So finally, after likely trillions of minutes of sessions, Zoom is rolling out end-to-end encryption.
And while it sounds great, it’s also sort of a bit, well, almost silly as a feature. Almost. Or at least, not really necessary. Too much form over substance.
Why? Because of course “end-to-end encryption” sounds like something you’d want, and it sounds like a big upgrade. Who wouldn’t want it? The problem is, once you understand how it works in practice, it also means a ton of Zoom features won’t work if you turn it on. And Zoom was plenty secure before this:
“Notably, however, Zoom says that enabling E2EE disables certain meeting features: join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions. Phase 2 of the E2EE rollout will occur in 2021, Zoom says.”
Let’s look at that list. No cloud recording? Huge bummer for us. No breakout rooms? No chat? Etc. etc. No thanks.
You can certainly do a basic Zoom without these enhanced features. But many of the collaboration parts can’t work if Zoom can’t access the stream itself. Of course they can’t — they wouldn’t work for any other app, either. You can’t save a recording if you can’t access the video. You can’t let folks chat if they can’t share the chats. Etc. etc.
And each Zoom session was already highly encrypted before this. It’s just without access to the keys in a session, Zoom can’t do all that much with the content in it. So its standard “enhanced” encryption for 99% of enterprise users is probably plenty fine:
So how many folks will actually turn on this addiitonal feature? A small minority most likely. The trade-off isn’t worth it for many of us. And even if they do, they may well turn it off later and just stick with standard enhanced encryption. And again, the app was plenty secure before this at a practical level for 99.9% of use cases.
And yet … and yet … Zoom the company needed to ship this feature. Not because the application really needed it. But because as Zoom got bigger and bigger, and because as post-Covid Zoom became more and more critical to how enterprises are run, its larger customers just demanded it. “We need end-to-end encryption.” So Zoom finally … checked the box. And the issue here in the enterprise, in CIOs’ offices, once it’s finally built, just fades. CIOs and CTOs and more stop caring once they know it’s there. The security audit is passed. Folks move on. Even if they never actually use the feature.
The same will happen to you as you go upmarket. Big enterprise customers will ask you to build “check-the-box features”, especially around perceived security, disaster recovery, etc. that they’ll likely never actually use at all, or just barely. Because the trade-offs in the end aren’t worth it. In fact, they may even forget about ever turning on the feature in practice after they Adobe Sign the contract.
You can resist when enterprise customers ask. You can explain to them why they don’t really need the feature. E.g., why SOC-2 isn’t a big deal. Etc. etc. But if you argue, even if you are right — you’ll simply lose a lot of those deals.
It’s not worth it — at least not in the enterprise. With SMBs, it may be OK to lose 2%-5% of deals due to not having a critical enterprise check-the-box feature. But is it worth losing a $50k, $100k, $500k deal over not building a check-the-box feature? No. It almost never is. Not if you could build the feature in a few days, or even a few weeks.
So I know your dev team may not want to build these features that just never really get used. But show them why they matter at a business level. Why you’ll win the next big deal if you deliver these features. And why not to worry if many of them are never really used in practice.
