Working on Security and Safety with Zoom

Alex Stamos
Apr 8, 2020

Last week, after I posted a series of tweets discussing the security challenges for Zoom and how they could respond, I got a phone call from Eric Yuan, Zoom’s founder and CEO. We talked about the significant challenges his company was facing, both in responding to an incredible growth in users and in living up to the security expectations of the moment. He asked detailed and thoughtful questions about my experiences working at companies facing extreme crises, and I was impressed by his clear vision for Zoom as a trusted platform and his willingness to take aggressive action to get there. He asked if I would be interested in helping Zoom build up its security, privacy and safety capabilities as an outside consultant, and I readily agreed.

To be clear, I am not an employee or executive of Zoom and I don’t speak for the company. I have refrained from any public comment on Zoom or discussions with journalists since my call with Eric, but in the interest of transparency I think it’s important to disclose this work. I don’t do a lot of consulting these days; I am generally quite busy with my role at Stanford and I’m proud of the work that team has been doing during this critical time for disinformation. This opportunity to consult with Zoom was too interesting to pass up, however, and I thought I would explain why I have embraced this challenge.

First off, Zoom has gone from being a successful mid-sized enterprise IT company to a critical part of the lives of hundreds of millions in the space of a couple of months. As my CV might suggest, I am attracted to difficult problems and this creates some doozies. As someone who has walked through the galaxy of blinking lights and deafening whir of tens of thousands of servers carrying the sessions of millions of users, I appreciate the effort it takes to build a product that scales. To successfully scale a video-heavy platform to such a size, with no appreciable downtime and in the space of weeks, is literally unprecedented in the history of the Internet. It has been clear to many people who have worked on production-scale systems that something special has been happening at Zoom, and the related security challenges are fascinating.

It’s not just the technical challenges that I am interested in. In a time of global crisis, Zoom has become a critical link between co-workers, families, friends and, most importantly, between teachers and students. The morning Eric called me (and most mornings since) there were five simultaneous Zoom sessions emerging from my home, as my three kids recited the Pledge of Allegiance in their virtual morning assembly, my wife supported her middle-school students and I participated in a morning standup with my Stanford colleagues. Like many techies I have used Zoom professionally for a while, but I admit that there was still a bit of culture shock as my wife taped a daily calendar full of Zoom meeting codes to our eight-year-old daughter’s desk.

The adaptation of a successful enterprise collaboration tool into virtual classrooms, virtual doctor’s offices and a myriad of other applications (including at least one virtual Cabinet Room) has created privacy, trust and safety challenges that no company has ever faced. As I told the computer science students in my Trust and Safety Engineering course this last quarter (the last two weeks of which were taught over, yes, Zoom), coding flaws and cryptographic issues are important, but the vast majority of real technological harm to individuals comes from people using products in a technically correct but harmful manner. Zoom has some important work to do in core application security, cryptographic design and infrastructure security, and I’m looking forward to working with Zoom’s engineering teams on those projects.

Still, I’m certain that the real challenge, one faced by every company trying to provide for the diverse needs of millions seeking low-friction collaboration, is how to empower one’s customers without empowering those who wish to abuse them. I encourage the entire industry to use this moment to reflect on their own security practices and have honest conversations about things we could all be doing better. This is possibly the most impactful challenge faced by the tech industry in the age of COVID-19, and together we can make something positive out of these difficult times and ensure that communications are safer and more secure for all.

My user experience test group

Written by Alex Stamos

Teaching and researching the misuse of technology at Stanford. Former CSO of Facebook and Yahoo.