As we all try to work from home, Zoom videoconferencing has become the hottest company on the planet. It’s also at the center of a firestorm of criticism on privacy and security. Yesterday, CEO Eric S. Yuan tried to address the problem. His post is a good first step, but now Zoom has to follow up.
I’ve praised Zoom before — it’s essential to my business. (Disclosure: Eric Yuan sent me a nice Zoom backpack after that post.) It’s popular because it works so well: it’s easy to install, easy to use, adjusts well to different levels of bandwidth, works on all devices, and in nearly every way, anticipates what you would want to do. This is why, in a moment when college professors and preschool teachers are conducting conferences (and I’m doing remote workshops instead of traveling), Zoom is the top choice.
But success comes with a spotlight. Zoom’s privacy policies are under fire. Princeton computer science professor Arvind Narayanan calls it “malware.” It’s been caught surreptitiously installing a server on people’s devices, sending data to Facebook, inaccurately claiming end-to-end encryption, and tracking users’ attention. A product that succeeds on subscriptions, not advertising, doesn’t need to behave this way.
Now Yuan has stated that things will change. Should we believe him?
Analyzing Eric Yuan’s privacy post
Here’s what Yuan wrote on the Zoom blog, with my analysis.
A Message to Our Users
April 1, 2020 by Eric S. Yuan
To our Zoom users around the world,
Whether you are a global corporation that needs to maintain business continuity, a local government agency working to keep your community functioning, a school teacher educating students remotely, or a friend that wants to host a happy hour to spark some joy while social distancing, you are all managing through unique challenges brought upon by this global health crisis. During this time of isolation, we at Zoom feel incredibly privileged to be in a position to help you stay connected.
We also feel an immense responsibility. Usage of Zoom has ballooned overnight – far surpassing what we expected when we first announced our desire to help in late February. This includes over 90,000 schools across 20 countries that have taken us up on our offer to help children continue their education remotely. To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid. We have been working around the clock to ensure that all of our users – new and old, large and small – can stay in touch and operational.
This is a poor start. The title says nothing about the topic of this post, which is privacy and security. And the first two paragraphs are self-congratulatory stats on how Zoom is the choice of so many in these moments of need. If you were worried about privacy, this will make you more impatient than reassured.
My advice to all executives writing posts like this is simple: don’t “ease into it.” We know you have a problem. We want to hear about how you are addressing it. The longer it takes to get to the substance of that, the less we trust you.
For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.
Finally, halfway through the third paragraph, we hear about privacy and security. I accept that they’re focused on dealing with a huge surge in volume. But nobody wants excuses — we want to know why there are problems and what Zoom is doing about it.
First, some background: our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.
However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.
These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users.
Zoom was indeed conceived for companies. This explanation is true, and it is human. But we didn’t need three paragraphs on it. Two sentences would have been sufficient: “Zoom was designed for companies with sophisticated IT departments. Now that it’s being used by so many consumers, privacy and security expectations are different.”
Yuan gets some points for praising the journalists and security experts who are identifying the problem.
We take them extremely seriously. We are looking into each and every one of them and addressing them as expeditiously as we can. We are committed to learning from them and doing better in the future.
But before I lay out how we intend to improve, I want to share what we have done so far.
What we’ve done
With the flood of new users, part of the challenge is ensuring that we provide the proper training, tools, and support to help them understand their own account features and how best to use the platform.
* We’ve been offering training sessions and tutorials, as well as free interactive daily webinars to users. We have proactively sent out many of these resources to help familiarize users with Zoom.
* We are taking several steps to minimize customer support wait times when they reach out with questions.
* We’re listening to our community of users to help us evolve our approach.
We have also worked hard to actively and quickly address specific issues and questions that have been raised.
* On March 20th, we published a blog post to help users address incidents of harassment (or so-called “Zoombombing”) on our platform by clarifying the protective features that can help prevent this, such as waiting rooms, passwords, muting controls, and limiting screen sharing. (We’ve also changed the name and content of that blog post, which originally referred to uninvited participants as “party crashers.” Given the more serious and hateful types of attacks that have since emerged, that terminology clearly doesn’t suffice. We absolutely condemn these types of attacks and deeply feel for anyone whose meeting has been interrupted in this way.)
* On March 27th, we took action to remove the Facebook SDK in our iOS client and have reconfigured it to prevent it from collecting unnecessary device information from our users.
For education users we:
* Rolled out a guide for administrators on setting up a virtual classroom.
* Set up a guide on how to better secure their virtual classrooms.
* Changed the settings for education users enrolled in our K-12 program so virtual waiting rooms are on by default.
* Changed the settings for education users enrolled in our K-12 program so that teachers by default are the only ones who can share content in class.
On April 1, we:
* Published a blog to clarify the facts around encryption on our platform – acknowledging and apologizing for the confusion.
* Permanently removed the attendee attention tracker feature. (updated 4/2 to clarify that it’s permanently removed)
* Released fixes for both Mac-related issues raised by Patrick Wardle.
* Released a fix for the UNC link issue.
* Permanently removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature. (updated 4/2 to clarify that it’s permanently removed)
This is a substantial list of steps in the right direction. It’s impressive, and it’s clear. In contrast to the first part of the post, it’s not self-congratulatory, either. It certainly reflects movement in the right direction.
What we’re going to do
Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes:
* Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
* Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
* Preparing a transparency report that details information related to requests for data, records, or content.
* Enhancing our current bug bounty program.
* Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
* Engaging a series of simultaneous white box penetration tests to further identify and address issues.
* Starting next week, I will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to our community.
For a company that’s experienced a flood of success, this is a startling announcement. A feature freeze and a new focus on security is not what you would expect from a company dealing with a manyfold increase in users over a period of a month. This is not going to be easy, but it is certainly the right approach.
Transparency has always been a core part of our culture. I am committed to being open and honest with you about areas where we are strengthening our platform and areas where users can take steps of their own to best use and protect themselves on the platform.
We welcome your continued questions and encourage you to provide us with feedback – our chief concern, now and always, is making users happy and ensuring that the safety, privacy, and security of our platform is worthy of the trust you all have put in us.
Together, let’s build something that can truly make the world a better place!
Eric S. Yuan
Founder and CEO, Zoom
Very nice, and a bit generic.
What happens now?
Consider Facebook, which has proven with a stream of successive privacy failures and little more than lip service to fixes that privacy is not its priority. Will Zoom take that path, or will it pivot to a stance that preserves privacy and security and remedies its past problems?
There are two reasons to be hopeful. One is that as a subscription-supported business that does not sell advertising, Zoom can correct privacy problems without an impact on its bottom line. The second is that users love it, and that love is at the center of its success — it’s a relationship that is essential to the company’s future success.
But there is also a reason to be fearful. There is a pattern here. It appears that engineers and developers have focused on what they could do, without worrying about if they should do it. All these problems were a result of rapid development of features intended to make the product work better, or at least look better. This is a cultural issue. If moving fast to improve user experience is the top priority, then privacy and security isn’t. And, at least from the view of an outsider, that is what appears to be the case at Zoom.
The solution is must start with the CEO and founder. Yuan is now stating publicly (and I assume, internally as well) that Zoom will freeze features and fix its security problems. What Yuan and his developers do in the next three months will determine the future of the company, and how much we trust it.
Videoconferencing is a competitive space. Zoom is better — but there are plenty of contenders hoping to gain share. Some will position around privacy and security. Zoom will lose share if it doesn’t put its development effort behind what Yuan has promised.
The message Yuan sent could be better — it’s a shame he felt the need to start by justifying Zoom, rather than on the fixes that have happened and the steps the company is taking now. But this is Zoom’s moment to improve. We’ll all be watching, now. It’s a great product. I hope its leaders can make it a safe one, too.