Zoom Responds blog.zoom.us

Eric Yuan, CEO of Zoom:

For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.

[…]

Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes:

  • Enacting a feature freeze, effective immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.

I think this is a generally well-written, meaningful apology. The CEO of Zoom clearly feels awful about a week of previously undisclosed security and privacy vulnerabilities coming to the fore, and has a plan to address them. That’s promising.

But there’s still an air of defensiveness about this post. For example:

First, some background: our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.

However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.

According to Yuan, Zoom’s call volume grew by twenty times in just a couple of months. It is understandable that some features, like its LinkedIn integration, do not translate well to non-enterprise contexts. But Zoom’s bigger problems — its false claims of end-to-end encryption, its malware-like installer, the webcam security problem exposed last year, and its vulnerability to malicious links — have nothing to do with Zoom’s scale. They are technical debts incurred by years of sloppy work.

Thomas Brewster, Forbes:

Towards the end of March, three of the American government’s key coronavirus response organizations spent a collective $1.3 million on videoconferencing tech from Zoom, a Forbes review of government contracts has found. That was despite widespread criticism of the app’s privacy and security.

The orders – from Centers for Disease Control and Prevention (CDC), the Federal Emergency Management Agency (FEMA) and the National Institutes of Health (NIH) – were all made in just a few days from March 23 to 26. They ranged in cost, the highest being $750,000, which the CDC ordered for hosting webinars on COVID-19. FEMA spent $320,000 on 1,500 Zoom software licenses, whilst CDC spent another $160,000 on Zoom webinar tech. An NIH contract at $90,000 also specified some Zoom licenses. They weren’t delivered directly by Zoom, but by partner government contractors CDW Government and Carahsoft Technology.

I am glad that Zoom is serious about addressing these flaws anyhow, but particularly so after learning that it is being used by these government agencies.