Zoom: We've delivered on all of our security and privacy promises, apart from one

CEO Eric Yuan said the company had been working to improve safety, privacy and security, but has pushed back the date for its transparency report.

The meteoric rise of videoconferencing platform Zoom during the global lockdowns was accompanied by criticism of its cybersecurity standards.

As more remote workers turned to Zoom for business meetings, virtual get-togethers and other forms of socially distanced communication, it soon became apparent that security – thanks to headaches such as a wave of 'Zoom-bombing' – was an area that needed more work. As a result, Zoom CEO Eric Yuan launched a 90-day programme that pledged to address key privacy and security concerns.

On 1 July, Yuan published a promised update on the programme that outlines the progress Zoom has made so far on meeting its commitments, revealing that all but one have been met. This includes its 90-day freeze on all new features not relating to privacy and security, during which time Yuan said the company pushed 100 new security features to the platform and released Zoom 5.0, which introduced AES 256 GCM encryption, new reporting capabilities, and passwords and waiting rooms for meetings by default.

The company also plans to add end-to-end encryption for all users, after previously suggesting that only certain customers would qualify for the feature.

In a blog post, Yuan described the struggle his team had faced in coping with the "tremendous influx of new and different types of users" that piled onto the platform at the start of the year.

"The sudden and increased demand on our systems was unlike anything most companies have ever experienced," said Yuan. "As March came to a close, we realized that our singular mission to deliver frictionless video communications to hundreds of millions of daily meeting participants needed to include an equivalent focus on security and privacy – areas where we needed to do more."

Zoom made a total of seven commitments under its 90-day programme, which Yuan announced on 1 April 2020. As well as the feature freeze, pledges included launching a CISO council to maintain oversight on security and privacy issues; enhancing Zoom's bug bounty programme; conducting penetration tests; and conducting a review of its service with third-party experts and users.

The company launched its CISO council on 8 April. According to Yuan, the 36-member team has met four times over the past three months to discuss matters around data and security. It has also been involved in Zoom's engagement with third-party expertise "to review and make enhancements to our products, practices, and policies," said Yuan.

Zoom has also extended its bug bounty programme and engaged with IT security groups for penetration tests, Yuan said. The company has developed a central repository for vulnerability reports and has made a number of hires in application security, including the appointment of a Head of Vulnerability and Bug Bounty. Meanwhile, cybersecurity firms have carried out penetration tests across the entire Zoom platform, including its data centers and cloud configuration, internal and external networks and its mobile and desktop apps, Yuan said.

Other commitments made by Zoom's CEO included hosting weekly security and privacy webinars for its community – of which 13 have been held to date – and preparing a transparency report that details information related to requests for data, records, or content.

The latter commitment is where Zoom has come up short: Yuan claimed that the company had made "significant progress defining the framework and approach for a transparency report that details information related to requests Zoom receives for data, records, or content," but revealed that the report will now be published later in 2020 and will include fiscal Q2 data.

Zoom had previously promised to deliver the report on 30 June; the company has now updated a previous post where this date was given and removed it to reflect the new deadline of "later this year".

It's evident that Zoom has been working hard to address its shortfalls and re-earn the trust of both users and investors. However, Yuan acknowledged that there was still work to be done and that its 90-day programme was "just a first step" in an ongoing process.

Yuan said: "Going forward, we have put mechanisms in place to make sure that security and privacy remain a priority in each phase of our product and feature development."
