
Zoom freezes feature development to fix security and privacy issues - scalableUnicon
https://techcrunch.com/2020/04/02/zoom-freezes-feature-development-to-fix-security-and-privacy-issues/
======
_asummers
> “We did not design the product with the foresight that, in a matter of
> weeks, every person in the world would suddenly be working, studying, and
> socializing from home. We now have a much broader set of users who are
> utilizing our product in a myriad of unexpected ways, presenting us with
> challenges we did not anticipate when the platform was conceived,

I mean, sure, fine, it scaled quickly. That's not what people are mad at. We
could tolerate technical issues inherent with that growth of scale. But these
issues are fundamental and were issues with both 5 people and 5 billion and
given that some of the choices, e.g. the installer, were deliberately
designed, that statement holds no water with me.

~~~
afloatboat
Then again, how did this happen? In my scenario you have a product owner
asking for specific functionality to be added, a (group of) developers gives
their estimation of how much effort/time this will take and some time later it
gets built.

So when the product owner asked the developers to add the ability to log in
with Facebook, they looked at the technical documentation of the Facebook SDK,
but probably not much thought went into how Facebook would channel through
data even for non-facebook users. And if the technical staff did not
communicate this to the PO they might not have been technically savvy enough
to consider this a problem/threat.

I don't want to defend Zoom, I've actually also been pushing against using it
in our company. But I also don't agree with the idea that every bad thing that
comes out of Zoom was done with malicious intentions. I think it speaks more
about software development in general. Don't forget that every website with
Google Analytics, Facebook Pixel, Facebook Like buttons, Twitter embeds have
basically been doing the same thing for years.

~~~
meowface
I think it's extremely likely not a single one of their decisions was done
with malicious intentions. But that's also the case for all the other software
and systems out there riddled with security and/or privacy issues. Negligence
and ignorance is way better than maliciousness, but is still really bad when
you have so much power and reach.

~~~
SAI_Peregrinus
The thing is it's impossible to tell. They deliberately turned off library
verification security in their OSX app. They deliberately bypassed standard
installation controls in that installer. The easiest way to hide a deliberate
backdoor is to make it look like an oversight. So from a practical perspective
it's sensible to treat the decisions as malicious, even if they weren't
intended to be.

------
jrochkind1
> Daily meetings participants jumped from 10 million in December to 200
> million in March.

I am really impressed that the tool has remained stable and performant.

(This doesn't mean there's not things they got to fix regarding security and
privacy; both things can be true, I'm still impressed with the technical
quality -- AND wish/hope they use what is apparently some high-quality
engineering ability in a more pro-user way).

------
blakesterz
Closing paragraph, ouch!

"The company is far from done. Don’t forget that it claimed that calls are
end-to-end encrypted even though they’re not at all. More importantly, the
fact that Zoom is fixing issues as quickly as it can isn’t enough. Something
is wrong at Zoom — there’s a corporate culture issue that leads to all those
missteps. It’ll take much longer than 90 days."

Seems like this type of terrible and wide spread news about a companies only
product would turn around just about any corporate culture in way less than 90
days. This was some majorly bad news and it was everywhere for weeks, I'd
assume things are very different there now.

~~~
neuronic
Let's hope so. Honestly, Zoom is the preferred video conferencing software out
there when it comes to UI/UX and performance. Grid view just being one major
plus, no disconnects or issues in 4 weeks of home office so far. Meetings with
10-20 people no problemo.

If the same software could be used without the security concerns then I don't
see how competitors at their current level would remain anything but a side
note.

I have brought up Jitsi, no one cares, perceived as worthless fringe.
Enterprise client already has MS Teams licenses, again no one cares, only used
when Zoom is no option. Internally we got Slack, cannot even do 1:1 calls
without issues. We also have Pexip, it has crappy UI/UX and several
disconnects if sessions > 30mins. Hangouts is Google so enterprise clients are
often not getting into that.

~~~
STRML
You hit the nail on the head as to why people don't use Slack & Jitsi, and
barely use Hangouts: it's the call quality, stupid. Zoom drops out less, video
& audio quality is better, screen sharing works. It's as close to a "gets out
of your way" piece of videoconferencing software as has ever existed.

Competitors, take note. Get the basics right - don't concern yourself with
fluff - and customers will flock to you.

~~~
csharptwdec19
> Competitors, take note. Get the basics right - don't concern yourself with
> fluff - and customers will flock to you.

IMO they did take note and that's why we are seeing the deluge of articles
about Zoom.

~~~
neuronic
The concerns are still valid, but yes of course it's a PR battle.

------
tantalor
Security and privacy are features.

~~~
jnwatson
Sure, just not features that make any money. Those are capabilities you work
on after you've already captured market share.

------
theNJR
Just yesterday Ben Thompson suggested that Zoom:

> “ Freeze feature development and spend the next 30 days on a top-to-bottom
> review of Zoom’s approach to security and privacy, followed by an update of
> how the company is re-allocating resources based on that review.

------
formercoder
Until public equity markets start valuing security nothing will change. How do
we make that happen? Make their customers care. Bad security -> less customers
-> less value. How do we do that? Wish I knew, probably regulation, but I
wouldn’t know how to even think about writing it.

------
throwaway55554
> For the next 90 days, Zoom is enacting a feature freeze, which means that
> the company isn’t going to ship any new feature until it is done fixing the
> current feature set

Unless they were already working on it, I don't see how they'll get E2E
encryption hammered out in 90 days.

------
tbrock
I think it’s going to take more than 90 days to fix this. I’d rather they say
no new features until security and privacy are satisfactory then we’ll do
performance.

No new backgrounds!

------
KaoruAoiShiho
Does anyone know how they're handling the E2E situation? Are they removing it
from their marketing or trying to actually implement it?

~~~
kjaftaedi
e2e encryption for multiple video streams at once is not something that is
easily done.

if you told me they planned to offer this feature within a year, i would bet
money against it happening.

~~~
basch
Am I misunderstanding the product, or are the streams not being merged on the
server into a single feed?

>To be clear, in a meeting where all of the participants are using Zoom
clients, and the meeting is not being recorded, we encrypt all video, audio,
screen sharing, and chat content at the sending client, and do not decrypt it
at any point before it reaches the receiving clients.

[https://blog.zoom.us/wordpress/2020/04/01/facts-around-
zoom-...](https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-
encryption-for-meetings-webinars/)

~~~
kjaftaedi
They are merged. There is no end to end encryption unless you are talking
about the connection between you and zoom.

~~~
basch
That is not at all how they describe the product, in their correction post
clarifying their use of encryption.

The part after the caret is a quote from them.

------
gmm1990
What if they implemented e2e encryption and open sourced the client code.

