If you don’t know, Zoom acquired Keybase and it says it plans to do many things with Zoom (not much is discussed right now with Keybase). I’ll let you read the CNBC, Zoom blog, and Keybase blog if you want exact details, but I’m going to try and summarize what may be happening and what my thoughts (both good and bad) are on this.
“We are excited to integrate Keybase’s team into the Zoom family to help us build end-to-end encryption that can reach current Zoom scalability.” Basically we are glad to finally be able to do some encryption by using a small company (according to LinkedIn about 16 people work for Keybase) that most privacy enthusiasts know and use, and we hope to work them to the bone to get this done at some point. Most regular users don’t care about this and for some it won’t be easy and some will still have concerns about Zoom. Of course you can say this will happen but until it is actually done nobody can be sure.
“When Keybase is implemented, the Zoom user who schedules a meeting will be able to choose end-to-end encryption. That setting will prevent anyone from calling in by phone, which is one way people can access meetings, and will disable cloud-based recording of the chat.” Again this is great for anyone who is privacy conscious and wants to be sure nobody else can know about their calls, but then again this isn’t 100% bulletproof and may in fact hinder some users because some hosts will turn on encryption and then someone who calls in by phone won’t be able to join.
“Zoom will offer an end-to-end encrypted meeting mode to all paid accounts”. Knew there would be a catch, basically if you’re on a free account we don’t care about you or your privacy. They don’t say at this time if free users will get end-to-end encrypted meeting mode but it is unlikely.
“As we do this work to further protect our users’ privacy, we are also cognizant of our desire to prevent the use of Zoom’s products to cause harm. To that end, we will be taking the following steps:
Zoom does not and will not proactively monitor meeting contents, but our trust and safety team will continue to use automated tools to look for evidence of abusive users based upon other available data.
Zoom has not and will not build a mechanism to decrypt live meetings for lawful intercept purposes.
We also do not have a means to insert our employees or others into meetings without being reflected in the participant list. We will not build any cryptographic backdoors to allow for the secret monitoring of meetings.”
This is interesting to read, because you can say this all you want but if the NSA or another American government entity comes to Zoom’s front door and wants to do any of those things, they have to comply (since Zoom is an American company), but some companies like Apple have said the government can’t force them to. If they don’t comply then they could be forced to or they could shut down (either the US government could force them down, or they could voluntarily shut down like Lavabit did).
In doing the research for this post I also found out that Keybase never had a plan to make money (according to an interview the CEO gave in October 2019) so getting acquired was the only way to actually make money. Keybase also raised around $10.8 million (according to Crunchbase) so it had to make money in some way and getting acquired is the easiest way for them. They could have also been basically forced by their investors to get acquired so the investors make their money back.
I do hope Zoom is getting better security in the long term, but I hope it doesn’t stop developing Keybase and I hope it cares about those users who call in or use other features that may make it less secure.
Horst Gutmann’s thoughts on this topic
I’m publishing this as part of 100 Days To Offload. I won’t be posting every day but you can join in yourself by learning more and visiting https://100daystooffload.com/.