The Guardian (USA)

Zoom says engineers will focus on security and safety issues

- Alex Hern UK technology editor

Zoom, the hit video conferencing platform, will freeze new feature development and shift all engineering resources on to security and safety issues, its founder has said.

The move comes as the company battles the damage caused by a string of minor scandals ultimately related to the same scrappy approach that enabled it to capitalise on the wave of global lockdowns in the first place.

“We have fallen short of the community’s – and our own – privacy and security expectations,” said Zoom’s founder and CEO, Eric Yuan, in a blogpost on Thursday. “For that, I am deeply sorry.”

Since it began gaining hundreds of thousands of users a day, Zoom has come under increasing scrutiny from privacy campaigners, security researchers, and members of the public, who have found faults in the platform’s programming, policies, and practices.

Some stem from the fact that a tool originally designed for enabling corporate communications has been repurposed for a wide range of consumer uses, from strangers meeting up for virtual “happy hours” to children’s book groups and remote sessions of Dungeons and Dragons.

But others relate to the company’s approach, modelled on the notorious Facebook maxim “move fast and break things”, of finding unorthodox solutions to problems, which may not always hold up under closer inspection.

“There’s a difference between being able to pivot on top of a solid foundation,” says Vincent Roffers, executive strategy director at branding strategists Superunion, “and the path where they have at some level cut corners a bit,” in terms of the way they’ve created their product.

The most public problem facing the company has been the rise of “Zoombombings”, when trolls join public video chats to wreak havoc among their members by broadcasting pornography, hurling abuse, or undressing in front of their webcam. Zoombombings are possible because the company’s product is built for use in cases where every caller is part of the same company, or already known to each other, security experts say – an assumption that no longer fits after weeks in lockdown.

“We now have a much broader set of users who are utilising our product in a myriad of unexpected ways,” Yuan said, “presenting us with challenges we did not anticipate when the platform was conceived.” Zoombombings can be prevented by changing the app’s settings, Zoom said in late March as the problem was growing. And other tools, such as YouTube or Twitch livestreams, may be more appropriate for some uses, such as a broadcast of an author reading their book.

Other problems were more baked into the product, however. In July 2019, before it exploded in popularity, Zoom faced an embarrassing security scandal. A researcher discovered that the company installed some code on Macs alongside its app that meant that even if the app was later uninstalled, a single click on a web link was all it took to reinstall the app and join a new conference call with mic and camera enabled. Zoom initially defended the flaw for more than 90 days, saying it was a feature intended to make it easy for users to join calls. Only when the researcher went public did the company act. Apple later pushed a software update to all Macs that automatically prevented the feature from working.

That episode left security researchers suspicious of the company, and when it burst into the public’s consciousness in March, the suspicion returned. In just a couple of weeks, researchers found many more flaws, major and minor, which piled up faster than Zoom could fix them, from a broken promise to provide “end to end encryption” for video calls to bugs that would allow a hacker to gain access to a user’s webcam and microphone.

“So many of Zoom’s poor decisions were about prioritising growth over security,” said the analyst Ben Thompson. “This crisis, though, more than takes care of growth: it’s up to Zoom to seize the opportunity to prioritise security in a transparent and verifiable way at a time when all of their customers want them to succeed.”

That’s what the company is promising now, founder Yuan says. Over the next 90 days, it will conduct a “comprehensive review with third-party experts”, publish a transparency report, and run penetration tests to find and fix further flaws.

Superunion’s Vincent Roffers believes that is the right approach. “They need to make it right in a way that’s transparent, that’s visible. The worst thing they could do is retreat and disappear,” he said.

“They’re going to be fine. The thing about branding is, you always have a lot of chances: It’s not about what you do now, it’s about what you do next.”

Photograph: Albert Gea/Reuters. Zoom’s founder Eric Yuan admitted the firm had fallen short of users’ expectations after security flaws were uncovered.