Zoom’s CEO apologizes for its many security issues as daily users balloon to 200 million.


Zoom CEO Eric Yuan has apologized for the videoconferencing service’s many privacy and security issues, saying it was originally built to service businesses with dedicated IT departments, not millions of consumers.

Zoom offers a video-calling service and has seen usage explode since January, as the coronavirus pandemic forces white-collar employees to work from home.

In a blog post published Wednesday, Yuan said usage had exploded 1900%, with daily free and paying users up from 10 million at the end of December to 200 million in March.

But the increased usage has meant increased targeting by hackers and trolls, and growing scrutiny from the press.

Trolls have taken to “Zoom bombing” meetings, dropping in graphic content and even taunting members of Alcoholics Anonymous meetings.

Reports also emerged just this week that Zoom was not end-to-end encrypted as it claimed in its marketing materials, and that the company had inadvertently leaked thousands of users’ personal emails and photos. The firm was also hit with a class-action lawsuit for allegedly handing data to Facebook.

Yuan apologized for the security issues, noting that most have now been fixed.

“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” he wrote.

“We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”

He added: “We recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”

Here are all the measures Yuan says Zoom is taking to make its platform safer:

1. Yuan will host a weekly webinar with security updates.

Starting next week the webinars will take place at 10 a.m. PT on Wednesdays.

2. A total feature freeze

Yuan said effective immediately the company won’t release any new features, instead focusing on shoring up its existing technology, and “focusing on shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.”

3. Zoom is bringing in outside experts to review its security.

Yuan said Zoom will be conducting a comprehensive review of its security using third-party experts and “representative users.”

4. It will prepare and release a transparency report

Yuan gave no indication of when the transparency report will be out, and the only detail he gave was that it would contain “information related to requests for data, records, or content.”

One worry about Zoom’s current setup is that it technically could access people’s call footage, and could potentially hand that over to law enforcement because the footage is not end-to-end encrypted. Zoom has said it doesn’t access people’s call data.

5. Zoom is beefing up its bug bounty program

Many big tech companies offer bug bounty programs, which encourage ethical hackers to find chinks in the company’s security in return for cash.

Yuan did not say how much money Zoom is going to funnel into its bug bounty program.

Last year Zoom’s approach to bug bounties came under scrutiny after a researcher found a serious bug which meant malicious websites could remotely switch on the webcams on Mac computers. The researcher turned down Zoom’s offer of a bug bounty payout because the company demanded he sign a non-disclosure agreement, which would have stopped him disclosing the bug more widely.

6. The firm will set up a council for chief information security officers

A chief information security officer (CISO) oversees cybersecurity within a company. Yuan said he will set up a council with “leading CISOs from across the industry” to discuss security and privacy best practices.

7. Internal penetration tests

White-box penetration testing means looking for security flaws from within an organization, with intimate knowledge of its infrastructure, as opposed to black-box penetration testing, where you start looking for weaknesses with little or no prior knowledge.
