Eric Yuan, CEO of Zoom

What was the Accusation?

Zoom, a cloud-based video conferencing platform saw its usage rate increase by 1,900% in March of 2020 when millions of people worldwide were forced to work from home due to the rapidly spreading COVID-19 pandemic.  The software, originally designed for large businesses with in-house IT departments, was now being used in ways not anticipated by the designers.  People were using Zoom for weddings, religious services, and even happy hour drinking parties.  This rapid expansion of Zoom (from 10 million users in December of 2019 to 200 million in March of 2020) exposed major security holes as hackers engaged in the practice of “Zoom-bombing” where meetings were infiltrated with racial slurs and pornographic images.  In response to these security breaches, Eric Yuan, CEO of Zoom, issued a memo reassuring users that the company was enacting numerous measures to prevent future interference with Zoom meetings.

Key Apologia Strategies:

Corrective Action, Bolstering, Defeasibility

Video

Transcript

Official Memo to Zoom Users:

To our Zoom users around the world,

Whether you are a global corporation that needs to maintain business continuity, a local government agency working to keep your community functioning, a school teacher educating students remotely, or a friend that wants to host a happy hour to spark some joy while social distancing, you are all managing through unique challenges brought upon by this global health crisis. During this time of isolation, we at Zoom feel incredibly privileged to be in a position to help you stay connected.

We also feel an immense responsibility. Usage of Zoom has ballooned overnight, far surpassing what we expected when we first announced our desire to help in late February. This includes over 90,000 schools across 20 countries that have taken us up on our offer to help children continue their education remotely. To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid. We have been working around the clock to ensure that all of our users new and old, large and small can stay in touch and operational.

For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s and our own privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.

First, some background: our platform was built primarily for enterprise customers large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.

However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.

These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users.

We take them extremely seriously. We are looking into each and every one of them and addressing them as expeditiously as we can. We are committed to learning from them and doing better in the future.

But before I lay out how we intend to improve, I want to share what we have done so far.

What we’ve done

With the flood of new users, part of the challenge is ensuring that we provide the proper training, tools, and support to help them understand their own account features and how best to use the platform.

• We’ve been offering training sessions and tutorials, as well as free interactive daily webinars to users. We have proactively sent out many of these resources to help familiarize users with Zoom.

  • Trainings and tutorial webinars

  • Live daily demos

  • Upcoming webinars

  • Video trainings

  • Webinar sign-ups for various platform trainings

• We are taking several steps to minimize customer support wait times when they reach out with questions.

• We’re listening to our community of users to help us evolve our approach.

We have also worked hard to actively and quickly address specific issues and questions that have been raised.

• On March 20th, we published a blog post to help users address incidents of harassment (or so-called Zoombombing) on our platform by clarifying the protective features that can help prevent this, such as waiting rooms, passwords, muting controls, and limiting screen sharing. (We’ve also changed the name and content of that blog post, which originally referred to uninvited participants as party crashers. Given the more serious and hateful types of attacks that have since emerged, that terminology clearly doesn’t suffice. We absolutely condemn these types of attacks and deeply feel for anyone whose meeting has been interrupted in this way.)  

• On March 27th, we took action to remove the Facebook SDK in our iOS client and have reconfigured it to prevent it from collecting unnecessary device information from our users.

• On March 29th, we updated our privacy policy to be more clear and transparent around what data we collect and how it is used explicitly clarifying that we do not sell our users’ data, we have never sold user data in the past, and have no intention of selling users’ data going forward.

• For education users we:

  • Rolled out a guide for administrators on setting up a virtual classroom.

  • Set up a guide on how to better secure their virtual classrooms.

  • Set up a dedicated K-12 privacy policy.

  • Changed the settings for education users enrolled in our K-12 program so virtual waiting rooms are on by default.

  • Changed the settings for education users enrolled in our K-12 program so that teachers by default are the only ones who can share content in class.

• On April 1, we:

  • Published a blog to clarify the facts around encryption on our platform acknowledging and apologizing for the confusion.

  • Permanently removed the attendee attention tracker feature. (updated 4/2 to clarify that it’s permanently removed)

  • Released fixes for both Mac-related issues raised by Patrick Wardle.

  • Released a fix for the UNC link issue.

  • Permanently removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature. (updated 4/2 to clarify that it’s permanently removed)

What we’re going to do 

Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes:

• Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.

• Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.

• Preparing a transparency report that details information related to requests for data, records, or content.

• Enhancing our current bug bounty program.

• Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.

• Engaging a series of simultaneous white box penetration tests to further identify and address issues.

• Starting next week, I will host a weekly webinar on Wednesdays to provide privacy and security updates to our community.

Transparency has always been a core part of our culture. I am committed to being open and honest with you about areas where we are strengthening our platform and areas where users can take steps of their own to best use and protect themselves on the platform.

We welcome your continued questions and encourage you to provide us with feedback our chief concern, now and always, is making users happy and ensuring that the safety, privacy, and security of our platform is worthy of the trust you all have put in us.

Together, let’s build something that can truly make the world a better place!

Be well,

Eric S. Yuan

Founder and CEO, Zoom

Sources

After Zoom calls hacked with racial slurs and pornography, CEO admits “mistake.” (2020, April 2). CBS News. Retrieved from: https://www.cbsnews.com/news/zoom-bombing-calls-hacked-racial-slurs-pornography/

Hamilton, I. A. (2020, April 2). Zoom’s CEO apologizes for its many security issues as daily users balloon to 200 million. Business Insider. Retrieved from: https://www.businessinsider.com/zoom-ceo-sorry-privacy-security-2020-4

Snider, M. (2020, April 2). Zoom to focus on security, privacy, CEO says, as usage booms during coronavirus crisis. USA Today. Retrieved from: https://www.usatoday.com/story/tech/2020/04/02/zoom-ceo-apologizes-pledges-security-privacy-focus-video-service/5110672002/

Yuan, E. (2020, April 1). A message to our users. Zoom Blog. Retrieved from: https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/