Zoom (ZM) has experienced stratospheric growth amid the global coronavirus pandemic, but its rapid rise was nearly derailed by security flaws in the video chat service, including now-notorious “Zoom-bombings.”
A series of publicly communicated security fixes and a 90-day pause on feature upgrades to focus on nothing but the service’s safety and privacy features helped turn around what could have been a disaster for Zoom, which Yahoo Finance named Company of the Year this week.
The company’s main security flaws included the fact that passwords and waiting rooms for incoming users were turned off by default and that its advertised end-to-end encryption didn’t actually exist. Part of the issue was that Zoom was initially designed for businesses, rather than individuals, and only became popular with everyday consumers after the pandemic forced everybody indoors and away from their loved ones.
“Look, we have use cases that we had not seen before, new, brand new use cases for the product, and those might require different setups. Things that maybe were an optional feature we make default now,” Zoom chief marketing officer Janine Pelosi told Yahoo Finance.
Security experts see the improvements at Zoom as a welcome step.
“They made positive changes in the way they protect data,” Justin Cappos, a computer scientist at NYU’s Tandon School of Engineering, told Yahoo Finance. “As these issues come up and become more prevalent, they are working to try to address them, which is also good.”
In its last four fiscal quarters, the company saw year-over-year revenue growth of 78%, 169%, 355%, and 367%. And while traditional enterprise customers make up the lion’s share of those massive increases, consumers have also flooded the service looking to keep in touch with friends and family via Zoom birthday parties, weddings, reunions, or just to get virtual drinks.
A service that wasn’t meant for consumers becomes a lifeline
Zoom was founded in 2011 and has largely operated as a platform designed for enterprises and universities since. But the pandemic changed all of that. Suddenly, consumers of all stripes were using the software, which includes a free 40-minute use option.
What’s more, K-12 schools around the world began taking advantage of the service to ensure children forced to learn from home could continue receiving an education.
But as lockdowns took hold in March, security problems started to crop up. The most widely publicized issue was so-called “Zoom-bombings,” which saw unwanted users join meetings and curse, spew racist language, or screen share pornographic images.
The matter became such a problem that the FBI issued an alert on the topic and the New York City Department of Education, which oversees the largest school system in the country, pulled the plug on Zoom for its 1.1 million students in April before eventually allowing kids to Zoom again in May.
But that wasn’t all. The company also faced a number of class action lawsuits in relation to security lapses, and a Washington Post investigation found that recorded user videos involving everything from therapy sessions to elementary school classes were being stored unprotected on the open web for days before finally being transferred to Zoom’s secure cloud. (There is a HIPAA-compliant version of Zoom, which meets the patient privacy standards set by the act.)
A New York Times investigation, meanwhile, uncovered a data-mining feature that connected Zoom users to their LinkedIn profiles, allowing other meeting participants to view profile information without users’ consent. There were also questions raised about why the company was sending chats through China, and why certain security features were turned off by default, including the waiting room option and meeting passwords.
Perhaps most troubling was the fact that Zoom had advertised that it offered end-to-end encryption when in fact, it didn’t, as The Intercept reported in late March. Not long after that report, in early April, CEO Eric Yuan said Zoom would focus specifically on security.
“I would say we had a couple things going on in March that really sort of brought things to a head,” Zoom COO Aparna Bawa told Yahoo Finance earlier this month.
“Number one...the influx of new users, new consumer use cases on Zoom that we weren't necessarily prepared for and, you know, more people having very large meetings that they publicly posted, you know, meeting numbers for online, for good reason, because you couldn't meet in person.”
Part of the reason Zoom ran into such a rush of privacy and security issues, Bawa explained, was that IT departments wanted the freedom to choose how they set up the service.
“So we have enterprises that say, I don't want your waiting rooms. I'll take your passcodes, but you know, I want an authenticated user experience only, so I'll only let authenticated users from my company with a domain name join your meetings,” she said. “And so they can sort of configure the Zoom experience for them and what they prioritize.”
Consumers, however, don’t tend to think of whether certain security features have been enabled by default, and that, alongside Zoom’s focus on the enterprise, led to the security problems.
The 90-day feature pause resulted in the release of Zoom 5.0 on April 27, which included security improvements such as turning passwords and waiting rooms for video chats on by default for most users, and a new Security tab that pointed users to important meeting settings.
The company also bought Keybase, a firm specializing in end-to-end encryption for video chat services. The feature began rolling out as a technical preview in October.
More recently, Zoom has debuted items including a notification for at-risk meetings whose meeting IDs have been shared publicly online.
“This happens all too often,” Bawa explained. “Sadly, it's a good use of Zoom to allow for, you know, distributed connection, but this feature allows them to understand that their meeting ID has been posted publicly, and it gives them the option and encourages them to make their meeting private, which is really important.”
In November, the Federal Trade Commission reached a settlement with Zoom over accusations that it misled consumers about its security and encryption capabilities, reaching a deal requiring the company to implement various new safeguards including multi-factor authentication. In a release on the settlement, Andrew Smith, director of the FTC’s Bureau of Consumer Protection, pointed out just how ubiquitous Zoom’s technology has become amid the COVID-19 outbreak.
“During the pandemic, practically everyone — families, schools, social groups, businesses — is using videoconferencing to communicate, making the security of these platforms more critical than ever,” he said in the release. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
Got a tip? Email Daniel Howley at firstname.lastname@example.org or via encrypted mail at email@example.com, and follow him on Twitter at @DanielHowley.