IE 11 is not supported. For an optimal experience visit our site on another browser.

'Every day is a crisis': Zoom boosts its security as scrutiny grows

“We’ve got to double down on privacy, double down on security," Zoom CEO Eric Yuan said.
Image: A student takes classes online with his companions using the Zoom APP at home
A student takes online classes at home using Zoom during the coronavirus outbreak in El Masnou, north of Barcelona, Spain on April 2, 2020.Albert Gea / Reuters

Every tech company’s dream is to become a verb. Think "Let me Google that," or "I’ll just Uber over."

But Zoom, the videoconferencing company that was until recently best known within the corporate world, has inspired a verb with decidedly more negative connotations: "Zoombombing," in which the uninvited crash Zoom calls to harass users.

The Silicon Valley firm is now a part of the daily lives of millions of Americans as schools, companies and governments have embraced it amid coronavirus lockdowns. Zoom says that as of last week 200 million people now use the platform every day. That’s up from 10 million daily users before the pandemic.

But like many other tech platforms that were built on ease of use, Zoom is finding that life in the public eye can be challenging — particularly now that zoombombing has emerged as a new way for internet trolls to launch vicious attacks. That has suddenly made Zoom the focus of pranksters and racists, as well as hackers, attorneys general and cybersecurity experts.

"You know, lesson learned," Zoom CEO Eric Yuan said in an interview through his company's videoconferencing software. "We’ve got to double down on privacy, double down on security."

Full coverage of the coronavirus outbreak

The company has already taken some action. On Saturday, Zoom said it would enable its "Waiting Room feature" as a default for all users (it had previously been the default for only paid users). It will also require additional password settings on all accounts in an effort to bolster privacy and security.

The practice of hijacking a videoconference had become so pervasive that the FBI’s Boston field office issued a formal warning late last month. Last Friday, federal prosecutors in Michigan warned that such actions could be considered crimes. That same day, Sen. Sherrod Brown, D-Ohio, sent a letter to the Federal Trade Commission calling for an investigation into the company, accusing it of engaging in "deceptive practices." On Tuesday, Sen. Richard Blumenthal, D-Conn., echoed Brown’s call to the regulatory agency.

The company currently faces three lawsuits in federal court — all filed within the last week — over privacy and security concerns.

Zoom's problems also go beyond harassment. The Washington Post reported on April 3 that Zoom had even allowed thousands of recordings of video calls — many containing intimate details including nudity and personal financial information — to be easily discovered online.

Similarly, Zoom has been pilloried for describing its service until recently as "end-to-end encrypted," — a technical term with a specific meaning. The company later admitted that the way it had been using the term was inaccurate, and said that it "never intended to deceive any of our customers."

Zoom now says it’s cooperating with all legal inquiries and lawsuits. Yuan said he blames the recent spate of problems on his company transforming from a business tool to a widely adopted mass market communication platform virtually overnight.

"Nobody, you know, expected this," Yuan said. "Our business was beautiful, serving the enterprise and business customers who normally have an IT team to help you to configure the security settings."

Looking back, Yuan wishes he would have implemented more obvious, user-friendly security measures the moment he first made Zoom free to K-12 schools on March 13. "I think on Day One we should have done that," he said.

The damage may already be done. New York City public schools are now beginning to "transition away" from Zoom, in favor of a competing product, Microsoft Teams and similar products from Google. Other districts in different parts of the country including Clark County, Nevada, have reportedly taken comparable measures.

Yuan was quick to defend his company as the problems piled up. He said Zoom is now talking directly with New York City public schools to create a more secure approach by developing what Yuan calls "a master account to manage every subaccount to make sure every school will have security settings."

"Because we moved too fast and also added too many servers, there were also missteps," Yuan said. "But we take it very, very seriously. We do all we can to quickly fix that problem."

Changing a product this quickly is not easy. When asked how the engineers are doing, Yuan said, "Every day is a crisis."

Download the NBC News app for full coverage of the coronavirus outbreak

Yuan said he feels like Zoom has gone from playing on a high school varsity basketball team to suddenly playing in the NBA in just a week.

"For the first week, you got beaten so hard," he said. "But guess what? Move forward. Learn the mistakes."

Yuan began working in video conferencing in the late 1990s as an engineer for Webex, a videoconferencing company that was acquired by Cisco in 2007.

The Chinese-born engineer rose to become Cisco’s corporate vice president of engineering, but found himself increasingly frustrated with Webex, and sought to — as he told an interviewer in 2017 — "make customers happy." So Yuan built a competitor: Zoom.

Since then, Yuan and Zoom have become one of the biggest success stories in Silicon Valley while also remaining out of the spotlight. The company's stock started trading publicly in April 2019 and rose quickly, outperforming better-known consumer tech companies like Lyft and Pinterest, which also went public around that time.

Zoom's stock jumped sharply in March as coronavirus lockdowns pushed millions of people to videoconferencing, though it has ticked down in recent days.

Security questions dogged Zoom well before the coronavirus pandemic. In July 2019, researchers detailed a vulnerability showing how an attacker could set up a malicious call designed to take over a computer’s webcam. Zoom quickly patched the problem.

As Zoom has faltered in these past few weeks, Cisco's Webex video conferencing software has started to regain some ground. Webex has also not hesitated to take indirect or even direct potshots at Zoom and its approach.

Abhay Kulkarni, a Webex vice president, recently wrote a blog post pointedly titled: "Collaboration Without Compromise: A Security-First Approach to Remote Working," writing that security concerns in Webex are never a "trade-off for convenience or speed."

The sudden and unrelenting pressure of serving 200 million daily users has pushed Zoom to ramp up hiring in engineering, sales and customer support. Yuan said he doesn’t have time to check his own email.

Yuan said that Zoom remains focused on its business customers despite the sudden influx of users.

"I want it to go back to serving our business enterprise customers. And we know how to do that," he said, "if we have a choice."

At the moment, Yuan said Zoom is focused on getting through the next few months. As for what’s next, he says it’s too early to tell.

"At least we know one thing for sure: For the next three months, we double down, triple down on privacy and security," he said.

But could there be a future for Zoom as a consumer product to rival giants such as Facebook?

Yuan looked tired just thinking about it.

"I have no idea for now," he said.