Zoom went from an obscure teleconferencing company to a household word (a verb) when the pandemic hit. Zoom wasn’t the best videoconferencing app by any means. It lacked many key features like true end-to-end encryption and had some serious data oversharing problems. But Zoom was dead simple to use and kinda fun to say. For better or worse, it became the de facto tool for many of us to keep in touch.
That was eight months ago. (Feels like eight years.) Over that time, Zoom has made many important improvements. This week it has finally rolled out what appears to be true end-to-end encryption (E2EE). So I thought it would be good to talk about what this means and how to set it up.
What Does End-To-End Encryption Mean?
Encryption is the process of scrambling something such that no one else can read, see or hear it (depending on what you’re encrypting). Decryption reverses this scrambling to get back the original file, video or audio. A single cryptographic algorithm (a fancy name for a mathematical process) is responsible for both encryption and decryption. The process itself isn’t a secret, which allows it to be vetted by lots of really smart people. The secrecy depends entirely on a key – basically, a glorified password. As long as this key is kept safe and secret, the scrambling is effectively irreversible.
But saying something is “encrypted” isn’t sufficient for true privacy. Let’s take Alice and Bob as an example. They’ve set up a Zoom call and Zoom says that it’s encrypted. Prior to this new E2EE feature, what “encrypted” really meant was that the video was scrambled between Alice and Zoom, and between Zoom and Bob, but not while it traversed Zoom’s servers. Zoom could view it. So end-to-end encryption means that the video stream is encrypted the entire way, even as it passes through Zoom’s servers.
Who Holds the Key?
But that’s still not good enough if you want full privacy, because if Zoom has access to the encryption key, then they can still use that key to decrypt your meeting (possibly much later, if the video is saved). Zoom now offers both options: “Enhanced encryption”, where Zoom controls and holds the key, and “End-to-end encryption”, where only Alice and Bob (or rather their smartphones or computers) hold the key.
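To make the distinction between the three modes concrete, here is an added toy model (not Zoom's code or protocol) of one message travelling Alice -> Zoom -> Bob. It assumes a simple SHA-256 keystream plus HMAC tag as the cipher so it runs on the standard library alone; the point is only who holds which key and what Zoom's relay can read as a result.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE, TAG = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode; a real deployment would use AES-GCM or ChaCha20-Poly1305.
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (toy construction, illustrative only)."""
    nonce = os.urandom(NONCE)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (the tag check fails)."""
    nonce, body, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))


def relay_call(mode: str, message: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Send one message Alice -> Zoom -> Bob; return (what Bob reads, what Zoom reads).

    "transport": a separate key per hop; Zoom decrypts and re-encrypts (pre-E2EE Zoom).
    "enhanced":  one key all the way from Alice to Bob, but Zoom holds a copy of it.
    "e2ee":      one key held only by Alice's and Bob's devices.
    """
    if mode == "transport":
        alice_zoom, zoom_bob = os.urandom(32), os.urandom(32)
        at_server = decrypt(alice_zoom, encrypt(alice_zoom, message))  # plaintext sits at Zoom
        return decrypt(zoom_bob, encrypt(zoom_bob, at_server)), at_server
    if mode not in ("enhanced", "e2ee"):
        raise ValueError(mode)
    endpoint_key = os.urandom(32)
    blob = encrypt(endpoint_key, message)  # the only thing Zoom ever relays
    zoom_key = endpoint_key if mode == "enhanced" else None
    return decrypt(endpoint_key, blob), (decrypt(zoom_key, blob) if zoom_key else None)


if __name__ == "__main__":
    for mode in ("transport", "enhanced", "e2ee"):
        print(mode, relay_call(mode, b"Alice to Bob: hello"))
```

In all three modes Bob reads the message; only in "e2ee" does the relay end up with nothing but ciphertext it cannot verify or open.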
In truth, you’re still trusting that Zoom isn’t somehow able to access the key (accidentally or maliciously). That’s why open source tools like Signal and Jitsi are still preferable, if you need to be really sure. But for most people, Zoom is fine.
Setting Up E2EE on Zoom
In order to enable E2EE on Zoom, you’ll need to first enable the feature on your account settings. (And if you don’t have an account, you’ll need to create one.) Look for “Allow use of end-to-end encryption” and enable it, like below.
You should then make sure you have the latest version of Zoom installed (this feature requires that you use the computer or smartphone app). If you have the latest version, you might want to restart it after changing the above setting to make sure that your client is in sync with your account settings.
There are two main ways to launch a Zoom call, and each has a slightly different way to enable E2EE.
- New Meeting. This is an “immediate meeting” which uses your “personal meeting room”. Under the “New Meeting” menu, under your personal meeting ID (PMI), go to PMI Settings.
- Scheduled Meeting. Click the “Schedule” button.
In both cases, you should now see something like the following. Select “End-to-end encryption” under Security.
Note that all participants must have E2EE enabled on their accounts for this to work (first step above). See this Zoom E2EE FAQ for details.
When this is done correctly, you’ll see the following at the upper left of your meeting window (click the green shield icon). Under “Encryption” you should see “End-to-end”.