As businesses, schools and other organizations were forced to quickly, and sometimes haphazardly, move their operations online amid the COVID-19 pandemic, they embraced a number of tools making that shift possible. Among them: Zoom, a video conferencing service that’s seen a huge increase in usage by everyone from teachers to coworkers to friends looking to host group hangouts with one another. Zoom had 10 million customers at the end of 2019, three months later it finds itself with 200 million — not to mention a stock price that’s up nearly 80% on the year in an otherwise largely catastrophic market.
Growth being the name of the game in Silicon Valley, almost any tech giant would gladly welcome that kind of meteoric rise. But along with the overnight popularity came increased scrutiny. Privacy experts have sounded all sorts of alarms about Zoom, ranging from the rise of “Zoombombing,” or the practice of uninvited interlopers invading chats, to a deadly serious flaw that reportedly allowed hackers to take over a victim’s webcam and microphone. Some have raised concerns about the company’s ties to China, a country with little respect for privacy rights. Motherboard reported that Zoom was sending information to Facebook via the social network’s analytics tools. The New York Times found the company was linking users who wanted to remain anonymous to their LinkedIn profile. Wired looked into questions about Zoom’s end-to-end encryption, a technology meant to keep chats hidden from prying eyes and ears.
All this attention has put Zoom CEO Eric S. Yuan on the defensive. In an interview with TIME, the 50-year-old chief executive was candid about the company’s issues in handing the sudden demand. He argues that Zoom was always meant as an enterprise product — meaning a service for businesses, not personal users — and thus wasn’t designed with personal privacy top of mind. But he also understands that the company needs to reevaluate its priorities to meet this unusual moment.
“We’re learning that, when it comes to enterprise users or otherwise, privacy is very important,” Yuan tells TIME. “Some features might work well for enterprise customers and may not work for consumers. You’ve got to have balance.”
Yuan, who left China in the 90’s to join the engineering team at WebEx (which in 2007 was acquired by Cisco Systems, where he became Corporate VP of Engineering), says that Zoom has quickly worked to address privacy issues and other problems.
“Overnight, we signed on so many users, we tripled our capacity, offered K-12 schools free services, it was very exciting,” Yuan says. “But we needed to train [users], because quite often they do not have I.T. resources. We needed to change some security settings, like password enforcement on day one. But we learned a lesson, we quickly made a change.”
Indeed, Zoom is taking what some privacy experts say are commendable efforts to address its issues. It recently announced a 90-day plan to focus on privacy rather than flashy new features, as well as brought on Alex Stamos, a well-respected privacy expert who was formerly Facebook’s chief security officer, as an outside advisor.
Gennie Gebhart, Associate Director at pro-privacy nonprofit Electronic Frontier Foundation (EFF), says such moves are welcome after what she describes as years of the slow erosion of people’s right to privacy.
“More and more of our daily lives are being mediated by third parties, and we’ve been living in that moment for decades,” says Gebhart. “But third parties often don’t have your privacy and your right to be left alone as their first interest. We’re seeing this totally new violation of that right to be left alone in increasingly intimate settings that I don’t think Zoom was made for originally, but that it’s now trying to step up to.”
Some of the issues people have had with Zoom can be fixed with more careful use. Zoombombing, for instance, can largely be prevented if users follow the company’s recommended practices. The company has addressed many of the aforementioned problems, too — that webcam and microphone flaw was quickly fixed, and Zoom has gotten rid of the offending Facebook and LinkedIn ties. But the company’s reputation is already suffering. New York City’s Department of Education, for instance, recently advised teachers to drop Zoom “as soon as possible,” citing security concerns.
For a company like Zoom, education is a particularly tricky minefield to navigate. Minors have privacy protections that adults do not, thanks to laws like the Children’s Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA). When teachers suddenly had to scramble to get their classrooms online as schools shut down, many choose Zoom as an ad-hoc remote learning platform, sometimes without the involvement of a professional I.T. team. Now that the dust has settled, some educators are reevaluating whether Zoom was the right choice.
“Teachers will sign up for a free basic account, and that’s not actually compliant,” says Nathan McNulty, an education security expert who works in Oregon. “I think that’s what New York City schools are trying to rein in. It’s a mess, it’s a big mess.” He says that schools and teachers weren’t able to properly vet services like Zoom before they were expected to move their classrooms online. “They’re not just going to hop into Google and search ‘Zoom best security practices,’ right?,” says McNulty. “You need an I.T. person who knows that’s an issue, because you don’t know how much you don’t know.”
McNulty says that, for educators already on Zoom, moving to something else now could be more trouble than it’s worth. “I would still recommend Zoom, at least if you’re already on it,” he says. “To say, ‘oh sorry, you can’t see your class because we’re setting up something new,’ I feel for the impact that this is having on the kids. I just want them to be able to connect, because the human side is more important than just making sure everything has perfect security and perfect privacy,” he says. “But that’s not a very popular opinion in information security.”
Other experts say Zoom and other similar services need to embrace “privacy-by-default,” or the idea that services should be built for privacy from the ground up. “No one should need a computer science degree, or a law degree, or have their weekends free to work on the new project of protecting their privacy from all these enemies they’ve heard of and even more they’ve never heard of,” says Gebhart, from the EFF. “That’s not a sustainable solution, and we need sustainable solutions. We’re settling in for a marathon.”
For Yuan, while the sudden growth has certainly been exciting, he’s eager to get out of the spotlight and back to focusing on enterprise customers.
“I don’t think we know how to play in the consumer market, but we do know how to focus on privacy and security,” he says. “It doesn’t mean we want to be in the consumer market. This is a crisis, we want to help. After it’s over, we want to go back to serving our existing enterprise customers.” But given how long we may find ourselves social distancing, Zoom may be in the consumer business for some time.