Zoom’s recent growth has put it in the spotlight over a series of privacy and security issues, and the company is now promising to address them over the coming 90 days. In a detailed blog post, Zoom CEO Eric S. Yuan explains how the company has been responding to a massive increase in users. Zoom has never shared user numbers before, but Yuan reveals that back in December the company had a maximum of 10 million daily users. “In March this year, we reached more than 200 million daily meeting participants, both free and paid,” says Yuan.
That’s a huge increase that has seen people use Zoom for reasons nobody expected before the coronavirus pandemic. “Our platform was built primarily for enterprise customers,” explains Yuan. “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
Zoom’s growth during the spread of COVID-19 has been phenomenal. According to Yuan, the number of free and paid users participating in daily meetings rose from 10 million last December to 200 million last month. The service has attracted users due to its simple interface, cross-platform availability, decent call quality and customisable backgrounds. Alternatives exist, including Skype, Google Duo and Hangouts Meet, Discord and Microsoft Teams, but none of them have seen the same level of uptake.
Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively,” explains Yuan. “We are also committed to being transparent throughout this process.”
All of Zoom’s engineering resources will now be focused on safety and privacy issues, and the company is planning a “comprehensive review” with third-parties to ensure it’s handling the security of these new consumer cases properly.
The investigation will be backed up by transparency report that lists requests for data, he said, an enhanced bug bounty program, as well as a series of white box penetration tests an approach that gives the tester full knowledge of the company’s infrastructure and application source code. In addition, Zoom has vowed to launch a CISO (chief information security officer) council with representatives fro across the industry to “facilitate an ongoing dialogue regarding security and privacy best practices.”
Zoom’s surging popularity has laid bare some of its shortcomings, though. As The Intercept reports, Zoom calls can’t be secured with end-to-end (E2E) encryption — a gold standard offered by Google Duo, WhatsApp and others — even though the company’s website clearly states they can. “It is not possible to enable E2E encryption for Zoom video meetings,” a spokesperson told the website in a statement earlier this week.
According to Feelix Seele, technical lead at malware tracker VMRay, Zoom’s Mac installer uses pre-installation scripts and then, unbeknownst to the user, displays a faked system message to confirm what has already happened behind the scenes. “This is not strictly malicious, but very shady and definitely leaves a bitter aftertaste,” @c1truz_ tweeted on March 30th. “The application is installed without the user giving his [or her] final consent and a highly misleading prompt is used to gain root privileges.”
The company also had to update its iOS app last week to remove code that reportedly sent data to Facebook, including the user’s time zone and city, basic details about their device, and when they opened the app.
As Vice reports, Zoom is having problems with its Company Directory, too. The normally-handy tool helps people find colleagues who have the same email domain. The problem is that some people sign up through the app with a personal email address and, in some cases, have been grouped together with countless other people who signed up the same way.
It also changed its privacy policy after users realised their personal information could be used for targeted ads.
To win back user trust, Yuan said today that Zoom will be initiating a “feature freeze” until all of its security issues are addressed.
Yuan will also hold a weekly webinar on Wednesdays at 10AM PT / 1PM ET to discuss privacy and security updates for Zoom as it tackles its response over the next 90 days. “Transparency has always been a core part of our culture,” says Yuan. “I am committed to being open and honest with you about areas where we are strengthening our platform and areas where users can take steps of their own to best use and protect themselves on the platform.”
Zoom’s response is what many in the security community had been asking for, and the company is committing to fixing the issues that have been identified and promising to be transparent in the process. That’s encouraging to hear for Zoom’s existing users, and the many millions of new users that are choosing the app to connect to friends, family, and coworkers for the first time.
