As the COVID-19 pandemic upended the bulk of in-person life, one piece of software went from obscure to everyday essential for many: Zoom.
By April, just weeks into the United States’ dive into full pandemic mode, the number of daily meeting participants using the video conferencing software had ballooned to 300 million, up from just 10 million in December. Last month the company reported third-quarter earnings of $777 million, beating investor expectations. The company’s year-over-year growth was 367 percent.
And with widespread vaccine distribution still months away, the service will stay ubiquitous well into the future.
But growth comes with pain: The year has also been rocky for the company, which was plagued by privacy lapses almost from the beginning of the pandemic, drawing the attention of advocates and security researchers, and a fair amount of embarrassing press. Zoom announced a series of changes this year in response to the criticism, but questions about the security of its video conferences still linger.
“In a way, what happened to them was the dream scenario for a tech company,” Daniel Kahn Gillmor, a senior staff technologist at the American Civil Liberties Union, told The Markup. Suddenly, a relatively niche product was being used everywhere.
“But that kind of success comes with its own concerns,” Gillmor said.
“Zoom Bombing” and Other Privacy Issues
As far back as March, a series of disturbing incidents involving Zoom transpired, as unwanted visitors crashed meetings and disrupted gatherings, sometimes flashing pornography or spouting racist messages.
Chipotle was hit with pornography during a virtual hangout, the University of Southern California dealt with racist taunts, and the Federal Bureau of Investigation even issued a warning, saying in an alert that reports of the phenomenon were “emerging nationwide.” Some schools soon backed off from using the software over harassment concerns.
Other questions about security soon arose. An April report from the Citizen Lab at the University of Toronto found that some virtual meetings that didn’t take place in China still seemed to be connecting to servers in the country. The report also found that the company’s data encryption process had “significant weaknesses.”
The company issued a response to the report, blaming the transmission of data to China on a technical error and promising to improve its encryption practices.
Other security researchers, however, raised more concerns. One, for example, reported to Zoom that it was possible for hackers to crack the password for private meetings through computer-assisted guessing. The company fixed the issue in response.
In another blog post released in April, following media scrutiny, Zoom was forced to admit that it had wrongly suggested the service used end-to-end encryption, the gold standard of data encryption. “While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it,” Oded Gal, the company’s chief product officer, wrote.
Zoom’s security problems even prompted scrutiny from state and federal regulators. New York’s attorney general opened an investigation into privacy lapses and in May announced that, under a settlement, Zoom had agreed to take additional steps to protect users’ data, including through encryption, and would report regularly on its privacy practices to the attorney general’s office.
In November, the Federal Trade Commission announced the conclusion of its own investigation and that Zoom had agreed to additional privacy protections, including creating a “vulnerability management program.” The FTC said in the statement announcing the agreement that “the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.”
Zoom Attempted to Respond Quickly
“We recognize that we have fallen short of the community’s—and our own—privacy and security expectations,” Zoom’s CEO, Eric S. Yuan, said in a blog post in April.
The company has since announced a series of changes to its platform. To prevent Zoom-bombing, for example, the company—after providing users with some general “tips”—created a default setting requiring new visitors to be approved before joining a call.
“We have been deeply upset to hear about these types of incidents, and Zoom strongly condemns such behavior,” Zoom spokesperson Matt Nagel said in a statement to The Markup. “We have updated a number of default settings and added features to help hosts more easily access in-meeting security controls, including the ability to suspend all participants’ activities, controlling screen sharing, removing and reporting participants, and locking meetings, among other actions.”
Zoom has also pledged to implement end-to-end encryption. In May, the company announced that it had acquired Keybase, a secure messaging platform, as part of a plan to broadly offer “an end-to-end encrypted meeting mode to all accounts.”
In the most recent update on the project, Zoom announced in October that its end-to-end encryption service would be available to users as a technical preview and that the company was soliciting feedback. The setting was made available to both free and paid users, although not all of the service’s features are compatible with the option.
In a statement to The Markup, Nagel said the agreement with the New York State attorney general included “making a number of our pre-existing security features on by default and also introducing new security enhancements” and that the company had also addressed privacy concerns identified by the FTC.
But Has It Been Enough?
Questions remain about whether the company has adequately assured users that its platform is secure. Meanwhile, Zoom has become the venue for more and more sensitive gatherings—from doctor’s meetings, to school conferences, to simple chats with close friends.
“Just personal contact is a sensitive thing,” Gillmor said. “I want to be able to have a conversation without being concerned that it’s going to be potentially monetized or used against me or the person that I’m talking to.”
Some of those virtual meetings are still facing disruption. Zoom bombing, for one, still isn’t unheard of. As recently as this month, virtual court hearings and high school events were still being targeted.
And while Zoom has released its technical preview of end-to-end encryption for all users, the company is still in the process of expanding the service. In its October blog post, Zoom said it would be continuing to expand its end-to-end encryption offerings into 2021.
There are still questions, too, about whether regulators have taken firm enough action against Zoom to prevent future incidents. The FTC was split among its five commissioners on whether to approve its agreement with Zoom, as two said the agreement’s terms didn’t go far enough. “Zoom’s alleged security failures warrant serious action,” Commissioner Rohit Chopra said in a dissenting statement. “But the FTC’s proposed settlement includes no help for affected parties, no money, and no other meaningful accountability.”
Another commissioner, Rebecca Slaughter, also disapproved of the agreement.
“For a company offering services such as Zoom’s, users must be able to trust that the company is committed to ensuring security and privacy alike,” Slaughter said.