Over the last month, the Zoom videoconferencing service has emerged as the communication lifeline of the coronavirus pandemic. But the convenience fueling Zoom’s explosive popularity has come at a price.
Originally a service meant for businesses, Zoom was designed to make it easy for company employees, sales representatives and clients to hop on meetings. When consumers flocked to the video platform for school and socializing, however, those conveniences also made it easy to hijack videoconferences and harass participants in online attacks known as Zoombombing.
Now the company is scrambling to deal with privacy and security issues that keep popping up. On Wednesday morning, Zoom announced that it had formed a council of chief information security officers from other companies to share ideas on best practices. The company also announced that it had hired Alex Stamos, the former chief security officer of Facebook, as an outside adviser.
Eric S. Yuan, the chief executive of Zoom Video Communications, the California company behind the video platform, said in an interview Tuesday evening that his greatest regret was not recognizing the possibility that one day Zoom might be used not just by digitally savvy businesses but also by tech neophytes.
“We were focusing on business enterprise customers,” Mr. Yuan said. “However, we should have thought about ‘What if some end user started using Zoom’” for nonbusiness events, “maybe for family gatherings, for online weddings.” He added: “The risks, the misuse, we never thought about that.”
Mr. Yuan said Zoom never felt the need until now to rigorously examine the platform’s privacy and security implications for consumers. “If not for this crisis,” he said, “I think we would have never thought about this.”
In addition to the Zoombombing episodes, Zoom has reacted with surprise to press reports that the company’s iPhone app leaked user data to Facebook as well as to criticism that the platform had allowed certain users to covertly access the LinkedIn profile data of other participants.
Zoom’s trajectory from mass media darling to privacy pariah may seem like a familiar narrative in a tech industry with a build-it-first, beg-forgiveness-later culture. But the coronavirus has accelerated the Silicon Valley story arc at an incredible pace.
The coronavirus-fed boom has essentially forced Zoom to publicly acknowledge and address problems on a vastly shorter timetable than older companies like Facebook. Now attorneys general in several states are scrutinizing Zoom’s privacy and security practices even as the company has publicly committed to improving them.
Mr. Yuan said the company had not anticipated the exponential growth in new users during the coronavirus pandemic or the unrelenting public scrutiny that would come with it.
Four months ago, Zoom was a niche business tool with 10 million daily users, many of them people working in offices or at home. Today, it has emerged as a fundamental online utility, with 200 million daily users — including family members gathering to celebrate holidays, teachers leading online classes for students and members of Alcoholics Anonymous holding meetings.
Last week, Zoom said it was suspending work on features for the next 90 days to devote all of its engineering resources to shoring up its security and privacy practices.
Security researchers also discovered that, despite its marketing promises, Zoom encrypted users’ communications but not with end-to-end encryption — a system that prevents third parties from accessing private communications. Mr. Yuan noted that end-to-end encryption was significantly more difficult with many users communicating simultaneously instead of something like Apple’s FaceTime, which is typically used by a handful of people at the same time.
Last week, the office of New York’s attorney general sent a letter to Mr. Yuan, questioning whether Zoom’s current security practices were capable of handling “the surge in both volume and sensitivity of data being passed” through its network.
Several days later, the Federal Bureau of Investigation issued a warning saying that it had received multiple reports of Zoombombing, including incidents where school meetings were hijacked by strangers posting pornography and using threatening language.
Zoom quickly announced that it was removing the Facebook software from its iPhone app and eliminating the LinkedIn data-mining feature on its platform. To hinder Zoombombing, the company just introduced default settings that will require K to 12 schools to individually admit participants to videoconferences from virtual waiting rooms.
Mr. Yuan said Zoom was now making user privacy and security its top priority and was shutting down enterprise features that could present risks to consumers. “This is a turning point. We have to raise the bar,” he said. “Whenever there’s a conflict, privacy first.”
Mr. Yuan, a former executive at Cisco Systems, founded Zoom in 2011. He has often described the company’s mission as “making video communications frictionless.”
Before the pandemic, Mr. Yuan said, Zoom used a number of security measures to identify vulnerabilities, and invited hackers to probe its service for payment awards, through a bug bounty.
It also developed security and privacy features that could have prevented Zoombombing. But Zoom left it to business customers, which included some of the biggest names in the cybersecurity industry, to decide how they wanted to configure privacy and security settings.
Technologists at those companies vetted Zoom’s code for security vulnerabilities, decided whether their own employees should be required to use passwords to join meetings, and how much of their data should be exposed to colleagues and managers.
Mr. Yuan also said the company created certain services, like the features enabling Zoom users to log in from Facebook or access the LinkedIn profiles of other participants, to accommodate requests from enterprise customers. But outsourcing such decisions to business customers created blind spots for Zoom.
Some cybersecurity and privacy experts said the time for Zoom to reassess its privacy and security was last year, after Jonathan Leitschuh, a cybersecurity researcher, discovered a flaw that attackers could use to activate a Zoom user’s webcam without their permission. Even when users tried to remove the app from their computers, researchers discovered Zoom would secretly reinstall itself.
In its letter last week to Mr. Yuan, the New York attorney general’s office noted that Zoom did not address the problem until after the Electronic Privacy Information Center, a public interest research center, filed a complaint about the company with the Federal Trade Commission last year.
Mr. Yuan admitted that his drive to open access to Zoom during the pandemic sometimes moved faster than the platform’s privacy protections.
Early in the crisis, for instance, a few U.S. schools that foresaw they would need to quickly move classes online contacted him for help, he said, and he personally set up free accounts for them. Soon after, Mr. Yuan made basic Zoom accounts free for schools.
But the company did not have experience working with K-12 school districts, he said, and was not set up for federal privacy laws requiring special protections for students’ and children’s information, noting that the company has had to update its privacy policy for schools several times.
Now, however, Zoom has gone even further and signed an extensive privacy compliance agreement with the Board of Cooperative Educational Services for school districts in Chautauqua County, southern Erie County, and part of Cattaraugus County, in New York.
The landmark agreement, which Zoom signed on March 31, meets stringent new state privacy rules for schools and could serve as a model for other school districts. Among other things, Zoom agreed to delete any data it had collected or stored about the districts’ students, teachers or principals when the contract expires later this year.
Mr. Yuan said his three children were now home doing distance learning over Zoom and he recently asked his daughter, an eighth-grader, if her teacher used certain security features meant to keep out troublemakers. He was relieved when she said “yes.”