Zoom had a remarkable first week of April. Actually, all of March was a spectacular month for conferencing providers across the sector. The coronavirus (COVID-19) provided a compelling event for organizations and individuals to embrace remote work. It will take a few more weeks to quantify the impact, but many providers have shared significant spikes in usage.
When Zoom received the most attention, it wasn’t pretty. Several experts revealed security issues at Zoom, alarming enough that the FBI issued a public warning about its services. Zoom also received several mainstream articles outlining vulnerabilities on popular non-technical news sites such as the Washington Post, NPR, BBC, and Forbes. Several enterprises responded by discouraging or banning the use of Zoom.
Zoom responded with three separate blog posts to apologize and reassure customers of corrective actions. Zoom definitely has some fault here, but it’s also the victim of a very dynamic situation. It got caught in the crossfire of three separate events: a global pandemic, a shift in user requirements, and US-China mistrust.
COVID-19 catapulted Zoom and other providers into a whirlwind of unprecedented demand. For the past several years, Zoom has been steadily growing. As of December 2019, the company was serving about 10 million meeting participants daily — that effectively took a decade to accomplish. In the first three months of 2020, Zoom saw a twenty-fold increase in usage as it just reported it hit 200 million daily users.
Too much of anything can be bad, and that includes growth. Such an increase stress-tests organizations, including capacity planning, cash and cash flow management, operations, and customer support. Most conferencing providers have been scrambling to accommodate demand in March. Shortcuts are necessary at times like these, and it appears Zoom took some that it will regret.
The second issue occurred more gradually over 2019, and that’s a general increase in security awareness. For close to a decade, the top priority across the enterprise communications sector was ease-of-use. A big part of Zoom’s success has been how it streamlined and simplified the video conferencing experience. Zoom offers a freemium service, so getting users to trial the product is the first step. Ease-of-use leads to wider adoption, which leads to paid subscriptions.
It’s been a gradual change, but security has increased in importance, possibly even replacing ease-of-use as a top priority. There was no single event that did it. But an exhausting year of breaches, abuse realizations from brands such as Facebook, and new regulations such as GDPR and the California Privacy Act have all promoted the awareness and priority of security. Enterprise leaders are more concerned about information security than ever before. That’s why communications security was selected as the theme for this year’s Innovation Showcase at Enterprise Connect 2020.
The third issue is the declining trust between the U.S. and China. This has been building for about two years. Last September, China blocked domestic access to Zoom’s global service. Zoom created a new Zoom service for China, separate from its global service. However, we recently learned that servers in China were still supplementing global capacity. Zoom says this was a mistake and that it was corrected after the company learned of the issue from researchers. As a result, U.S. participants and other users may have utilized services hosted in China. It was a reminder that Zoom has significant development and an operational presence in China.
China is a sensitive topic. Concerns stem from a 2017 Chinese intelligence law that requires companies and citizens there to assist in state intelligence work if/when requested. That includes the sharing of data and information. Zoom is an American company, so it is not directly impacted by this law. However, Zoom does a considerable amount of development in China in partnership with Chinese-owned companies, which was outlined last week in a report by the University of Toronto’s Citizen Lab.
The report further identified that those servers in China utilized non-standard encryption techniques. That involved a method of encryption with known weaknesses, including the transmission of keys between regions. In its response blog post to the report, Zoom confirmed it had failed to follow its geo-fencing guidelines when it added capacity, but did not respond to the encryption issues. Zoom has developed most of its own technologies.
Now What?
Eric Yuan, the CEO and founder of Zoom, has called a time-out. The company is freezing its feature updates to focus on its security and privacy issues (see related No Jitter article). “Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively,” explains Yuan. “We are also committed to being transparent throughout this process.” That seems like an appropriate response, but that’s the easy part.
It’s a fascinating reversal of fortune. Zoom has become a household name and is strongly associated with video in a time when everyone is evaluating video. Its ease-of-use and freemium model have made it a logical go-to solution as organizations seriously experiment with video communications. Social media is filled with creative virtual backgrounds, and Zoom has reached the coveted verb status, as in “I’ll Zoom you.” Now, suddenly Zoom is in a major crisis and must urgently rebuild goodwill and trust.
I’ve always been willing to give Zoom some leeway because it has done so much good for enterprise communications. I believe that most providers, including Cisco with Webex and Microsoft with Teams, are better because of Zoom. The company has made video conferencing simpler and better. However, it did this by favoring ease-of-use.
“Zoombombing,” for example, became a popular concern last week. It’s when uninvited participants are able to attend and disrupt a meeting. The resolution is a change in default security permissions that Zoom has already implemented. In fact, a few recent changes at Zoom (new meeting lobby rules, required passwords, the removal of Facebook for simplified authentication, and changes to default sharing permissions) have made the service more secure (and more like its primary competitors).
But research from Toronto sheds a darker light on Zoom. The issues aren’t just about favoring ease-of-use, but misrepresentation. Zoom incorrectly suggested that its meetings were using end-to-end encryption. They weren’t, and the encryption used has vulnerabilities. Routing domestic traffic through China, without user consent or knowledge, makes it even worse.
In the cloud era, we must trust our providers. Trust takes time to build and seconds to lose. The way to build trust is to be transparent. That includes using standards (such as TLS and AES encryption). It also means sharing the results of internal and external security audits and specifying security improvements in release notes.
It’s also about being very clear about when security becomes weakened. For example, does the inclusion of a foreign participant reduce security? How about the use of a SIP trunk or room system? Do recording or transcription services lower security? In most cases, the answers to these situations are yes, but it can be pretty difficult to ascertain. I’d love to see a security color or score in real-time displayed to all participants during the meeting.
In fairness, security isn’t equally important to all organizations. While I suspect the U.K. government will stop using Zoom for its cabinet meetings, there’s less urgency for K-12 education to make changes. Also, I wouldn’t underestimate Zoom’s ability to recover from this. The company is very agile and will undoubtedly respond with improved security. If Zoom addresses security with simple, easy-to-understand options, it may even end up with a competitive advantage.
Meeting technology is rapidly evolving. Speech can be recorded and transcribed, and voices can be recognized. As they say in the movies, “anything you say can and will be used against you.” “Maybe not today. Maybe not tomorrow, but soon and for the rest of your life.”