3.8 Account Escrow
Some of the data that organizations store on the Zoom platform is encrypted with keys that are only known to the devices of the users authorized to access it; the data is not available to Zoom servers. For example, emails between active users of the Zoom Mail Service (Section 6) and some phone calls between Zoom Phone clients (Section 8.1) are in most cases encrypted using the sender and recipient’s keys only. However, administrators of these organizations may also wish to have access to this data, for example, to protect against accidental data loss (if the account member loses their devices) or to support legal retention and discovery. We refer to solutions that give such organizations cryptographic access to their members’ encrypted data as escrow, and in this section we present Zoom’s solution to this problem.
When an account enables escrow, all the account members (escrowees) receive an unskippable notification informing them that escrow is being enabled. Upon acknowledgement, each member adds a “virtual” escrow device (Section 3.4.3) to their own user sigchain. This escrow device’s public keys correspond to secret keys known to a set of devices that are controlled by Escrow Administrators (EAs), account members designated with escrow permissions. This enables all account members to automatically share their PUKs (and by extension their encrypted data) with these admins.
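The sharing mechanism described above, as an added Go example that is not part of the whitepaper or of Zoom's code: a member's device wraps its PUK to the public key of every device on its sigchain, the virtual escrow device included, and the Escrow Administrators' secret key opens that copy like any other device's. X25519, AES-GCM, the `WrappedPUK` format and the function names are assumptions of the example, not Zoom's actual design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// WrappedPUK is a user's PUK sealed to one device's X25519 public key (hypothetical format).
type WrappedPUK struct{ EphPub, Nonce, Ct []byte }
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// aeadFor derives an AES-GCM key from an ECDH shared secret; SHA-256 stands in for a KDF.
func aeadFor(shared []byte) cipher.AEAD {
	k := sha256.Sum256(shared)
	return must(cipher.NewGCM(must(aes.NewCipher(k[:]))))
}

// WrapPUK seals puk to one device, binding the device's sigchain name as associated data.
func WrapPUK(puk []byte, name string, pub *ecdh.PublicKey) WrappedPUK {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	aead := aeadFor(must(eph.ECDH(pub)))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return WrappedPUK{eph.PublicKey().Bytes(), nonce, aead.Seal(nil, nonce, puk, []byte(name))}
}

// SharePUK is what a member's device does once escrow is acknowledged: it wraps the PUK
// to every device on its sigchain (name -> public key), the virtual "escrow" device included.
func SharePUK(puk []byte, sigchain map[string]*ecdh.PublicKey) map[string]WrappedPUK {
	shares := make(map[string]WrappedPUK, len(sigchain))
	for name, pub := range sigchain {
		shares[name] = WrapPUK(puk, name, pub)
	}
	return shares
}

// OpenShare is how any device, an EA's included, recovers the PUK: find the copy wrapped to its
// sigchain name and open it with the matching secret key. No escrow entry means no copy for EAs.
func OpenShare(shares map[string]WrappedPUK, name string, priv *ecdh.PrivateKey) ([]byte, error) {
	w, ok := shares[name]
	if !ok {
		return nil, errors.New("no copy of the PUK is wrapped for device " + name)
	}
	shared := must(priv.ECDH(must(ecdh.X25519().NewPublicKey(w.EphPub))))
	return aeadFor(shared).Open(nil, w.Nonce, w.Ct, []byte(name))
}
```

A PUK shared before the escrow device was added to the sigchain has no copy the EAs can open; only shares made after acknowledgement include the escrow entry.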