Zoom new features will be frozen for 90-days

With great power comes great responsibility, as Unlce Ben said in the Spiderman movie to Peter Parker. Zoom just announced that they reached a new company record for daily users. Back in December Zoom had 10 million daily users, now they have 200 million.

Zoom has seen a wide variety of privacy and security issues that we have reported on Zoom leaking data to Facebook through the Facebook login button and its API. We also recently reported about Zoom’s other privacy transgressions. Just yesterday we reported on how a malicious Zoom user could steal a Windows user’s login credentials.

Today in a blog post, Zoom CEO Eric S. Yuan detailed how they never shared user numbers before, by Yuan revealed their users numbers back in December and now again announcing users numbers since then as 200 million daily active users.

“In March this year, we reached more than 200 million daily meeting participants, both free and paid”

Eric S. Yuan CEO of Zoom

Yuan explains “Our platform was built primarily for enterprise customers,” which is remarkable considering they had vulnerability with network path links that can steal a users username and password.

Yuan goes on to explain “Our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.”

“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”

How does a company like Zoom who had a staff that could support 10 million, support a daily user base of 200 million? Even without all of the security and privacy transgressions that Zoom is having supporting such a massive user base would be a huge task to undertake.

“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively.”

“We are also committed to being transparent throughout this process.”

So for the next 90-days all of Zoom’s engineering resources, even the ones that work on new features will be re-tasked to focus on safety and privacy issues. Zoom is planning what they call a “comprehensive review” with third parties to ensure it handles the new consumer issues properly.

Zoom will also be releasing a transparency report to share the number of requests from law enforcement and governments for user data. Digital rights advocacy groups have called for this in the past. Zoom will also be ‘enhancing’ its bug bounty program and consulting with other information security officers in the industry.

A detailed list of upcoming actions being undertaken by Zoom

• We’ve been offering training sessions and tutorials, as well as free interactive daily webinars to users. We have proactively sent out many of these resources to help familiarize users with Zoom.
  • Trainings and tutorial webinars
  • Live daily demos
  • Upcoming webinars
  • Video trainings
  • Webinar sign-ups for various platform trainings
    
• We are taking several steps to minimize customer support wait times when they reach out with questions.
• We’re listening to our community of users to help us evolve our approach.

We have also worked hard to actively and quickly address specific issues and questions that have been raised.

• On March 20th, we published a blog post to help users address incidents of harassment (or so-called “Zoombombing”) on our platform by clarifying the protective features that can help prevent this, such as waiting rooms, passwords, muting controls, and limiting screen sharing. (We’ve also changed the name and content of that blog post, which originally referred to uninvited participants as “party crashers.” Given the more serious and hateful types of attacks that have since emerged, that terminology clearly doesn’t suffice. We absolutely condemn these types of attacks and deeply feel for anyone whose meeting has been interrupted in this way.)  
• On March 27th, we took action to remove the Facebook SDK in our iOS client and have reconfigured it to prevent it from collecting unnecessary device information from our users. 
• On March 29th, we updated our privacy policy to be more clear and transparent around what data we collect and how it is used – explicitly clarifying that we do not sell our users’ data, we have never sold user data in the past, and have no intention of selling users’ data going forward.
• For education users we:
  • Rolled out a guide for administrators on setting up a virtual classroom. 
  • Set up a guide on how to better secure their virtual classrooms. 
  • Set up a dedicated K-12 privacy policy.
  • Changed the settings for education users enrolled in our K-12 program so virtual waiting rooms are on by default.
  • Changed the settings for education users enrolled in our K-12 program so that teachers by default are the only ones who can share content in class.
• On April 1, we:
  • Published a blog to clarify the facts around encryption on our platform – acknowledging and apologizing for the confusion.
  • Removed the attendee attention tracker feature.
  • Released fixes for both Mac-related issues raised by Patrick Wardle.
  • Released a fix for the UNC link issue.
  • Removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature.

What we’re going to do 

Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes: 

• Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
• Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
• Preparing a transparency report that details information related to requests for data, records, or content.
• Enhancing our current bug bounty program.
• Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
• Engaging a series of simultaneous white box penetration tests to further identify and address issues.
• Starting next week, I will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to our community.

What can you do to protect yourself?

First you will have to decide for yourself or for your organization if you can wait for Zoom to plug this holes in their security protocols.

Next, if you can’t wait, then it may be time to seek out alternatives. More on this subject incoming…

By Platform De.Central | Source: Motherboard