Early in 2020 the world started going into lockdown as a response to Covid 19. Employers were keen to keep their employees at work and in touch with their teams. One result was that video conferencing really took off. Parents and grandparents, keen to keep in touch with friends and family likewise embraced modern technology and also started online video conferencing.
Everyone liked using Zoom, it is simple to operate and provides free to use options. Zoom users increased from 10 million at the end of 2019 to 200 million by the end of March 2020.
Then, in April 2020, it was reported that there were privacy issues around Zoom, one of the big name providers of video conferencing capacity. Just when its business was increasing exponentially Zoom was highlighted as having underlying compliance issues. Hackers were able to “bomb” Zoom meetings and disrupt proceedings or simply listen in and watch. There were several security issues including lack of encryption of the datastreams.
To be fair, Zoom reacted fast. In May the BBC reported an apology from the CEO of Zoom who had candidly spoken about the rapid growth of Zoom users and lamented the fact that despite working around the clock they had been unable to keep pace with demands made by the increase in users. All development work was suspended as the team concentrated on security and privacy aspects of the service. Mr Yuan said that Zoom had “fallen short of the community’s – and our own – privacy and security expectations”. “For that, I am deeply sorry,” he wrote. He announced a 90 day plan to fix the issues.
Zoom’s service is now end to end encrypted (even for free service users) and the efforts made to fix security flaws means that it is a safe platform. 2020 has been a strange year and many of us put privacy concerns below other worries and issues. After all, if millions of us are using Zoom, not all of us can be bombed at the same time, herd immunity. So, possibly aided by users’ desire to keep in touch despite privacy concerns, Zoom’s business continues to grow. Diverting development capacity into fixing security issues has helped too. But if Zoom had been set up to meet compliance standards initially it would have saved them from the near PR disaster of early 2020. Senior management dealt well with the crisis but it is preferable for senior management not to have to divert their attention away from managing the business and its future development to handle a crisis.
Reading comments from other industry players, introducing maximum video conferencing features at the expense of low levels of security was the industry model. Anyone heard of “Privacy by Design”? It is one of the features of GDPR. Why is it alien to consider user security and privacy at an early stage of development and build them into the design? The cost of non-compliance and trying to bolt on fixes at a later stage is always higher than building privacy into the model from the start.
The cost of non-compliance is not always the heavy fines and the management time needed to liaise with regulators. It can be the cost of bad PR, loss of customer trust and credibility, something that can be hard to regain. I would say that Zoom had it easy this year because we were focused on other aspects of our wellbeing apart from privacy.
Joy Higham, Data Protection Consulting