Zoom CEO acknowledges security 'missteps' in live-stream

Zoom CEO Eric Yuan speaks in a live-streamed broadcast about the app's security.

The CEO of Zoom Video Technologies acknowledged in a live-streamed broadcast on Wednesday that the company had made "missteps" in handling a surge of new users staying home during the coronavirus pandemic, leading to problems such as the routing of traffic through China and "Zoombombing", in which uninvited guests crash meetings.

Zoom's popular video conferencing app was built primarily for enterprise and business customers, but people have been using it in unexpected ways in the past few weeks including live-streamed classes, virtual happy hours and even online weddings, Zoom founder and chief executive Eric Yuan said in the live broadcast on YouTube.

"Clearly we have a lot of work to do to ensure the security of all these new consumer use cases," Yuan said. "But what I can promise you is that we take these issues very, very seriously. We're looking into each and every one of them. If we find an issue, we'll acknowledge it and we'll fix it."

Nonetheless, the Chinese-born American CEO maintained that the app is safe to use: "I can tell you - Zoom is absolutely safe compared to our peers," he said. "We have never sold user data in the past and we have no intention to do it."

San Jose-based Zoom has beaten Microsoft's Skype and Google Hangouts to become the work-from-home app of choice for tens of millions of users worldwide amid the pandemic, but has recently faced a backlash over security and privacy issues including reports of Zoombombing, with internet pranksters hijacking virtual meetings to do silly things, post racist comments or sexually harass attendees.

Taiwan and Germany have already put restrictions on Zoom's use, while companies such as Elon Musk's SpaceX and Alphabet's Google have banned the use of the app among their employees over security concerns.

The company also faces a class-action lawsuit.

In response, Zoom has hired former Facebook security chief Alex Stamos as an adviser and implemented a 90-day freeze on new features to focus solely on addressing concerns with its current products.

It is also preparing a transparency report and will conduct a full security review with third-party experts and researchers, said Yuan on Wednesday.

In the broadcast, Yuan also specifically addressed a Citizen Lab report last week about meeting data being routed through servers in China, saying he believed the impact was "very minor".

Last Friday, the same day the Citizen Lab report was published, Yuan published a blog post explaining how the issue occurred.

Zoom clients normally attempt to connect to a series of primary data centres in or near a user's region, he wrote, but if multiple connection attempts fail due to network congestion or other issues, they are rerouted to two secondary data centres listed as potential backup bridges to the Zoom platform.

Typically, Zoom's two Chinese data centres are excluded from the secondary options for users outside the country, but due to a mistake they were whitelisted and allowed non-Chinese clients to route traffic through them when some users' primary servers were unavailable, Yuan said in the post.

"To be clear, this should have never happened and this issue was completely addressed last Friday," Yuan said on Wednesday in the live-stream. "The China server should never have been an option for non-China participants, because that's a configuration and design flaw."

Yuan also said he believed that the impact of this issue on users was small: among over 233 million participants worldwide who logged onto Zoom meetings on April 1, for example, only 37 participants - all of whom would normally have been connected through US data centres - were mistakenly routed through servers in China.

The company has since removed all China-based servers from its server infrastructure for non-local users, Yuan said. "I guarantee you this will never happen again," he added.

This article was first published in South China Morning Post.