In a move that will help the company address growing security concerns about its collaboration platform, Zoom Video Communications has announced that it is acquiring Keybase, a secure messaging platform and start-up.
The acquisition will accelerate Zoom’s plan to build end-to-end encryption that can match Zoom’s current scalability.
Founded in 2014, Keybase offers end-to-end encrypted chat, file-sharing, and code-hosting built on a cryptographic platform that works across multiple devices and large, dynamic teams.
Announcing the deal in a blog post, Zoom founder and CEO Eric Yuan said, “We are proud to announce the acquisition of Keybase, another milestone in Zoom’s 90-day plan to further strengthen the security of our video communications platform.”
Yuan further said that the acquisition will help Zoom create a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses.
“Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform,” he stated, adding that Keybase brings in deep encryption and security expertise to Zoom.
Riding the work-from-home wave during the current COVID-19 crisis, Zoom found itself on top in the video-conferencing and collaboration platform space, with usage growing from an average of 10 million users per day in December 2019 to 300 million by April 2020.
However, the company also faced a lot of flak as the sudden increase in volume also exposed its security vulnerabilities, including Zoombombing, with Germany, Singapore, and Taiwan banning its use, and India’s Ministry of Home Affairs issuing a warning that the videoconferencing app was not safe for use.
The security concerns had forced CEO Yuan to put in place a 90-day plan, on 1 April 2020, to address the platform’s security problems. As part of the plan, the company recently released Zoom 5.0, which includes AES 256-bit GCM encryption and new functionality that allows users to report intruders and rogue users.
Sharing details of the existing encryption in his blog, Yuan said that while content flowing between Zoom clients is encrypted at each sending client device, some features, such as those that let attendees call into a phone bridge or use in-room meeting systems offered by other companies, require the company to keep some encryption keys in the cloud.
This, industry experts point out, is a clear admission that Zoom did not have end-to-end encryption of video chat like that of WhatsApp, Apple’s FaceTime and Signal.
Commenting on the acquisition, Zoom India head Sameer Rajee said that Keybase, with over two dozen world-class security and encryption engineers, will hit the ground running, continuing the development and implementation of features and standards that will make Zoom the industry leader in security and privacy.
“Our goal is to build out Zoom’s security and encryption capabilities with the help of Keybase’s world-class engineers. While we will also own the Keybase product, we expect that it will remain separate from Zoom’s offerings,” Rajee said.
What’s in store?
Sharing details of its future security options, Yuan said that for hosts who seek to prioritize privacy over compatibility, the company will create a new solution. He also stated that Zoom will offer an end-to-end encrypted meeting mode to all paid accounts.
And this is where Zoom sees Keybase engineers playing a major role.
According to Yuan, going forward, logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees.
“An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric key pairs, and rotated when there are significant changes to the list of attendees,” he said.
The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys and thereby join the meeting.
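The key flow described above, sketched as an added example that is not Zoom's or Keybase's code or design: the host generates a per-meeting key, envelopes it to each admitted attendee's public key, and rotates it when an attendee is removed. X25519, HKDF-SHA-256, the `Host` class and all function names are assumptions chosen for illustration, and the envelopes here are not signed by the host.

```javascript
// Added illustration; algorithms and names are assumptions, not Zoom's design.
const crypto = require('node:crypto');

// Public cryptographic identity for a logged-in user (X25519 assumed).
const newIdentity = () => crypto.generateKeyPairSync('x25519');

// Derive a 32-byte AES key from an X25519 shared secret via HKDF-SHA-256.
function wrappingKey(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'meeting-key-wrap', 32));
}

// Host side: envelope the meeting key to one attendee's public key.
function envelope(meetingKey, attendeePublicKey) {
  const eph = crypto.generateKeyPairSync('x25519'); // fresh per envelope
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', wrappingKey(eph.privateKey, attendeePublicKey), iv);
  const ct = Buffer.concat([c.update(meetingKey), c.final()]);
  return { ephPub: eph.publicKey, iv, ct, tag: c.getAuthTag() };
}

// Attendee side: recover the meeting key; throws if the GCM tag does not verify.
function openEnvelope(env, attendeePrivateKey) {
  const d = crypto.createDecipheriv('aes-256-gcm', wrappingKey(attendeePrivateKey, env.ephPub), env.iv);
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.ct), d.final()]);
}

// The host's client holds the secrets and decides who receives each key.
class Host {
  constructor() { this.roster = new Map(); this.epoch = 0; this.rotate(); }
  rotate() { this.meetingKey = crypto.randomBytes(32); this.epoch += 1; }
  admit(name, publicKey) { this.roster.set(name, publicKey); }
  remove(name) { if (this.roster.delete(name)) this.rotate(); } // attendee list changed
  distribute() {
    const out = new Map();
    for (const [name, pub] of this.roster) out.set(name, envelope(this.meetingKey, pub));
    return out;
  }
}
```

After `remove()`, a removed attendee's private key cannot open any envelope from the next `distribute()`, so traffic encrypted under the rotated key stays unreadable to them.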
However, according to the blog, the end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems, and Zoom Rooms and Zoom Phone participants will be able to attend only if allowed by the host.
Yuan also stated that the company will publish a detailed draft cryptographic design on 22 May 2020, as part of its commitment to remaining transparent and open while building the new end-to-end encryption offering.