Zoom has come under a lot of scrutiny over the last couple of weeks after the COVID-19 crisis led a surge of users to its video conferencing platform. And rightly so–it should be possible to conduct your meetings and chats without privacy violations, or the threat of “Zoom-bombing.”

Zoom, to be fair to the company, has been pretty responsive in communicating with journalists, but there hadn’t been any solid action taken–until now.

Zoom has just announced a series of powerful security and privacy moves in response to growing criticism of its service. One of the most significant is the decision to pause all new features to focus on security during the COVID-19 surge in users–similar to decisions made by Microsoft and Google.

“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively,” Zoom founder and CEO Eric S. Yuan said in a blog. “We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust.”

Zoom’s feature freeze and other security steps

The feature freeze is effective immediately, and Zoom will be shifting its engineering resources to “focus on our biggest trust, safety, and privacy issues.”

Yuan said the company will also undergo a “comprehensive review” with external experts and users to “understand and ensure the security of all of our new consumer use cases.”

Zoom will prepare a transparency report that details information relating to requests for data, records, or content, and is enhancing its current bug bounty program.

This is in addition to launching a “CISO council” to help counter security and privacy issues, more penetration testing, and a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates.

Fixes for Mac and Windows issues

As part of the blog published on April 1, Zoom also released fixes for Mac issues that could allow hackers to take over your camera or mic, and a Windows problem that could cause passwords to leak.

In addition, it removed the “attention tracking” feature that could allow your boss to see whether you have clicked away from the screen during a meeting, and removed the LinkedIn Sales Navigator after “identifying unnecessary data disclosure by the feature.”

The firm has also published a separate blog to apologize after it emerged that Zoom had been falsely claiming meetings and chats were end-to-end encrypted, when they aren’t.

How Zoom’s surge created a security and privacy nightmare

I care about security and privacy, and Zoom is an amazingly functional app that I have even used myself to help me get through the COVID-19 crisis. But I have so far used the app reluctantly, and only when a viable alternative wasn’t available.

Yet it would be fair to Zoom to acknowledge that its sudden surge in users during COVID-19–which it never could have planned for–left it with security issues that spiralled out of control. As Yuan said in the blog, Zoom use literally “ballooned” overnight–“far surpassing what we expected when we first announced our desire to help in late February.”

Yuan admits that Zoom did not design the product “with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.”

“We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”

And the figures are quite extraordinary: As of the end of December last year, the maximum number of daily Zoom meeting participants was approximately 10 million. But in March this year, Zoom reached more than 200 million daily meeting participants.

“We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security,” Yuan said. “However, we recognize that we have fallen short of the community’s–and our own–privacy and security expectations. For that, I am deeply sorry.”

With the rapid growth Zoom has experienced recently, ESET cybersecurity specialist Jake Moore says focusing on security “is the honourable thing to do”, but he also says this could be “a little too late.”

“A business model based on selling data to third parties these days doesn’t add up to me. If companies focus on protection of their users, they can still flourish and even protect their own future financially as more people become more privacy focused.”

Zoom is probably the most usable videoconferencing app out there, but it won’t be the choice for security- and privacy-conscious people at the moment. However, this series of security and privacy moves is important, and it’s crucial to call out the good along with the bad. Zoom must do better–and quickly.

