Zoom brings in former Facebook security head amid lawsuits, investigations

0 2

Security and privacy protip: Don't do your videoconference in the middle of an airport.

Enlarge / Security and privacy protip: Don’t do your videoconference in the middle of an airport.

Zoom’s meteoric rise to prominence as the go-to teleconference tool of the COVID-19 pandemic has shined a spotlight on every single design flaw, privacy issue, or vulnerability the platform has. Now, the company is scrambling to react to problems while investigations and lawsuits mount.

The company is already facing lawsuits from consumers, but now investors have joined the fray. A shareholder filed a class-action suit (PDF) yesterday in federal court in California, alleging that Zoom violated securities law by covering up known problems with its product.

Publicly traded businesses are required by federal law to disclose issues or events that could materially affect their stock price so that investors can make informed decisions. Basically any time you hear of some catastrophe at a company—for example, Equifax’s disastrous 2017 data breach—there’s a shareholder suit right after from investors who are angry that they received no warning their shares were about to plummet in value.

The suit against Zoom alleges that the company made “false and misleading statements” to investors and should have known what was going to hit the fan eventually. “The truth about the deficiencies in Zoom’s software encryption began to come to light as early as July 2019,” the complaint reads. “However, due in large part to the company’s obfuscation, it was not until the COVID-19 pandemic in March and April of 2020, with businesses and other organizations increasingly relying on Zoom… that the truth was more fully laid bare in a series of corrective disclosures.”

Those “corrective” actions followed media reports highlighting, among other things, holes in Zoom’s privacy policy, the sharing of user data with Facebook, the mining and sharing of users’ LinkedIn data, and a feature that unintentionally exposed individuals’ contact information to complete strangers. Zoom also claimed to have end-to-end encryption on its data, only for that claim to be proven false, and it had vulnerabilities that could allow attackers to steal users’ Windows credentials with no warning.

Above and beyond all that, however, Zoom drew the most negative attention for default settings that allowed for rampant “zoombombing,” resulting in countless cases of meetings—particularly classes of schoolchildren—being interrupted by harassment. In some cases, the intruders spewed racist or neo-Nazi invective, while in other cases they exposed themselves or displayed pornographic material.

Many states, counties, and cities, including New York, have put the kibosh on educators using Zoom for classroom purposes, to the dismay of many parents and teachers who find the platform easier to use than rivals like Microsoft Teams. (Not a day in two weeks has gone by without someone starting a new thread to complain about the latter in the local PTA group I am a member of.)

Zoom has now changed many of those defaults (and you can check your own settings right now to prevent it happening to your next online meeting). But that, too, is just part of the everyday crisis mode Zoom now operates in, CEO Eric Yuan said in an interview with NBC News.

“You know, lesson learned,” Yuan told NBC. “We’ve got to double down on privacy, double down on security.”

To that end, Alex Stamos, formerly the chief security officer at Facebook, said today he’s now doing consulting work with the company. “I’m certain that the real challenge, one faced by every company trying to provide for the diverse needs of millions seeking low-friction collaboration, is how to empower one’s customers without empowering those who wish to abuse them,” Stamos wrote in a blog post. “I encourage the entire industry to use this moment to reflect on their own security practices and have honest conversations about things we could all be doing better.”

Leave A Reply

Your email address will not be published.