SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Zoom buys encryption startup in its first-ever acquisition
Fri, 8th May 2020
FYI, this story is more than a year old

Zoom has today announced its first-ever acquisition - absorbing Keybase, an end-to-end encryption and secure messaging platform.

The video conferencing company's inaugural acquisition indicates its intention to correct its record on privacy and security, which has drawn sharp criticism in the months where its service has seen unprecedented growth during the COVID-19 pandemic.

Terms of the deal were not disclosed.

In a blog post written by Zoom CEO Eric Yuan, the company says it intends to leverage Keybase's deep encryption and security expertise to help Zoom build its own end-to-end encryption.

“This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom's wide variety of uses,” says Yuan.

“Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behaviour on our platform.

“Keybase's experienced team will be a critical part of this mission.

The acquisition represents the latest move by Zoom in its 90-day plan it announced at the beginning of April to improve its security flaws.

In late April, the company announced Zoom 5.0, which provided ‘robust' enhancements to its security and privacy protocols, including industry-standard AES-GCM encryption with 256-bit keys.

Zoom says the acquisition announced today will take privacy further – in the ‘near future', Zoom will offer an end-to-end encrypted meeting mode to all paid accounts.

“Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom's network and can be used to establish trust relationships between meeting attendees,” says Yuan.

“An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees,” he says.

“The cryptographic secrets will be under the control of the host, and the host's client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting.

However, end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems.

Zoom says it will not monitor meeting contents, but its safety team will continue to look for evidence of abusive users.

It also pledges not to build a mechanism to decrypt live meetings for lawful intercept purposes.

Yuan says Zoom does not have a means to insert its employees or others into meetings without being reflected in the participant list, and will not build any cryptographic backdoors to allow for the secret monitoring of meetings.