Zoom buys secure messaging service Keybase

Unified communications and collaboration service Zoom is to acquire Keybase – a developer of secure messaging and file-sharing services – to help build scalable end-to-end encryption into its video-conferencing platform.

Zoom shot to prominence at the beginning of the Covid-19 coronavirus pandemic during the widespread transition to remote working, and has been dogged by accusations of lax cyber security, which it is currently attempting to address through a rapid programme of innovation and development. The proposed acquisition of Keybase is another step in this strategy.

“This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses,” said CEO Eric Yuan.

“Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behaviour on our platform. Keybase’s experienced team will be a critical part of this mission.”

End-to-end encryption has been a particular bugbear for Zoom after it was forced to backtrack after facing claims that it was being misleading over how it defined the term at the beginning of April.

Currently, audio and video content moving between Zoom clients is encrypted only at each sending client device and not decrypted until it reaches the recipient device. With the recent release of version 5.0 of its platform, it now supports AES 256-bit GCM encryption.

With Keybase on board, Zoom said it now plans to offer an end-to-end encrypted meeting mode to all paid accounts, with additional features to enable meeting hosts to control encryption keys. It said it believed this would mean it could provide “equivalent or better” security than any competitive platform.

“As we do this work to further protect our users’ privacy, we are also cognizant of our desire to prevent the use of Zoom’s products to cause harm,” added Yuan.

“We will continue to work with users to enhance the reporting mechanisms available to meeting hosts to report unwanted and disruptive attendees.

“Zoom does not and will not proactively monitor meeting contents, but our trust and safety team will continue to use automated tools to look for evidence of abusive users based upon other available data. 

“Zoom has not and will not build a mechanism to decrypt live meetings for lawful intercept purposes. We also do not have a means to insert our employees or others into meetings without being reflected in the participant list. We will not build any cryptographic backdoors to allow for the secret monitoring of meetings.”

Yuan said that a more detailed draft cryptographic design will be published on 22 May, at which point Zoom will begin outreach work with customers, cryptographic experts, and wider civil society to solicit feedback, ahead of engineering its proposed solution.

“We look forward to welcoming the Keybase team and are excited for the possibilities of what we can build together,” said Yuan.