Zoom’s CEO apologizes for its many security issues as daily users balloon to 200 million

• The videoconferencing company Zoom has been criticized for the privacy and security issues on its platform.
• In a blog post on Wednesday, CEO Eric Yuan apologized for the problems and said Zoom wasn’t built to handle the number of people now using its platform.
• Yuan said Zoom now has 200 million daily paid and free users, up from 10 million at the end of December.
• He announced a series of measures to help make Zoom more secure and said he’d hold a weekly conference to update people on the company’s progress.
• Visit Business Insider’s homepage for more stories.

Zoom CEO Eric Yuan has apologized for the videoconferencing service’s many privacy and security issues, saying it was originally built to service businesses with dedicated IT departments, not millions of consumers.

Zoom has seen its usage explode since January as the coronavirus pandemic forces white-collar employees to work from home.

In a blog post published Wednesday, Yuan said usage had increased by 1,900%, with 200 million daily free and paying users in March, up from 10 million at the end of December.

But the increased usage has meant increased targeting by hackers and trolls and scrutiny from journalists.

Trolls have started “Zoom-bombing” meetings, dropping graphic content in video calls and even taunting people in Alcoholics Anonymous meetings.

Reports also emerged just this week that Zoom was not end-to-end encrypted as it claimed in its marketing materials and that the company had inadvertently leaked thousands of users’ personal emails and photos. The firm was also hit with a class-action lawsuit accusing it of handing data to Facebook.

Yuan apologized for the security issues and said that most had been fixed.

“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” he wrote.

“We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”

He added: “We recognize that we have fallen short of the community’s — and our own — privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”

Here are all the measures Yuan said Zoom is taking to make its platform safer:

1. Yuan will host a weekly webinar with security updates.

The webinars will take place at 10 a.m. PT on Wednesdays.

2. Zoom will implement a feature freeze.

Yuan said that effective immediately, the company won’t release any new features but focus on shoring up its technology and “shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.”

3. Zoom will bring in outside experts to review its security.

Yuan said Zoom would conduct a comprehensive review of its security using “third-party experts and representative users.”

4. It will prepare and release a transparency report.

Yuan did not indicate when the transparency report would be out, saying only that it would contain “information related to requests for data, records, or content.”

One worry about Zoom’s setup is that it technically could access people’s call footage and hand that over to law enforcement, because the footage is not end-to-end encrypted. Zoom has said it doesn’t access people’s call data.

5. Zoom will beef up its bug-bounty program.

Many big tech companies offer bug-bounty programs that encourage ethical hackers to find issues with the company’s security in return for cash.

Yuan did not say how much money Zoom would funnel into its program.

Zoom’s approach to bug bounties came under scrutiny last year after a researcher found a serious bug that meant malicious websites could remotely switch on the webcams on Mac computers. The researcher turned down Zoom’s offer of a payout because the company demanded he sign a nondisclosure agreement that would have stopped him from disclosing the bug more widely.

6. The firm will set up a council for chief information security officers.

A chief information security officer oversees cybersecurity within a company. Yuan said he would set up a council “with leading CISOs from across the industry” to discuss “security and privacy best practices.”

7. Zoom will start internal penetration tests.

White-box penetration testing means looking for security flaws from within an organization, with an intimate knowledge of its infrastructure — as opposed to black-box penetration, where you start looking for weaknesses with no or little prior knowledge.