In response to damaging public scrutiny of its privacy and security policies, video collaboration platform vendor Zoom has unveiled a 90-day plan to address these issues.
The company has immediately frozen its tool’s existing features and will shift its engineering team to focus on trust, safety, and privacy issues. It will also conduct a review involving third-party experts, prepare a transparency report, and enhance its bug bounty programme.
The number of people using Zoom has soared in the last month, as the spread of Covid-19 forces millions of office-based employees to work from home. The tool is now an integral part of how people under lockdown communicate with the outside world, but most users are unaware of how Zoom monitors their behaviour and handles their sensitive data.
Tough times for Zoom
In quick succession, the company has found itself under investigation by New York’s Attorney General, and described as “malware” on Twitter by a Princeton University professor. It is also being sued in California over allegations that it collected information on millions of users and shared it with Facebook. Security researchers have also identified a flaw that could allow a hacker to get credential data and remotely access Windows computers on corporate networks.
In the face of this criticism, Zoom has taken action to protect its reputation. In a blog published on 1 April, the company’s chief executive Eric Yuan admitted the company had fallen short of both the tech community’s and its own privacy and security expectations.
As well as the review with experts and the transparency report, Yuan said Zoom would launch a chief information security officer (CISO) council to create an ongoing dialogue regarding security and privacy best practices. It will also launch white box penetration tests to further identify security issues.
Zoom use has skyrocketed
Zoom has been caught flat-footed, a victim of its own success. It should have been prepared for increased product scrutiny, although the increase in users has probably outstripped even its own expectations. Zoom has gone from a maximum of 10 million daily meetings, both free and paid, in December 2019, to 200 million daily meetings in March 2020.
Yuan said Zoom’s platform was built for enterprise customers that would have done ‘exhaustive’ security reviews of Zoom’s user, network, and data center layers before deploying the tool. It was not designed to support a broader set of users adopting the product in different ways, presenting the company with challenges it hadn’t anticipated when the platform was conceived.
Harsh lessons for hot products
The lesson that Zoom is learning the hard way is that data privacy and security are always paramount. So far, the damage has primarily been to the company’s reputation. No-one yet knows whether its flaws have already been targeted by hackers and credentials actually stolen and used.
The Covid-19 crisis will continue to provide smaller and less well-known internet companies like Zoom with a powerful and unexpected platform for their products.
Users have no choice but to trust these companies and their products, despite knowing little or nothing about them. As businesses adjust to new ways of working, user expectations of the tools they use will rise. That is a good thing, because it is only under public scrutiny that better, more secure products are created. The moral for all suppliers is that, while your stock can rise almost overnight, goodwill can evaporate just as quickly.