
Zoom plans to roll out strong encryption for paying customers - infodocket
https://www.reuters.com/article/us-zoom-encryption-exclusive/exclusive-zoom-plans-to-roll-out-strong-encryption-for-paying-customers-only-idUSKBN23600L
======
code4tee
This may not be nice or demonstrating customer obsession but it is probably a
good way for them to make money with business customers.

For better or worse Zoom has obtained “iPhone status” in corporate IT.

What killed the Blackberry was when decision makers had a personal iPhone and
a work Blackberry and they finally turn up in the head of IT’s office and say
“hey these things you’re making us use really suck, please just make it so we
can use these iPhones which are soooo much better.”

I see exactly the same thing happening now with Zoom. I see IT types saying
“but encryption” yadda yadda yadda and decision makers turning up saying:

“This conferencing software you’re forcing us to use really stinks. I had a
meeting with our soccer parents group on Zoom and it was so much better.
Please switch us to this.”

A product that reaches that status stands to really disrupt the enterprise if
they’re smart and take advantage of it.

~~~
ta17711771
Who uses Jitsi and Zoom and still wants Zoom? Fuck's sake, our industry is in
trouble.

~~~
jedieaston
Jitsi doesn't perform as well as Zoom for a ton of people, and most people
outside of tech circles haven't heard of it. It's a miracle people are using
Zoom instead of webex or Teams/Lync, honestly, since those have both been
around forever.

~~~
ta17711771
Perform in what way?

WebEx over Jitsi?! I must be missing something huge, here.

------
chii
Not a bad way to entice business customers to pay.

I'd rather Zoom become a product that earns money by providing value to
customers, rather than having the "customer" as the product like Google's
offerings.

~~~
deltron3030
Why does one exclude the other? Given their history they might demand money
and sell your data.

~~~
darkerside
What history?

~~~
deltron3030
Their recent history, where security and privacy were an afterthought.

~~~
darkerside
I would argue that cutting corners when it comes to data protection in favor
of feature development is a very different tradeoff than intentionally
building a monetization strategy around selling said data.

------
surround
> Gennie Gebhart, a researcher with the Electronic Frontier Foundation who was
> on Thursday’s call, said she hoped Zoom would change course and offer
> protected video more widely.

> But Jon Callas, a technology fellow of the American Civil Liberties Union,
> said the strategy seemed a reasonable compromise.

> Safety experts and law enforcement have warned that sexual predators and
> other criminals are increasingly using encrypted communications to avoid
> detection.

> “Those of us who are doing secure communication believe we need to do things
> about the real horrible stuff,” said Callas, who previously sold paid
> encryption services

Why do people still believe that preventing civilians from using encryption is
going to stop criminals? Is there a name for this fallacy?

What does Zoom’s premium subscription offer? Jitsi supports unlimited
participants and runtime for free, and soon E2E encryption.

~~~
lonelappde
This is horrific. The surveillance state has infiltrated ACLU. How is such a
brazenly anti-liberty person tolerated at the ACLU?

Even if you take his perspective, why is child porn OK in the enterprise?!
Especially after Jeffrey Epstein?!

~~~
colejohnson66
The ACLU is not a singular entity with the same thought; it’s a collection of
people, and people have different opinions on things.

I’m reminded of when the ACLU defended a white supremacist and many were
upset, even to the point of leaving the ACLU.

------
3guk
Doesn't seem like a particularly bad idea to me - I'd much rather they were
making money from paying corporate customers, rather than making money selling
users' data....

I highly suspect the vast majority of home users, who are using Zoom to host
weekly quiz nights with friends, particularly care about strong encryption....

~~~
__s
Tim Cook had it right with "Security isn't a feature"

I'll liken it to healthcare despite the US not figuring this out yet.
Healthcare for all helps everyone, which consequently is a value creating
proposition. The fallout from a lack of healthcare negatively impacts the rich
in the long term.

When security is widespread, everyone benefits. A culture which makes security
default off is one that throws everyone under the bus for nickels & dimes. You
don't vaccinate only 10% of the population.

~~~
qzw
While I agree with your overall point, it’s worth pointing out that Apple
doesn’t really do a lot of freemium stuff, so Cook’s comment should be taken
in the context of having nearly all customers who have already paid up.

~~~
lonelappde
Free users should get time-budgets or group size limits or video resolution
limits, not be spied on.

~~~
dijksterhuis
This is exactly what free users get when using zoom.

Up to 3 people in a meeting is unlimited. Over 3 is limited to 40ish minutes.

The Facebook pixel SDK etc etc stuff you're probably thinking of got removed
from recently updated clients. Check out their privacy policy to have a look
at the actual data they retain from actual meetings. It's fairly limited and
only to do with account management / meeting management from what I recall.

------
karmakaze
The title should say 'full/end-to-end' rather than 'strong'.

It's not about how hard it is to break but rather where it's encrypted/not.

------
velcro
Not unlike what Slack is doing with data residency controls - only available
for Plus and Enterprise plans.

~~~
james_pm
Slack is worse. If you don't pay, not only do they not give you access to >10k
messages, but they still store those messages and don't allow you to do things
like delete them.

~~~
Hamuko
> _and don't allow you to do things like delete them._

How does that work with GDPR?

~~~
Turbots
It doesn't. Big companies who want to be GDPR compliant buy enterprise Slack
and force Slack to store the data in European datacenters. Slack doesn't give
a shit about GDPR if you're not paying.

~~~
nicoburns
Doesn't that make Slack themselves non-compliant?

~~~
smueller1234
It probably does. But it requires someone to pick the battle (a customer or an
enforcement agency on their own) to get it enforced.

------
okkaa
Another thing you need to know. Zoom will charge you automatically next year,
you have to cancel the subscription by yourself. What is disgusting is that
the menu is hidden in the Zoom web portal! I think 99.99% of the customers
don't know it will renew (charge again) automatically and don't know how to
cancel it.

~~~
detaro
Which service that gives "$X per year"/"$Y per month" pricing _doesn't_
automatically renew? And at least for me, it clearly shows "$X billed today,
recurring yearly/monthly payment $X" when going to order a subscription?

~~~
okkaa
Zoom has no option to turn off Automatic Renewal

~~~
detaro
You can cancel and your subscription will keep running until the end date when
it otherwise would renew. Exactly the same as Spotify, Netflix, and the
majority of other subscription services that "99,99%" of customers likely are
familiar with.

~~~
okkaa
Can you find the cancel subscription from the Zoom webportal? It is hidden!

~~~
dijksterhuis
Web portal > account/profile > account settings > billing

Then there's an orange "add/edit subscription" link and a "cancel
subscription" link.

The process is well documented in an article on their help centre.

A simple DuckDuckGo search brings up the help centre article as one of the
first results.

------
OJFord
404 currently so I haven't read it, but that acqui-hired Keybase team is
surely leaving... Its motto was literally _[double-checks]_ 'crypto for
everyone'.

It may not be related, but the homepage now instead has phrases like 'for
things that matter', and the slogan at the bottom is 'because safety first'. I
can't be certain, but I think it said 'for everyone' on the site too, not just
app-stores pre-Zoom.

It's a real shame, but I did start my de-Keybasing yesterday. Making it
profitable without losing the acqui-hired team would obviously be best for
users, but I think most likely is axing it, followed by butchering it into a
niche security nerd product without the interest or direction of the original
team.

------
midnitewarrior
Bad move.

Zoom will still get hacked if the minimum security isn't enough, then they
will have to blame their potential customers for their own problems while
their brand is smeared.

------
thejynxed
Zoom is for people who don't mind kids organizing raids to plaster their
meetings with hardcore gay porn and images of tubgirl.

------
polote
Why did you have to add the 'only' word to the title, the original title
doesn't contain it? That transforms your title from informative to an opinion

~~~
cwhiz
It’s a statement of fact and included in the article itself.

~~~
darkerside
Facts are facts. Choosing which facts are relevant is an opinion.
Editorializing doesn't mean creating fiction.

Edit: It's so odd what gets downvoted sometimes. Anyone care to enlighten me
on what could be controversial about my statement?

~~~
dang
Please don't complain about downvotes. It breaks the site guidelines:
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html),
not least because users frequently give corrective upvotes
([https://hn.algolia.com/?query=corrective%20upvote&dateRange=...](https://hn.algolia.com/?query=corrective%20upvote&dateRange=all&page=0&prefix=true&sort=byDate&type=comment)),
which leaves the complaint as uncollected garbage in the thread.

------
rshnotsecure
Zoom I've always thought must have pretty strong security if configured
correctly (obviously that's a big if). It is currently in use by the Chinese
Academy of Sciences (CAS). CAS is sort of like a mix of NSF, NIH, and DARPA
all rolled into one. About 20% of their research supports the People's
Liberation Army (PLA) for things like encryption research, so I assume they
know what they're doing.

This is technically a white label I guess you would say, but if you download
the code, a majority of the files begin with the prefix Zoom and what not:
[https://cc.cstcloud.cn](https://cc.cstcloud.cn)

~~~
tialaramex
Why have you thought that? The actual security of the system has been
dissected already.

They took RTP and just encrypted the data with ECB mode, using the same keys
on every node. It's what a child would do, or somebody who either didn't know
or didn't care to do better.

Well over a decade ago the _standard_ way to do that (named SRTP following the
usual convention) uses a counter mode instead of ECB, with separate keys on
each node. That's still pretty poor, but it's like SRTP is a Yale lock and
what Zoom chose to do is use one of those "handcuff key" locks that's just a
single lever. Can a specialist open that Yale lock? Yeah, probably in a minute
or two, with the right tools - but any idiot can open the handcuff key lock
with a bent twig, it's not security it's the barest effort to not just emit
plaintext.
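
The contrast drawn in the comment above (ECB with one key shared by every node, versus a counter mode with a separate key per sender) can be seen on a constructed payload. This is an added example, not part of the thread and not Zoom's or SRTP's code: the block cipher is a toy Feistel stand-in for AES, the counter layout is a simplified assumption, and all keys and payload bytes are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # bytes, the AES block size

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation built on HMAC-SHA256. Stand-in for AES only."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently under the same key."""
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def ctr_encrypt(key: bytes, ssrc: int, packet_index: int, data: bytes) -> bytes:
    """Counter mode: XOR with a keystream unique per sender, packet and block.
    The counter layout is a simplified assumption, not the exact SRTP one."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (ssrc.to_bytes(4, "big") + packet_index.to_bytes(8, "big")
                   + (i // BLOCK).to_bytes(4, "big"))
        keystream = toy_block_encrypt(key, counter)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], keystream))
    return bytes(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

# Constructed sample: a media payload with three identical "silence" blocks.
PAYLOAD = b"SILENCE-FRAME-00" * 3 + b"VOICE-FRAME-0001"
SHARED_KEY = hashlib.sha256(b"constructed shared key").digest()
KEY_A = hashlib.sha256(b"constructed key, sender A").digest()
KEY_B = hashlib.sha256(b"constructed key, sender B").digest()

if __name__ == "__main__":
    ecb = ecb_encrypt(SHARED_KEY, PAYLOAD)
    ctr_a = ctr_encrypt(KEY_A, ssrc=1, packet_index=0, data=PAYLOAD)
    ctr_b = ctr_encrypt(KEY_B, ssrc=2, packet_index=0, data=PAYLOAD)
    print("ECB repeated blocks:", repeated_blocks(ecb))
    print("CTR repeated blocks:", repeated_blocks(ctr_a))
    print("CTR senders differ: ", ctr_a != ctr_b)
```

Under ECB the three identical plaintext blocks produce three identical ciphertext blocks, so the structure of the stream is visible without the key; under counter mode no block repeats, and the same payload from two senders encrypts differently.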

