Zoom is a week shy of celebrating its first year as a public company, and in that time the platform stole market share from industry stalwarts and became the social-enabling platform of choice for many in quarantine.
The coronavirus made Zoom a headline story — for better and for worse.
It might be tempting to believe Zoom's flaws were intentionally hidden, it's more likely popularity brought scrutiny — something all prominent technologies have to bear at some point.
"To give Zoom the benefit of the doubt, it is completely common for applications to be available for long periods of time before vulnerabilities are discovered," Chris Rothe, co-founder and chief product officer, Red Canary, told CIO Dive. Even Microsoft Windows addresses flaws every Tuesday.
While businesses are in a health and economic crisis, industry has little patience for mistakes. On April 8, Zoom shareholder Michael Drieu filed a class action lawsuit against the company for its for its privacy standards and end-to-end encryption claims. Zoom did not immediately respond to requests for comment.
"It is a well understood law attributed to Bruce Schneier that you should not 'roll your own' cryptography. For whatever reason, Zoom didn't follow this law," said Rothe. The result? "A sub-par encryption scheme" that unraveled into more privacy implications.
While Zoom has gained critics, it still has loyal users.
As vocal as Zoom CEO Eric Yuan has been in his push to make Zoom a privacy- and security-first platform, some users have no reservations, according to Rothe. "Most enterprises I know of who used Zoom prior to the COVID-19 crisis are unphased by this outrage largely because Zoom works really well compared to its competitors and the security risks are acceptable."
The Intercept and white hat hackers revealed Zoom's definition of E2E encryption was more of an interpretation of transport encryption. A Zoom spokesperson confirmed to The Intercept E2E encryption isn't enabled for video meetings, despite the company's security white paper stating otherwise.
With true E2E encryption, Zoom wouldn't be able to access video transcripts or content.
Zoom's high-profile, misleading security claims will likely live beyond the pandemic, Mark Bower, SVP at Comforte, told CIO Dive. It's a warning for claims that "washed over with tenuous compliance statements, or are demonstrably untrue."
The transport layer security method Zoom uses is common among its video rivals, including Cisco Webex and Skype for Business. E2E encryption for collaboration platforms is difficult.
Consider a user on a landline, said Bower. Encryption doesn't factor in.
Because people have a tendency to color security as an absolute solution, vendors are given very little wiggle room for gray areas.
While regulators and privacy laws are giving security compliance some teeth, companies that offer free services are not always transparent in how they monetize their offering. It's often portrayed as a fair trade.
Privacy concerns were amplified after Motherboard discovered Zoom shares a portion of analytics data to Facebook without user explicit consent. Facebook was notified when users open their Zoom app, sending along information regarding device model, location, time zone and phone carrier, according to the report. From there, a unique advertiser identifier is derived from the device, used for personalized ads.
"Collecting and selling data is not a new issue, and many employees casually use free services under the radar of their companies legal and security teams," Tony Anscombe, chief security evangelist at ESET, told CIO Dive.
Zoom's security A-Team
The effects of Zoom's lack of E2E encryption are rippling across the world; Taiwan, Germany and U.S. organizations, including SpaceX and the New York City Department of Education, are asking for entities to prohibit the platform.
As of Wednesday, Google is issuing a ban of the platform for employees, according to BuzzFeed News. While Google offers a Zoom competitor, Meet, employees were told Zoom would no longer work on their devices.
"Once it became clear, it caused many to react very strongly that Zoom was not safe for use," said Rothe.
Yuan admitted the exponential growth highlighted the company's "missteps," saying the platform was primarily suited for organizations with a dedicated IT team.
In December, Zoom had about 10 million daily meeting participants. By March, its scalability was challenged by the coronavirus outbreak, reaching more than 200 million participants.
The dramatic escalation disrupted Zoom's existing privacy posture faster than it could catch up, which brought on critique from the InfoSec community.
"I am sick of people pushing non-empirical ideas of privacy," referring to using credentials across platforms, specifically Facebook, wrote Alex Stamos, former Yahoo and Facebook security chief, in March.
Facebook is capable of "catching 500,000" stolen credential logins daily, according to Stamos. He called out "privacy theater" after Zoom removed its Facebook login software development kit, which could lead to further credential stuffing.
While he defended Zoom, Stamos called on the video conferencing to "demonstrate more transparency" and a feature freeze.
Yuan published an open letter doing just that. Following Yuan's invitation, Stamos joined Zoom as an outside advisor on Wednesday. "To successfully scale a video-heavy platform to such a size, with no appreciable downtime and in the space of weeks, is literally unprecedented in the history of the internet," said Stamos.
To resurrect Zoom's reputation and security, the company tapped other experts, including SBC, NTT Data, Procore, and Ellie Mae, to guide its 90-day plan. "Some of the most well-respected CISOs in the world have offered us their time and services," wrote Yuan on Wednesday. The company's CISO Council will have a subset of advisors, including Stamos, who report directly to the CEO.