Skip to main content
banner image
venafi logo

Zoom Delivers End-to-End Encryption for All [Encryption Digest 43]

Zoom Delivers End-to-End Encryption for All [Encryption Digest 43]

zoom delivers end to end encryption
June 25, 2020 | Katrina Dobieski

 

In this article:

  • Zoom implements across the board encryption for all users
  • Bruce Schneier and others write a letter to Puerto Rico – “Please, no electronic voting”
  • What can California companies do to prepare for CCPA?
     

Zoom looks to implement an end-to-end encryption strategy for all users, not just those with paid subscriptions. Before, those who choose not to pay could remain on the unencrypted version. But the people have spoken, and they demand privacy for all. In other news, maybe a paid model (if there were one) would be best if it could provide a truly safe online voting experience for Puerto Rico. Currently, security expert Bruce Schneier and a host of others have signed their names to a letter explaining the intricacies of electronic voting and how such an idea might outstrip the security of its time. In short? We’re not ready. Find out what else we’re preparing for and how, as California companies find compliance with CCPA and what the best options are for covering your assets. Within the new paradigm of a work from home culture, encrypting everything has never been more vital. The challenge in the coming months will be to figure out just how we do so.

 

 

Zoom Delivers End-to-End Encryption for All

Encryption is valuable enough that many of us are willing to pay for it. I pay a nominal fee for an encrypted email host. Another small fee goes to using an encrypted cloud storage provider. In the future, I may continue to pay for further encrypted assets to protect my digital identity, which increasingly reflects my actual identity. It’s a trend, and for a private person, privacy is a premium.
 

Zoom also recently attempted to put a price on that privacy, offering end-to-end encryption only to paid subscribers.  
 

I get it. The resources and additional assets involved in fully encrypting any platform are not insignificant, and so for practical reasons, a fair price for a fair trade may be expected. However, with privacy being a key selling point, many other companies had been previously willing to add E2EE just to up their market value. Look at Facebook’s broad sweeping announcement last year to fully encrypt all platforms in their whole. Even though that plan has been put on pause, the larger point still stands that encryption is a valuable enough resource to be commoditized.
 

Zoom sparked a wide backlash when the company announced that it would leave its free option unencrypted according to the logic that doing so will allow law enforcement to easily access Zoom criminals online.
 

“Free users for sure we don’t want to give [end-to-end encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” reported Zoom CEO Eric Yuan.
 

While a laudable aim, practically speaking it remains to be seen how many baddies were left on “free Zoom” after this announcement. Seeing as the government already has crypto experts and crack teams devoted to this sort of thing, the answer is no, not likely. If they want to catch a criminal, they can. But that didn’t mean that all free Zoomers should have their data exposed to whoever else might be out there.
 

Encryption is not touchy-feely, idealistic or full of altruism, but it is practical. And, compared with the ugly alternative, extending encryption to all users may have been a privacy pill well worth swallowing for Zoom.  
 

Related Posts:

 

 

Bruce Schneier to Puerto Rico Online Voting: Please Don’t 

What makes voting work? The fact that the ballot is A) Anonymous—no repercussions for how you decide, B) Secure—what you mark down stays that way, and C) Submitted—your ballot actually gets in. According to Bruce Schneier, the ACLU and everyone else who wrote this letter, online voting could undermine all of that. And Puerto Rico is well on its way.
 

Notes Schneier on his blog, “under current technology, no practically proven method exists to securely, verifiably, or privately return voted materials over the internet.”
 

He goes on to explain, “That means that votes could be manipulated or deleted on the voter's computer without the voter's knowledge, local elections officials cannot verify that the voter's ballot reflects the voter's intent, and the voter's selections could be traceable back to the individual voter.”
 

In addition to being just bad practice, the whole thing could also be illegal. Without those protections (our “A” “B” and “C”), the right to a secret ballot—a provision accounted for in Puerto Rico’s Constitution—could be violated.
 

Apparently, the US Federal government barked up the same tree, only to be repelled by NIST’s findings at the top. According to NIST,
 

“The study concluded that Internet voting systems cannot currently be audited with a comparable level of confidence in the audit results as those for polling place systems.  Malware on voters’ personal computers poses a serious threat that could compromise the secrecy or integrity of voters’ ballots. And, the United States currently lacks a public infrastructure for secure electronic voter authentication. Therefore, NIST’s research results indicate that additional research and development is needed to overcome these challenges before secure Internet voting will be feasible.”
 

The letter argued that “no such system is commercially available” and that developing such a system on their own would be “prohibitively expensive”.
 

The letter is an open call to the government of Puerto Rico to stand down where electronic voting is concerned. The risks are too high, the gains too little, the possibility of guaranteeing the right to a secure ballot nonexistent with current technology. And, although no election method has ever been faultless, the argument seems to be—you could do a lot better than this.
 

We’ll see if the Puerto Rican government agrees.
 

Related Posts:

 

 

California companies might need encryption overhaul to comply with CCPA

California has a lot. A lot of palm trees, a lot of Boba shops, a lot of drivers, a lot of data breaches. And now, a lot of legislation that aims to take breaches off the list. However, to adhere to the California Consumer Privacy Act (CCPA) without using encryption would be like serving Boba without the tapioca. Impossible.

Your business could go under with a CCPA infraction

In Europe, GDPR can only fine for 4% of global turnover, securing your organization in the event of a data disaster. However, the CCPA has no such limit caps, making your business potentially liable for the full amount of damages, regardless of ability to pay.
 

By encrypting the consumer data under your control, you protect yourself against the private right of action under CCPA. Encrypting ensures you’ve done your due diligence and liability will be mitigated accordingly.
 

California is also privacy-forward in that it has a data breach notification law, known as Data Security Breach Reporting. By encrypting your data, you also limit how much you’re required to report when a breach occurs, as again, diligence on the front-end limits responsibility down the pipe.

Encryption is the lock on the register

Aside from legal sidestepping, fully securing your consumers’ confidential information through end-to-end encryption not only protects your reputational and financial assets, but ensures attackers have less vectors from which to penetrate your network. You don’t want a data breach hitting the news and blindsiding your organization when a few drops of prevention would do. You don’t want to be crushed by compliance lawsuits when finding easily accessible E2EE assets were available within the year’s IT budget.
 

Nobody wants to spend all their resources selling the inventory only to leave the lock off the register. More than “a way,” encryption is “the way” California companies are expected to secure consumer data and adhere to consumer privacy laws. Hopefully, one day soon California will be able to add more “a lot” to the list: encrypted consumer assets.
 

Related Posts:

 

Like this blog? We think you will love this.
microsoft-office-macro-ban-backtrack
Featured Blog

Microsoft Backs Off Internet Office Macro Ban [Update]

Microsoft disabled macro years ago by default

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Katrina Dobieski
Katrina Dobieski

Katrina writes for Venafi's blog and helps optimize Venafi's online presence to advance awareness of Machine Identity Protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more