Over the last three months, largely due to the coronavirus pandemic, Zoom experienced unprecedented growth. Daily users rose from 10 million in December 2019 to 200 million in March 2020. Originally designed as a video and audio conferencing platform for large enterprises, such as universities, companies, healthcare organizations, and government agencies, Zoom never anticipated such widespread consumer use. Now, in addition to business meetings, Zoom is used for everything from happy hours to cigar nights, weddings, and even funerals. However, with growth came problems, all of which center on security and privacy issues, including:
- Zoom-bombing by uninvited guests (including hackers), made possible by Zoom’s default settings, which often resulted in online harassment.
- Automatic data sharing with Facebook. Whether the user had a Facebook account or not, upon downloading Zoom’s app, details about the user’s device were automatically shared with Facebook.
- Lack of end-to-end encryption. Zoom initially marketed itself as having end-to-end encryption, which prevents data from being read or secretly modified by anyone other than the true sender and recipient. Instead, it used transport layer security (TLS) encryption, which allows the company open access to the video and audio content of all Zoom meetings.
The fallout for Zoom over the last few weeks has been swift and unrelenting, leading to damage control and a degree of attention to crisis management that it never envisioned. Notably, the company has had to address the following concerns that arose from its recent usage spike:
Erosion of Trust. These privacy-related issues ultimately led to an erosion of trust in the product and a subsequent loss of customers, ranging from local school districts and government agencies, such as NASA, to companies, including Google and SpaceX.
Reputational Damage. The product, and by extension, the company’s integrity, is unquestionably compromised. However, founder and CEO Eric Yuan addressed the issues head-on, admitting that “We have fallen short of the community’s – and our own – privacy and security expectations. For that I am deeply sorry…” Consistent with Yuan’s attempt to communicate and offer transparency, he now hosts a weekly webinar, “Ask Eric Anything,” to provide a status update.
Escalation of Lawsuits. Zoom currently finds itself in litigation purgatory. The complaints, in varying degrees, address Zoom’s unauthorized disclosure of personal information and its failure to adequately protect users’ data privacy rights. For example, one complaint highlights the extent to which third-party apps compromised users’ expectation of privacy, such as Navigator, which allows the host to view the LinkedIn profiles of meeting participants even when participants sought to keep their personal details anonymous. This is a rock from under which it is difficult to climb out.
So What Has Zoom Done?
In the aftermath of the fallout, Zoom has taken a series of steps to address and correct the issues surrounding users’ data privacy rights, including:
- Instituted a 90-day freeze to focus all of its resources on addressing security and privacy issues.
- Implemented a comprehensive security review of its platform, enlisting third-party experts, such as the former Chief Security Officer of Facebook.
- Updated its iOS app to remove code that automatically sent data to Facebook.
- Removed the attention tracker feature.
- Formed a Chief Information Security Officer (CISO) Council, consisting of industry peers, to ensure that security and privacy best practices are being adopted and implemented.
Finally, and perhaps most significantly, the CEO took ownership of the problem. Regardless of your opinion of Zoom, when was the last time you remember a CEO uttering the words “I really messed up …”? Yuan stepped up and owned up, something that all of us can do in our professional and personal lives. Zoom’s snafus offer important lessons for organizations functioning in a world that is increasingly digital, but the company is also an exemplar of leadership acknowledging its mistakes and making formalized efforts to remedy them.