Zoom is showing how to respond to criticism the right way

Sometimes it takes years of criticism to get a company to do the right thing. Every once in a while, it can happen overnight.

Wednesday night was such a night.

After a series of investigative reports, blog posts, and Twitter threads examining Zoom’s design practices and security features, CEO Eric S. Yuan said the company would pause the development of new features and devote all of its engineering resources to fixing privacy and security issues. He also dropped an eye-popping statistic: in three months, Zoom has gone from an average of 10 million daily users to 200 million daily users. Yuan writes:

For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.

Yuan’s list of next steps is long and impressive. In addition to the feature development freeze, the company said it would conduct a “comprehensive review” with outside experts and users to understand the challenges that have come with such rapid expansion. It will improve its bug bounty program and form a council of chief information security officers. And Yuan will begin hosting a weekly webinar to update users on the company’s progress.

Notably, this is essentially what Ben Thompson suggested Zoom do.

And it’s in addition to some other steps, all announced Thursday — like fixing its bizarre macOS installer, which made an end run around normal user permissions and used a misleading prompt. And removing a feature that mined users’ LinkedIn profiles without their consent. And patching a Windows vulnerability.

To the company’s critics — and I have been one myself — Zoom’s moves represent a welcome change in tone. The company has never been particularly hostile to critics, but I do think it has been at least a little slow to acknowledge their concerns.

And if Thursday was any indication, those concerns will still come. In addition to the LinkedIn issue, Brian Krebs reported that miscreants have written a program called zWarDial to guess Zoom meeting identification numbers and then join calls uninvited. You can password-protect your meeting, but many people don’t — either for convenience, or because they’re unaware of the security risk. Krebs writes:

Lo shared the output of one day’s worth of zWarDial scanning, which revealed information about nearly 2,400 upcoming or recurring Zoom meetings. That information included the link needed to join each meeting; the date and time of the meeting; the name of the meeting organizer; and any information supplied by the meeting organizer about the topic of the meeting.

The results were staggering, and revealed details about Zoom meetings scheduled by some of the world’s largest companies, including major banks, international consulting firms, ride-hailing services, government contractors, and investment ratings firms.

At least one of the meetings, he writes, came from a “tech company that’s taken to social media warning people about the need to password protect Zoom meetings!”

So: there’s still some work to do. And yes, some of that work needs to be done by Zoom’s users. Anyone who is using the app to set up meetings should first read the company’s instructions for ensuring no uninvited guests show up.

But given how vital Zoom will remain in the weeks and months to come, we ought to be glad the company acted as quickly as it did.