Update: This post has been updated to clarify that Zoom still offers AES 256-bit GCM encryption to all users.
Considering all of the problems Zoom has faced, and all the work the company has had to do to overcome its security concerns, I have to admit this one comes as a surprise. Zoom announced last week that the end-to-end encryption (E2EE) the company is building into the most recent versions of its videoconferencing software will be available only to paying users. That means if you're using a free account to join Zoom meetings, you'll have to do it without that encryption.
If you remember, Zoom added AES 256-bit GCM encryption in May after massive criticism over its security and privacy practices. That criticism included the facts that the company, in some cases, shared information with third parties and didn't encrypt the data transmitted in video meetings, and that the ease with which users could log on and join meetings made them susceptible to attackers.
We even learned a new phrase: Zoombombing, where hackers join a meeting, take over the screen, and share inappropriate material. So, Zoom set out to step up its security, making settings easier to change and control even during a meeting.
Apparently, there are reasons for not making E2EE available on the free plans, mostly related to criminal activity. I won't get into that too deeply here, except to say that there is enough of a problem that Zoom feels the need to respond.
Since that criminal activity, according to Zoom, is usually limited to free accounts, it intends to limit the encryption feature to paid accounts. That would allow the company to turn over information about free accounts when requested by law enforcement.
Setting aside for a moment the part about people using Zoom to do bad things, and the part about Zoom basically saying, "If you don't pay for our service, you might be a criminal, so we aren't going to give you the same level of security," there's actually a bigger issue worth reviewing. To be clear, I'm not suggesting that companies don't face an extraordinary challenge in balancing the needs of their customers with the ability to prevent their services from being used for illegal purposes.
It's not at all uncommon for companies to release a limited version of a particular software product for free, and then charge users who want access to more advanced features. That model has been around for a while and is used successfully by everything from online publications to SaaS products. The question, at least in my mind, is whether privacy and security should be considered upgraded features.
This matters to every business for two reasons.
The first is obvious. If you're one of the millions of people who are using Zoom for connecting with your team, teaching piano lessons or exercise classes, or meeting with your board, how the company handles security is a pretty big deal. If you aren't using a paid Zoom account, your information (and your company's) will be at greater risk. It's that simple.
The other reason is that there's a good chance that you have to make the same decisions in your business. Every product requires making choices about how to address your customers' needs, what features to include, and which to charge for. How you make those decisions says a lot about what you believe about your customers' experience.
That isn't to say that those aren't sometimes difficult choices, but there are some basic expectations that customers have when they use your product or service. I think privacy is one of those expectations. Zoom should too.