It’s time to stop bashing Zoom
Summary:
The breakout video conferencing app is dealing with explosive growth and its privacy and security issues openly and remarkably quickly
No good deed goes unpunished, the old saying goes, and that certainly seems to be true in the case of Zoom, the video conference company, which in February offered to help schools to continue to educate their students remotely for free during the coronavirus pandemic.
More than 90,000 schools across 20 countries took them up on the offer and millions of other people turned to the app for remote family gatherings and virtual cocktail hours and Zoom parties, and even online funerals.
As a result, a midsized enterprise video meeting company which has been around since 2011 suddenly found itself a massive hit with consumers. At the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. Last month, the company reached more than 200 million daily meeting participants, both free and paid.
That kind of explosive growth not only creates problems of scale but also surfaces new problems around security and privacy. Eric Yuan, founder and CEO, wrote in a blog post:
Our platform was built primarily for enterprise customers, large institutions with full IT support. These range from the world's largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.
However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.
One of the earliest and most serious Zoom privacy issues was an outbreak of Zoombombing, in which uninvited users crashed meetings and disrupted them by taking over screens and playing porn or other unwanted material. Zoom has built-in tools to prevent this kind of disruption, but because many of the new users had never used the app before or did not know much about enterprise-level apps, they were easy prey for hackers.
On March 20th, the company published a blog post tutorial to help users address incidents of harassment on the platform by explaining the protective features that can help prevent this, such as waiting rooms, passwords, muting controls, and limiting screen sharing.
On March 27th, Zoom removed the Facebook SDK in its iOS client and reconfigured it to prevent it from collecting unnecessary device information from Zoom users.
On March 29th, it updated its privacy policy to be more clear and transparent about what data it collects and how it is used, explicitly clarifying that it does not sell users' data, it has never sold user data in the past, and has no intention of selling users' data going forward.
On April 1, Yuan apologized for "the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption." He added:
Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.
The point that Zoom was making is that in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, Zoom encrypts all video, audio, screen sharing, and chat content at the sending client, and does not decrypt it at any point before it reaches the receiving clients.
Over the past two weeks, Zoom has made massive changes to its platform and dealt with every issue in a clear and open manner. I am not alone in this praise. Johns Hopkins University cryptography professor Matthew Green said the company's claims about their encryption practices "are actually pretty good, although there are some open questions."
This hasn't prevented AGs in several states from making threatening gestures.
My take
Zoom has been one of the major stars of the technology response to the coronavirus pandemic. It has earned a lot of goodwill and gained an army of new users, many of them consumers but also the growing market of remote workers. Its stock price has gained 114.8% since the beginning of the year. (Needless to say, I don't own any.)
The company has enacted a freeze of new features and shifted all its engineering resources to focus on its biggest trust, safety, and privacy issues. It is conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of its new consumer use cases. It is also preparing a transparency report that details information related to requests for data, records, or content.
In short, Zoom has responded admirably and incredibly quickly to a series of important privacy and security issues occasioned by its meteoric rise in users. Try getting Facebook to respond that quickly sometime, anytime.