Learning the Hard Way: Zoom and the Public Face of Security and Privacy

The Zoom platform learned the hard way the importance of data privacy and security to consumers. We can all take some lessons from this experience.

“Coronavirus,” “social distancing,” “contact tracing,” even the word “pandemic” have all suddenly and unexpectedly entered our daily vocabulary.

So too with “Zoom.”

Forced away from colleagues, friends, and family, people turned to “Zooming” each other for everything from work to virtual happy hours, family chats to online learning.

They dated on Zoom. They got “zoom-bombed.” Heck, people have even tied the knot on Zoom.

“No tech company has seen its profile change so radically during the coronavirus pandemic as Zoom, which has become a household name in a matter of weeks,” wrote Kevin McLaughlin in The Information.

Not All Good Publicity

Much of that attention has been good for Zoom, as the number of daily meeting participants skyrocketed from 10 million in December 2019 to more than 300 million by early April 2020.

But what should have been every tech CEO’s dream quickly morphed into a nightmare when a series of privacy and security flaws were very publicly revealed, followed by a series of lawsuits and “bans” on the use of Zoom coming from the likes of the New York City Public School system, the Pentagon, the US Senate, and Google, among many others.

The list of problems came so thick and fast that several news sites published timelines to help people keep up; CNET’s timeline strikes me as the most complete, and I’ll refer you there rather than go over the gory details.

An Opportunity to Learn

This is no “rise and fall” story, however, nor is it a deep dive on the privacy and security flaws that existed when Zoom went boom.

Instead, I want to look at what we can learn from Zoom’s rapid and refreshingly honest response to the crisis, which stands as a model for how companies can survive the (inevitable) revelation that their software isn’t perfect.

I also want to consider some of the lessons anyone involved in building software should draw from Zoom’s sprint to maturity around security and privacy.

When Faced with Flaws, Refreshing Honesty Prevails

When I heard of some of the first Zoom security vulnerabilities late in March—the transfer of user analytics data to Facebook, followed by the first of the classroom “Zoombombings”—I cringed. I pictured lawyers holed up with company executives (virtually of course) crafting carefully worded evasions while the developers scrambled to fix the bugs.

But Zoom didn’t live by the “play it safe” script we’ve seen other tech companies run when faced with embarrassing revelations. The company, led by CEO Eric Yuan, came forward with an approach that was both rare and refreshing: honesty and transparency.

A Breath of Fresh Air

In a widely shared blog post, Yuan wrote in detail about the challenges of the sudden explosion in Zoom usage, especially among home users and schools, often without existing IT support.

And in an interview with NPR reporter Ari Shapiro, Yuan said “I never thought about [harassment] seriously” before the uptick in Zoombombings in March. A year earlier, continued Yuan, he would have hesitated to say the company needed to take security seriously.

What a difference a year makes.

“Now,” he continued, “we’re going to transform our business to a privacy-and-security-first mentality…. When it comes to a conflict between usability and privacy and security, privacy and security [are] more important – even at the cost of multiple clicks.”

He immediately committed the company to spending 90 days prioritizing security and privacy issues over new features. Within days, Zoom updates were pushed to users, demonstrable proof of the company’s commitment.

Candor Leads to Trust

Now I’m no Zoom “fanboy” or apologist; I have no connection to the company other than being a user through my company account. But I’m a big fan of candor and transparency and I, like many others in the cybersecurity space, found Zoom’s approach admirable.

“It’s a rare case of a company acknowledging their problems, admitting they made mistakes and misleading statements, and laying out concrete steps to fix it,” Gennie Gebhart, associate director of research at the digital rights group Electronic Frontier Foundation, told Washington Post reporter Joseph Marks.

Across the tech community, people heralded the transparency and commitment.

I’d like to think people kept using Zoom through this challenge because they appreciated the honesty and transparency everyone at the company demonstrated during this tough time.

The lesson I hope executives will draw from this is that honestly admitting flaws and then actively engaging in fixing them can go a long way in winning the trust of users.

Learning from Zoom’s Issues

It’s been delightful to see a company demonstrate the “right” approach to addressing security issues.

It would be even more delightful if all companies that built software—hell, all companies collecting data from employees and customers, for that matter—would take some cues from this very public come-to-Jesus moment around protecting data.

Here are a few things all companies might consider:

  • Top-level executives embracing privacy and security as pillars of long-term success, alongside user count and revenue growth.
  • Dev teams incorporating security- and privacy-by-design practices into their development methodologies.
  • Dev team managers insisting those involved in product development—from the product management team through to coding and QA—understand the importance of secure coding practices to avoid common vulnerabilities.
  • Software teams using pen testing and bug bounty programs to ensure their work is rock solid before release.
  • Employees at all levels and in every position understanding that the best customer experience comes when the customer trusts you have the privacy and security of their information and their experience at heart. This is the work of a training and awareness program emphasizing a consistent and ongoing commitment to data protection.

We’re all going to come out of this strange period in our collective history having learned a thing or two.

Some of these things are trivial, like check your hair before your first Zoom meeting and don’t wear tight pinstripes with a virtual background.

But there are lessons we can learn from Zoom that are pretty profound:

  • Be honest when you’ve screwed up
  • Do your best to make things right
  • Learn from the mistakes of others

You won’t get it perfect, but it’s the trying that matters.

I can’t help but recommend you review the detailed letter about Zoom’s commitment to privacy and security on its website; it’s a model for what I’m talking about.


Check out more content from Tom Pendergast on his blog Confessions of an Awareness Nerd.