Tuesday 7 April 2020

C-19 Sensemaking

Zooming along

The videoconferencing platform Zoom is thriving during the pandemic. But its success is also bringing fresh scrutiny – and new problems

By Chris Stokel-Walker

Covid-19 is ravaging the economy. But some companies seem to be immune from its effects. Some, even, seem to be thriving. Zoom belongs to this latter, lucky category. This Silicon Valley firm, with its videoconferencing app, has seen its share price rise by about 80 per cent since the beginning of the year. As Tortoise’s own C-19 Tracker shows, the average user now visits its website about four times a day. But more than the numbers and the graphics, it’s Zoom’s psychic penetration that really matters: the lockdown has made Zoom users of us all.

But Zoom’s recent success has not come without costs – for Zoom itself and for its founder, Eric Yuan.

Yuan’s origin story is far removed from those of most other West Coast tech titans. He was born and raised in Shandong Province, China, before making his way to Silicon Valley in 1997, not to found some trendy new startup but to join a company called WebEx, which developed an online meeting platform. WebEx’s software, which was acquired by Cisco in 2007, was dull and dour. Its customers were boxy-suited businessmen.

Yuan kept climbing through the company, accelerating at the same rate as his English-language skills, which he learned from his colleagues at Cisco. But he left the company in 2011 as their head of engineering when bosses shot down a plan to develop a non-business, customer-friendly conference app for smartphones. He wanted a new challenge. But it wasn’t much different from his old one.

Yuan saw an opportunity for a new video conferencing service, though many others were confused by his faith in the idea. He had left Cisco, which offered the same service; Google was starting to carve out a niche; and Skype had 145 million active users in 2011. Doing the same thing seemed a bad business move, to everyone except a former colleague at Cisco, Dan Scheinman, who invested $250,000 in the company after a demonstration at a Palo Alto café.

The entrepreneur spent the best part of two years developing the product before releasing it publicly in 2013. It grew by word of mouth, and because it was free and could be used easily on smartphones. By 2015, when the company raised $30 million in venture capital funding, it had 65,000 companies using its software. It launched its initial public offering on 18 April 2019, and ended the year with 10 million daily users.

Eric Yuan, founder and chief executive officer of Zoom Video Communications Inc., rings the opening bell during the company's initial public offering

But it wasn’t until the spread of the coronavirus across the globe that Zoom broke out of its core user base and into the collective consciousness. The ability to bring 100 people onto a conference call for up to 40 minutes at a time for free was an appealing offer for families, companies and institutions worldwide, all scrambling to figure out how to stay in touch. Zoom’s business has boomed: today, 200 million people log on each day, including 90,000 schools. The UK Cabinet uses it for its daily meetings, much to the horror of security-minded IT experts.

“It seems to me, that despite assertions by the company, data protection, privacy and security were not built in by design from the outset, or even in response to the GDPR, for example,” says Pat Walshe, a data protection expert.

And this is where the problems begin. Zoom has claimed that its calls are encrypted end-to-end, preventing them from being easily accessed by hackers. But journalists at The Intercept dug deeper, and got Zoom to admit that wasn’t the case.

Privacy experts then began combing through the T&Cs that people accept when using Zoom – and what they found was a parade of horrors. The app leaked the email addresses of many users thanks to a misfiring feature; it siphoned off user data to Facebook without declaring it in the app’s privacy policy; its terms for using the app were overly broad and, until they were changed in late March, allowed the app to trawl through transcripts of anything said on a call and any documents shared on a call to theoretically share with third parties; call hosts could monitor when participants weren’t paying attention; and the company was forced to apologise after some call data was “mistakenly” routed through China, where the government is widely believed to eavesdrop on internet traffic.

And the list continues. Public service announcements have been circulating on social media, warning users that messages they thought were secret, sent in one-to-one private messaging adjacent to any meetings, weren’t actually private. Teenage hackers, suddenly bored and with nothing better to do, have taken to dropping in on Zoom calls by guessing or finding meeting numbers and causing trouble. The practice has been dubbed “Zoombombing”.

In Bergamo, Italy, a member of the medical staff helps a Covid-19 patient to hold a video-conference with relatives

These issues have attracted the attention of regulators across the world. New York’s attorney general wrote a letter to the company asking how it was tackling the issues, and other states are undertaking their own investigations. European and British data protection regulators have said they are considering concerns that have been raised.

“Our platform was built primarily for enterprise customers – large institutions with full IT support,” said Yuan in a blog post. “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.”

That’s something that Lilian Edwards of Newcastle University’s law school recognises. “It shows the very clear cultural and indeed, in most countries, legal difference between expectations around workplace surveillance safeguards and other scenarios,” she says. “Zoom is clearly designed for the former and for office workplace norms. We’re going through a very fast phase of bringing [Zoom] up to citizen and consumer standards of privacy and autonomy.” Edwards believes that, as online working becomes the norm, there needs to be better establishment of workplace privacy expectations.

Yuan also admitted that Zoom didn’t expect to face the scrutiny of security researchers and journalists. The CEO has committed to a freeze on all new features, and said the company’s engineering staff will be moved to plugging all holes found. They’re conducting a third-party security review, preparing a transparency report, and increasing bounties for socially responsible hackers to report any issues they find. Yuan is also hosting a weekly webinar every Wednesday to provide updates about Zoom’s security, where he also answers questions. “We recognise that we have fallen short of the community’s – and our own – privacy and security expectations,” he wrote in an open letter. “For that, I am deeply sorry, and I want to share what we are doing about it.”

“It’s good to see Zoom’s CEO admit to multiple failings, and commit to fixing them,” says Walshe – but he warns that tech CEOs are well-known for paying lip service to problems and doing little to solve them.

Yuan’s surprise at finding these issues existed in his software is unusual. In filings with the US Securities and Exchange Commission made in advance of its initial public offering, Zoom admitted that “Concerns regarding privacy, data protection and information security may cause some of our customers and hosts to stop using our solutions and fail to renew their subscriptions”. They also wrote that “Our actual or perceived failure to comply with privacy, data protection and information security laws, regulations, and obligations could harm our business”.

Yet while the negative headlines have provided a reality check, they haven’t been too damaging for Zoom’s bottom line. From its peak share price of $159.56 in March, the company is now trading at a still-hefty $125 a share. And millions are still using the service in the absence of a similarly-powered alternative – including Britain’s Cabinet. In a world of many coronavirus losers, Zoom and Eric Yuan remain winners.

On 7 April 2020, at 6.30pm BST, Tortoise is holding a ThinkIn to ask: Just how powerful is Zoom now? You can sign up to join the discussion here.

All photographs Getty Images

 
