zoom / zoom-e2e-whitepaper

Zoom Cryptography Whitepaper

Clarify availability of upgrades to Zoom users. #22

Closed HarleyLorenzGeiger closed 4 years ago

HarleyLorenzGeiger commented 4 years ago

Thank you for all the work on this paper, and for seeking community input.

To prevent the paper from causing confusion or misleading stakeholders, the paper should clarify the extent to which the security and privacy upgrades will be available to Zoom users.

As written, the current draft of the paper could lead the reader to presume that the security and privacy upgrades will be available to all Zoom users. The paper makes no distinction among Zoom clients or users. The intro refers broadly to Zoom's hundreds of millions of users, friends and family, etc. Section 1.1 uses "Zoom clients" to refer to "all these various forms of packaging."

However, if it is Zoom's intention to apply the security & privacy upgrades to only a subset of users (such as paid accounts and other accounts at Zoom's discretion), the paper should make that clear from the very beginning, not just in a press release or other ancillary material. If some of the upgrades will be applied to all users, and other upgrades will be applied to a subset of users, those distinctions should also be made clear in the paper. This is a crucial point, without which readers could be easily misled about the true scope of the upgrades proposed in the paper.

We recommend adding another subsection to the paper detailing this issue. What will be the difference in user experience between users with the upgrades and users without? How will users without the capability be able to tell which meetings are e2e and which are not? Is Zoom able to provide or revoke the e2e capability - or any of the upgrades listed in the paper - at its discretion at any time? We believe this is in scope for the paper because it more fully details the extent of the proposed upgrades, as well as the effect on non-upgraded users (which may be "no change," but this should nonetheless be noted in the paper).

Thanks again.

Harley Geiger, Rapid7

Update: Zoom has now publicly announced that end-to-end encryption would not be available to non-paying users in general. This intention and related details (noted above) continue to be unclear from the paper proposing the security and privacy upgrades.

AdriaanDeVos commented 4 years ago

I agree that this important information should be added to the updated document. This information should be easily accessible instead of reading it in some random news articles.

astamos commented 4 years ago

This issue has been addressed in a new post: https://blog.zoom.us/wordpress/2020/06/17/end-to-end-encryption-update/