in the enterprise market for video conferencing and collaboration platforms, a strong security posture is critical,” he said. “In a short amount of time, Zoom has been the subject of more scrutiny than most other conferencing tools.
“It’s impressive that Zoom didn’t try to deflect attention away from their problems but instead admitted that they need to do better and quickly remediated many of them,” Riley said.
IDG News Service