from Hacker News

A Message to Our Users

by casca on 4/2/20, 6:29 AM with 256 comments

by Msurrow on 4/2/20, 9:52 AM
I think thats fair. All of us who have written and deployed software know that a change in the onboarding/new users rate like this would be a punch in the face that would knock any SW team on its ass. And it would take anyone a few days to get back up.
The important part is the leaderships reaction to the situation. Compare to something like Boeing. Zoom acknowledges facts, takes responsibilty and starts fixing things. Boeings reaction to its product killing hundreds of people was “Lol user error. RTFM”. That is (apparently) what acceptable leadership can look like..
Any sw product has issues. The question is what the company does about it
by crazygringo on 4/2/20, 3:06 PM
Key section:
> Over the next 90 days, we are committed to... Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
I see a lot of comments here claiming that this blog post is bland corporate apologia, doesn't take responsibility, doesn't change anything.
But this seems like a pretty legit turnaround. Overall, they seem to be addressing pretty much everything that's been brought up. They removed the Facebook SDK, they removed attention tracking, they've clarified their encryption policies in detail.
One commenter here is asking for more, for punishment, another demands their security team be fired. And I mean, if someone wants to try to sue Zoom for misusing the term E2EE then go for it, but obviously Zoom can't "punish itself" in a blog post, and pinning it on a few bad engineers feels like a scapegoat.
This seems to be positive steps, folks. Genuinely not sure what more you could be asking for from a regular for-profit business.
by gchokov on 4/2/20, 9:36 AM
I am tired of reading such statements. They are like a playbook when things get wrong.
Zoom had privacy and user invading issues years back. They didn't learn their lesson back then with the MacOS installers, and continued to assure us they are taking the "right steps".
My company have stopped using Zoom and we'll never go back.
by ken on 4/2/20, 1:50 PM
Zoom has had major security issues for years, and they've always brushed them off as not a big deal. This isn't an isolated incident.
If their position is now that the Zoom software was designed for corporate users, e.g., that you're expected to only run it on your own VPN where you can guarantee there's no malicious network traffic, then it should have "NOT FOR CONSUMER USE" plastered all over it.
To me, this reads exactly like "Lol user error", except there's no "M" to "RTF" that ever said, for example, that its local web server stayed running after uninstallation and could take control of your camera, or that "E2E" in the Zoom docs doesn't mean the same thing as it means to the rest of the industry.
There's no responsibility being taken here. Taking responsibility would be "We fired all our 'security' people who told us we had best-of-breed security, and hired some actual security experts to re-architect our system to provide actual security for our users." What they did here is indistinguishable from "We're sorry we got caught!" except in verbosity.
by tobr on 4/2/20, 1:32 PM
I struggle to understand why the sudden influx of new users would affect these security problems in any way. OK, more people are affected, but the problems are surely the same regardless of how many users they have.
To me it just comes across as an attempt to deliberately confuse the issue.
by Quanttek on 4/2/20, 2:32 PM
> "On March 29th, we updated our privacy policy to be more clear and transparent around what data we collect and how it is used – explicitly clarifying that we do not sell our users’ data, we have never sold user data in the past, and have no intention of selling users’ data going forward."
That is such a dishonest way of framing it. No one was really concerned whether they would "sell" data. The issue was with the exorbitant amount of data they collect and its analysis for commercial purposes, be it ads (which doesn't involve selling data), targeted pricing or providing access to corporate admins.
by pjfunk on 4/2/20, 11:58 AM
"We didn't design for for scaling overnight" is different from "we did care for security until we got caught"
However small or big, a company shouldn't be selling data without user consent, shouldn't use terms end-to-end encryption while make otherwise claims.
This behaviour should be punishable
by seemslegit on 4/2/20, 10:56 AM
This is "we are sorry for getting caught" changes-nothing nonpology.
The use of "end to end encryption" designation was no confusion, it was deception - it is implausible that this could have been done accidentally or as a result of a misunderstanding without engineers warning managers that this is not how zoom works and being overridden in their objections to communicate it as such.
They also double down on data collection. Disclosure does not establish consent and "we do not sell data" is a red herring because data can still be shared with third parties for business purposes against the interests of the users without being overtly sold (not to mention with governments under various "compelled cooperation" arrangements) and the entire policy can be subject to retroactive change without recourse.
The fact that they were targeting organizations with IT support is irrelevant except maybe to discredit the people within those organizations who greenlighted Zoom.
The saddest part is that it is unlikely any of the competing corporate offers are any better in any of those respect, but then they are not being actively pumped these days.
by shadowgovt on 4/2/20, 2:17 PM
Zoom seems to be another example of the repeating pattern we seem to see from web service software: if the product has good UX, people don't care about the technical issues that aren't in their faces. At least, they don't care in any tangible way like "They stop using the product."
Remember when Twitter was incredibly unstable? That was fine when it had only ten thousand users. They had to fix it fast when it had a million. But the thing is: that seems to be viable software practice (rush on features, forget about the robustness and the corner cases) because it keeps working.
by Nullabillity on 4/2/20, 9:54 AM
"Oh no, it used to be alright that we are shady as hell, because, you see, we never thought anyone would actually use our service!"
Give me a break..
by tyingq on 4/2/20, 11:19 AM
"Removed the attendee attention tracker feature."
Oh, I missed that one. https://support.zoom.us/hc/en-us/articles/115000538083-Atten...
by oandrei on 4/2/20, 3:25 PM
I want to share my solution for remote collaboration and teaching: https://github.com/amkhlv/mathpump3
Professor uses Wacom and Inkscape to draw a picture, which is incrementally transmitted to students' computers. Students, those who have Wacom, may interact. Or just watch. Transmission happens every time the svg file is saved. Transmission requires a RabbitMQ server, which can be easily set up. Basically, a class needs one person who knows Linux, to set up the server.
It is intended for scientific collaboration or teaching in small groups of people. I am now using it for teaching my QFT class, although it only has 5 students. In principle, it should scale, but I have not tried it for large groups...
Drawing with Wacom in Inkscape is a pleasure, once you get used to it. In some sense, it is more convenient than using a physical blackboard. Although, some training is needed...
by fvdessen on 4/2/20, 9:53 AM
The moral of the story is once again that focusing on user acquisition at all costs is an effective strategy. MongoDB disregarded reliability, Youtube disregarded copyright, Reddit faked comments, Facebook disregarded privacy. Yet they were all ultimately successful. Could it have happened differently ? Not so sure.
by whatok on 4/2/20, 6:41 PM
For anyone excusing any of this, Zoom is currently a 34bn dollar company. There really are no "whoops, didn't expect to get this popular" excuses that are legitimate for all of these issues; especially when none of these things have to do with scaling and are instead just boneheaded design decisions.
by cmcd on 4/2/20, 2:58 PM
> "We want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption."
Excerpt from their previous release above, only a few hours earlier.
Glad to hear they are starting to make improvements but waiting for public backlash to fix issues is a bad sign.
by jefftk on 4/2/20, 4:42 PM
While I think Zoom has a lot of work to do from a security perspective, overall I think we should be supportive: facilitating -- mostly for free! -- very low friction video calls between an enormous number of isolated people is an incredible service.
by nelsonic on 4/2/20, 9:43 AM
What is a security focussed open source / self-hosted alternative to Zoom with comparable UX?
by kmtrowbr on 4/2/20, 5:27 PM
December 2019: 10M daily participants. March 2020: 200M daily participants. A sustained 20x spike in usage. And it’s still working! I think that’s amazing.
Think through this situation — 90,000 schools suddenly using Zoom, children doing their classes. What is most important: option 1) it just works option 2) it’s 100% secure
Imagine you were a member of Zoom's team, would you not be justified in feeling proud right now?
by juliend2 on 4/2/20, 2:00 PM
I don't know exactly what is the main security issue right now, but as I understand it, it's mostly related to this: https://www.bleepingcomputer.com/news/security/zoom-lets-att... (on Windows).
The windows changelog[1] doesn't talk about a version released on April 1st, like the press release says[2].
So is the only way to mitigate that issue for non-techie users is to deactivate the chat feature for all conversations?
[1] https://support.zoom.us/hc/en-us/articles/201361953-New-Upda...
[2] https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-u...
by Nevada-Smith on 4/2/20, 4:10 PM
"Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment."
Interesting that he would point out the failure of thousands of IT departments around the world.
by talkingtab on 4/2/20, 6:10 PM
Zoom added the Facebook SDK. When they got caught they removed it. Great! But what about a statement that they will provide a user-focused third-party security assessment on a regular basis so that users know there are no other issues?
People need transparency.
by hyko on 4/2/20, 6:18 PM
“It takes 20 years to build a reputation and five minutes to ruin it” -Warren Buffet
They didn’t even bother to build up a reputation; hard to see how they’re going to build respect for people’s privacy and security into their culture now.
by _pmf_ on 4/2/20, 3:24 PM
I find the whole ganging up against Zoom disgusting. Mac-fanbois-cum-security-experts blaming Zoom for the deficiencies of a) their platform not having a working native teleconferencing solution and b) their platforms arbitrary installer policies.
Then there's the issue that Zoom is now suddenly responsible for the complete lack of security awareness of teachers and middle managers who have never before held online classes, and are publicly posting meeting credentials so that everyone can join.
All, of course, while the while world is free loading (yes, "you are the product, hurr durr"; great contribution).
by Dowwie on 4/2/20, 3:46 PM
I think we need to acknowledge the fact that Zoom, and its use of cloud infra, took on 20x peak volume of 2019 within just a few months.
by jasonv on 4/2/20, 5:09 PM
I think this is a necessary move on their part.
And they obviously have the business and engineering talent to make a good product (it's better than their competition, I'll grant).
But how much of their market share came because of some nefarious business and technical practices?
Forgive and forget, 'cause "correction"?
by ivanfon on 4/2/20, 3:21 PM
Off topic, but it would be nice to mention Zoom in the title, it's pretty ambiguous otherwise
by lxe on 4/2/20, 4:03 PM
> On March 27th, we took action to remove the Facebook SDK in our iOS client and have reconfigured it to prevent it from collecting unnecessary device information from our users.
Sounds like folks at Zoom take privacy and security related feedback pretty seriously.
by xenocyon on 4/2/20, 5:33 PM
I'm pretty new to Zoom. It always seems to take me a while to get to the option of using the web browser instead of the executable. Is there an easy way (e.g. URL structure) to force the web-browser-meeting and skip the download dialog?
by yalogin on 4/2/20, 1:14 PM
Through this I learnt, for the first time, that they also send data to Linkedin.
by rado on 4/2/20, 10:19 AM
BS
by jbverschoor on 4/2/20, 10:19 AM
What a load of crap...
First, some background: our platform was built primarily for enterprise customers – large institutions with full IT support
These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform
Never ever gonna use zoom.. I got rid of it a long time ago when I found out about the malware...
by oliwarner on 4/2/20, 12:27 PM
Maaaan, the /wordpress/ in the URL really knocks home how slapdash this whole operation is.
And this wasn't anything but an acknowledgement that they're not qualified to produce the software they're distributing. They still don't even know what they don't know.
by empressplay on 4/2/20, 11:44 AM
I know this is banal but fk these guys.
by NKosmatos on 4/2/20, 6:41 AM
A message in the right direction, but they need to solve the recent macOS security issues. Let’s give them the time to (transparently) correct all the recently reported issues.
by hc91 on 4/2/20, 10:40 AM
Translation: "We are SO sorry that we got caught and that you feel this way about us. Let's see if we can react to this situation fast enough before everyone will start replacing us with alternatives that at least have a better reputation." ... yeah, give me a break!