Zoom says engineers will focus on security and safety issues

By Alex Hern UK technology editor

Zoom, the hit video conferencing platform, will freeze new feature development and shift all engineering resources on to security and safety issues, its founder has said..

The move comes as the company battles the damage caused by a string of minor scandals ultimately related to the same scrappy approach that enabled it to capitalise on the wave of global lockdowns in the first place.

“We have fallen short of the community’s – and our own – privacy and security expectations,” said Zoom’s founder and CEO, Eric Yuan, in a blogpost on Thursday. “For that, I am deeply sorry.”

Since it began gaining hundreds of thousands of users a day, Zoom has come under increasing scrutiny from privacy campaigners, security researchers, and members of the public, who have found faults in the platform’s programming, policies, and practices.

Some stem from the fact that a tool originally designed for enabling corporate communications has been repurposed for a wide range of consumer uses, from strangers meeting up for virtual “happy hours” to children’s book groups and remote sessions of Dungeons and Dragons.

But others relate to the company’s approach, modelled on the notorious Facebook maxim “move fast and break things”, of finding unorthodox solutions to problems, which may not always hold up under closer inspection.

“There’s a difference between being able to pivot on top of a solid foundation,” says Vincent Roffers, executive strategy director at branding strategists Superunion, “and the path where they have at some level cut corners a bit,” in terms of the way they’ve created their product.

The most public problem facing the company has been the rise of “Zoombombings”, when trolls join public video chats to wreak havoc among their members by broadcasting pornography, hurling abuse, or undressing in front of their webcam. Zoombombings are possible because the company’s product is built for use in cases where every caller is part of the same company, or already known to each other, security experts say – an assumption that no longer fits after weeks in lockdown.

“We now have a much broader set of users who are utilising our product in a myriad of unexpected ways,” Yuan said, “presenting us with challenges we did not anticipate when the platform was conceived.” Zoombombings can be prevented by changing the app’s settings, Zoom said in late March as the problem was growing. And other tools, such as YouTube or Twitch livestreams, may be more appropriate for some uses, such as a broadcast of an author reading their book.

Other problems were more baked into the product, however. In July 2019, before it exploded in popularity, Zoom faced an embarrassing security scandal.A researcher discovered that the company installed some code on Macs alongside its app that meant that even if the app was later uninstalled, a single click on a web link was all it took to reinstall the app and join a new conference call with mic and camera enabled. Zoom initially defended the flaw for more than 90 days, saying it was a feature intended to make it easy for users to join calls. Only when the researcher went public did the company act. Apple later pushed a software update to all Macs that automatically prevented the feature from working.

That episode left security researchers suspicious of the company, and when it burst into the public’s consciousness in March, the suspicion returned. In just a couple of weeks, researchers found many more flaws, major and minor, which piled up faster than Zoom could fix them, from a broken promise to provide “end to end encryption” for video calls to bugs that would allow a hacker to gain access to a user’s webcam and microphone.

“So many of Zoom’s poor decisions were about prioritising growth over security,” said the analyst Ben Thompson. “This crisis, though, more than takes care of growth: it’s up to Zoom to seize the opportunity to prioritise security in a transparent and verifiable way at a time when all of their customers want them to succeed.”

That’s what the company is promising now, founder Yuan says. Over the next 90 days, it will conduct a “comprehensive review with third-party experts”, publish a transparency report, and run penetration tests to find and fix further flaws.

Superunion’s Vincent Roffers believes that is the right approach. “They need to make it right in a way that’s transparent that’s visible. The worst thing they could do is retreat and disappear,” he said.

“They’re going to be fine. The thing about branding is, you always have a lot of chances: It’s not about what you do now, it’s about what you do next.”