Not long after the pandemic hit in March 2020, Zoom went from mostly a consumer product to one that millions of businesses depended on around the world. The company embarked on a security project that led to the implementation of many important security features, including end-to-end encryption.
Prior to the pandemic, Zoom was primarily built for enterprise customers. But in March 2020, Zoom experienced a huge influx of all types of new users. Around the world, people began using Zoom to work from home, to take online classes, and to socialize. And many of these new users didn’t have an existing IT department to assist them with their account and security settings.
As March 2020 came to a close, Zoom quickly realized that it needed to do more on security and privacy to support these new types of users. On April 1, 2020, Zoom announced a 90-day security and privacy plan. For the next three months, the company focused all of its engineering resources on trust, safety, and privacy issues. Zoom then conducted a comprehensive security review with third-party experts and representative users to understand and ensure the security and privacy of all its new use cases. Zoom engaged multiple firms in a series of simultaneous open-box penetration tests to further identify and address issues.
The security team rolled out 100 new features within three months. Highlights include 256-bit AES-GCM encryption for all meetings; UI updates such as a green security icon with data center location click-through; a “Report a User” feature; enhanced meeting defaults, including passcodes, Waiting Rooms, and limited screen sharing; and customized data routing by geography for data in transit. Zoom also acquired Keybase in May 2020 and started work on end-to-end encryption for all global users, which launched less than six months later.