Zoom has screwed up time and time again. It has screwed up so many times that the tech community is having trouble agreeing on whether these screw-ups were innocent incompetence or malicious behavior.
Eric Yuan (Zoom’s CEO) published what looks like an apology reacting to the criticism they’ve been receiving lately and acknowledging most of Zoom’s mistakes. In the post, he announced that Zoom will be stopping the development of any new features to focus on addressing current security and privacy concerns.
I found this post reassuring and sincere. Large companies rarely — if ever — admit that many mistakes in a single post. It gave me hope that they are trying to make a secure and private product — even if their incentive to do so comes from the market, and after the fact, rather than their proactive willingness to build a quality product. Today, market pressure seems to be the only way to hold corporations accountable.
The thing is, Zoom knows better than any of us what internal forces are causing all these issues. They seem to be cutting the same corners that a lot of startups usually cut, but they are doing it at an unforgivable scale. Zoom has become too popular, too important to ignore these mistakes, and serious customers are starting to lose trust in the platform.
In Eric’s post, he also mentioned that they set themselves a 90-day deadline to figure it out. With the global demand for video conferencing software skyrocketing to unprecedented levels due to the global COVID-19 pandemic, Zoom needs more than ever to focus on two main things: anticipating scale and sacrificing user experience, all in favor of security and privacy.
We all know that the scale they are dealing with is unprecedented. In the month of March 2020, Zoom was handling around 200 million meeting participants a day.
During a global pandemic that made most businesses and schools — at least those who can — switch to video conferencing as their main method of communication, their video conferencing product still works really well.
It would simply not be fair to say that Zoom has not handled scale correctly. Even before the global COVID-19 pandemic, their video conferencing software was among the most reliable consumer-grade video communication platforms out there.
That said, there are also catastrophically incorrect ways to handle scale that are not necessarily linked to audio/video performance, like generating guessable meeting IDs, or not enabling meeting passwords by default.
You’ve probably read about the consequences of these design decisions: hundreds of stories of “Zoom-bombings”, a type of prank that consists of an unknown party joining a meeting they do not belong to and saying or presenting something obscene or disturbing to the participants of the call in an act of crude vandalism.
Thankfully, this issue is easily fixed by manually password-protecting your Zoom meetings, but they could’ve made Zoom-bombing harder from the beginning. They could have enabled password protection by default on all meetings or at least used longer, harder-to-guess, alphanumeric keys as meeting IDs. At the very least they could have hired a security firm to audit their security and privacy practices; any internal team that was proactively looking for a vulnerability would have found this one.
Whether they anticipated this problem at scale or not, this kind of behavior was inevitable and Zoom should’ve made these decisions months or maybe years ago. When it comes to security and privacy, you should be able to anticipate scale, especially when designing something as crucial, yet easily-avoidable, as unique IDs.
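The design argued for above, as an added sketch (not Zoom's code and not from the original post): meeting IDs drawn from a CSPRNG over a 36-symbol alphabet, a passcode that exists by default, and a comparison of how often random guesses land on a live meeting under each ID scheme. The 9-digit numeric length, the 100,000 live meetings, the 1,000 guesses and all function names are assumptions chosen for illustration.

```python
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols


def _token(length):
    # secrets draws from the OS CSPRNG, so values are not predictable
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def new_meeting(id_len=12, passcode_len=8):
    """Create a meeting whose passcode exists by default (secure default)."""
    return {"id": _token(id_len), "passcode": _token(passcode_len)}


def can_join(meeting, meeting_id, passcode):
    """Knowing the ID alone is never enough; the passcode is always checked."""
    if meeting_id != meeting["id"] or passcode is None:
        return False
    # constant-time comparison avoids leaking how many characters matched
    return hmac.compare_digest(passcode.encode(), meeting["passcode"].encode())


def hit_probability(id_space, live_meetings, guesses):
    """Chance that at least one of `guesses` random IDs is a live meeting."""
    p_single = live_meetings / id_space
    # log1p/expm1 keep precision when p_single is tiny
    return -math.expm1(guesses * math.log1p(-p_single))


# Constructed figures for illustration only (not from the post)
LIVE_MEETINGS = 100_000
GUESSES = 1_000
NUMERIC_9 = hit_probability(10 ** 9, LIVE_MEETINGS, GUESSES)   # assumed 9-digit IDs
ALNUM_12 = hit_probability(36 ** 12, LIVE_MEETINGS, GUESSES)   # 12-char base36 IDs

if __name__ == "__main__":
    print(f"9-digit numeric IDs : {NUMERIC_9:.4f}")
    print(f"12-char base36 IDs  : {ALNUM_12:.2e}")
```

With these assumed figures the numeric scheme gives roughly a one-in-ten chance of reaching some live meeting, while the longer alphanumeric scheme makes the same effort negligible, and the default passcode still stands behind the ID in either case.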
Stop Obsessing with Reducing Friction
Not so long ago, a security researcher found a security flaw that allowed any website to start a Zoom meeting without any interaction — or request for consent — from the user. It took advantage of a Zoom “feature” that exposed a local, ever-running web server that enabled the native Zoom client to open a Zoom window on demand. All of this to save Zoom users a single click.
I get it. The state of video conferencing these days is confusing and complicated; every click matters. There are many operating systems and platforms to support, hundreds of services to integrate with, millions of businesses to connect, and many more millions of people with different setups trying to figure out how to enter these damn meetings.
Services like Microsoft Teams or Slack require you to have a common communication platform with your co-participants (i.e. they must all be on Slack or Microsoft Teams) — which usually isn’t the case. Services like Skype require you to have a Microsoft account. And services that allow you to dial into a video conferencing meeting without signing in or sharing a common platform could be rare, expensive, and/or unreliable — in some cases all three.
There is a need for affordable, easy-to-use, and reliable video conferencing software and that’s what Zoom’s competitive advantage is all about.
But practicality and ease of use usually come at a great cost: security and privacy. Skipping passwords, settling for easy-to-spell meeting IDs, and even saving a single click could mean sacrificing our natural expectations of privacy and security.
Zoom needs to start putting more security controls in place, by default, even if it means sacrificing the user experience by adding a little friction. This aggressiveness against user friction is no longer helping build Zoom’s case; it’s deteriorating their reputation.
At this point Zoom clearly has all the demand it needs to be successful for a while, so it’s absurd to believe that a couple of clicks will sacrifice any significant part of their sales. And even if they did, the loss wouldn’t compare to the business they are missing right now because of their… insecure or at the very least suspicious practices.
I know that everything is clear in hindsight. It’s super easy for me to sit here and point out all the flaws that Zoom has, but I believe that they could’ve done better. Zoom is an excellent product, with high demand right now, that also performs really well. If they fix all this mess, they have the opportunity to position themselves among the best consumer video-conferencing products out there.