Zoom freezes feature development to fix security and privacy issues

Zoom has been widely criticized over the past couple of weeks for terrible security, a poorly designed screen-sharing feature, misleading dark patterns, fake end-to-end encryption claims and an incomplete privacy policy. Despite that, the video conferencing service has attracted a ton of new users thanks to the coronavirus lockdowns around the world — the company reached 200 million daily active users last month.

Zoom, an enterprise product designed for boring corporate meetings, has become a mainstream product with all the risks that it involves.

That’s why the company’s CEO Eric S. Yuan has written a lengthy blog post to address some of the concerns around Zoom. He starts by sharing some metrics. Zoom has been used by 90,000 schools around 20 countries. Daily meeting participants jumped from 10 million in December to 200 million in March.

But some companies are starting to reconsider using Zoom for video conferences. For instance, SpaceX, Elon Musk’s rocket company, has banned its employees from using the service.

For the next 90 days, Zoom is enacting a feature freeze, which means that the company isn’t going to ship any new feature until it is done fixing the current feature set. Zoom will also work with third-party experts and prepare a transparency report.

“For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus,” Yuan writes. “However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”

As expected, Yuan says that mainstream adoption has led to unforeseen issues. “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” he writes.

In addition to keeping up with the massive influx of customer support requests, Zoom has already shipped a few updates to solve some issues. The company released a new version of its iOS app to remove Facebook’s SDK as the company’s privacy policy never said that you consent to sharing data with Facebook. The company updated its privacy policy as well.

Zoom removed the attendee attention tracker feature, a controversial feature that lets hosts see if the Zoom window is currently in focus. The company has also shipped security updates after Patrick Wardle uncovered vulnerabilities.

Zoom wrote a dedicated K-12 privacy policy and changed some default settings for schools (waiting rooms are on by default, only teachers can share content, etc.).

The company is far from done. Don’t forget that it claimed that calls are end-to-end encrypted even though they’re not at all. More importantly, the fact that Zoom is fixing issues as quickly as it can isn’t enough. Something is wrong at Zoom — there’s a corporate culture issue that leads to all those missteps. It’ll take much longer than 90 days.