Nor was he prepared for the ensuing torrent of security and privacy complaints — and reports of harassment on its video conferencing platform.
“It kind of feels like we've become a target,” Eric Yuan told me last night on a Zoom video call. He appeared before a custom background of The Washington Post's former office. “Now, we just see everyday some negative article. And I just have no idea where suddenly where this is all coming from.”
With big growth comes big responsibility — and scrutiny from researchers and media. As of March, the company had 200 million daily active users, as businesses across the globe shifted to remote work and people adopted social distancing measures. That's up from about 10 million in December.
Just a week ago, the service was broadly seeing positive feedback for its work to bring classrooms online and connect quarantining friends and family. This week, reports of harassment known as “zoombombing” — such as trolls sharing pornographic pictures during online classes and interrupting university lectures with racial slurs — became so widespread that the Federal Bureau of Investigation issued a warning about using the service. The reports of security and privacy flaws caught the eye of policymakers, who are seeking more details from the company.
Now Yuan is on a mad dash to right the ship. Since starting the company nearly a decade ago, he's believed videoconferencing would go mainstream and facilitate working from home. Coronavirus, he says, has catalyzed that shift — and he wants to be sure Zoom's newfound reputation issues don't prevent it from being at the center of that revolution.
“I don't want to be only the most scalable platform,” Yuan told me. “I want to be the most secure.”
Yuan announced this week he would freeze all new product development until it corrects the privacy and security issues. He also told me he wants to hire more employees to review harassment on the service — but he did not specify how many full-time hires the company would make. Yuan also plans to make more security and privacy settings available to users by default.
Here's our interview, edited for clarity and length:
Technology 202: There's been a slew of reports about zoombombing — someone trolling an Alcoholics Anonymous meeting or taking their pants down during a company conference call. Did you ever anticipate when you were building Zoom that it would be abused in this way?
Eric Yuan: No. It doesn't make any sense. Maybe it's driven by all the online classes suddenly. It's a wake-up call. We need to have a preconfigured package just for online school.
How many trolls have you blocked on the service?
I do not know the exact number. (Note: The company also declined to provide this information.)
Other companies such as Facebook that have had content moderation issues now release regular transparency reports about how many accounts they're blocking. Is that something that Zoom plans to do?
I’m also going to do a weekly webinar where we share what we’ve done last week, what we’re doing this week to stay close to the community.
This is a crisis time. A lot of people are counting on Zoom. I want us together with the community because together we can build a much better platform.
Do you think there are lessons that you can learn from some of the other social network networks that have dealt with abuse, as you're approaching some of these problems?
I’m learning. We are more like a business software service company. Suddenly we’ve become like a consumer brand.
We are learning very very hard how to do that. And we don’t want to let the world down.
We are learning from those consumer companies, what they did. It’s not easy for us, it’s something new.
Do you have the resources in place right now to deal with increased political and regulatory scrutiny?
When the FBI got involved, I told our team we're excited. That's great. The FBI is also going to help as well. Because we share the same goal.
We want to understand why those people want to bomb into to the classroom. We need to identify those people. At the same time, we need to enforce the best security practice. Ideally we can find those bad people. That's a way to make this service better.
Your service was built for business customers, but suddenly you have people using it for everything from happy hours and proms to government meetings and preschool classes. As of today, do you have the security and privacy practices in place to support that uptick in activity?
We do. Let’s take the K-12 school for example. We offered a free service to help. [It was] expensive [and] a lot of effort. However, looking back, probably we could have done a better job.
We took quick actions, and probably we need to take a step back to train the teachers first and also maybe enforce some security features.
The first week was pretty good actually, online class and a ton of positive feedback. And then suddenly some people are hacking into the classroom and we realized, you know, we need to do this option to offer IT support. We enabled that only a teacher can share a screen by default. Enabled a password.
And also we’re trying to understand what had happened: Why would a hacker hack into the classroom? They are not going to learn calculus or Algebra. So you look at social media. Some students just don’t like online class. They just want to target some online classroom, and destroy that.
Why should teachers and other users, regular people, continue to trust Zoom after these reports of zoombombing and other security issues?
Zoom is not a one-year-old company, it’s a nine-year-old company. Over the last several years, we have a lot of enterprise customers, business customers where we built trust.
Even with negative articles, I did receive a lot of very positive feedback. I’m not saying everything is perfect because we keep everything open and transparent. Our intention is to really to leverage the technology to help the world.
We are not going to get distracted by all those negative articles, but we are going to get better, stronger.
Are you hiring more people to deal with the harassment problems?
We are going to hire a lot, but I'm not sure how many people full time. For sure we are going to double down or triple down on this.
You've offered guidance to customers about how they can protect their meetings, but what product changes are you making to address harassment?
First of all, every meeting, class on classroom, you have a password enabled. And another thing, don't let a student share that classroom link. And after all the students are already in the class … lock the meeting.
We have all those features built in. A business customer like [The Washington Post] has an IT team to [configure it]. And with the onboarding process, you get everything. [But individual users and teachers don't have access to that same support.]
This is a crisis, and we never focused on K-12 before. We should have created a K-12 package, and all those things should have been preconfigured and then given to them.
The blog post that you put out has been widely praised by security researchers. When did you decide that you were going to make that major move to stop developing new products?
I feel like I really needed to do all I can to make sure we don't let our beloved users down. Regardless of what had to happen before, we needed to just take a step back, double down, triple down, double check.
I don't want to be only the most scalable platform, I want to be the most secure.
To do that, it's not only Zoom's work, we need lot of people's help. From the security community, senators, we have a bug bounty program, we have a lot of customers' [chief security officers] join our CSO council. We stopped the features because we want to keep everything open, transparent.
What are you doing to make sure that Zoom is operating properly and doesn't get overloaded by the surge in traffic?
We have seventeen data centers worldwide, and we get help from Amazon and Oracle, the public cloud providers. They're helping us as well to get us more servers. Our team really works 24 hours around the clock to make sure the service up.
Over the past several days, these negative articles and this PR crisis have made it worse. I’ve slept probably four or five hours [a night] to focus on capacity. Now it’s only two or three hours because of this. We will get through that and come out stronger and better.
There have also been stories about all the ways people are coming together on Zoom during this pandemic and the stay-at-home orders. What are some of your favorite ways that people have been using Zoom?
The online wedding ceremonies. I saw a lot of pictures. I'm so touched.
This is their once in a life moment, and they’re using Zoom. I think that’s very cool.
BITS, NIBBLES AND BYTES
BITS: Google is tapping its massive trove of location data to aid in the global effort to contain the novel coronavirus, my colleague Tony Romm reports.
The company says government experts in 131 countries -- down to the county level in the United States -- will soon be able to see if people are choosing to heed advice and stay home. Google’s data will allow the officials to see whether people are traveling more or less to grocery stores, pharmacies, parks and other businesses.
The data is shown as aggregated statistics, and the company isn’t publishing the real-time movements of individual users or the places they have visited, Jen Fitzpatrick, a senior vice president, and Karen DeSalvo, Google’s chief health officer, said in a blog post. It’s the same technology that powers the Google tool that predicts how crowded a restaurant or bar is.
“In doing so, Google’s project has illuminated the growing global debate over the role that data-rich tech giants should play in a public health crisis,” Tony writes. “With detailed dossiers about billions of users at its disposal, and insights about their behavior that rival what most governments can discern on their own, the whole of Silicon Valley is confronting an unprecedented dilemma — how to balance people’s privacy with fighting a pandemic.”
The search giant also signaled it would share anonymous “mobility” data with select, unspecified researchers that would help them “forecast the pandemic.”
NIBBLES: A top Amazon executive suggested the company’s senior leaders push back against workplace safety criticism by trying to shift the focus on an activist warehouse worker it had fired just days earlier, according to leaked meeting notes obtained first by Vice's Paul Blest. The inside look at the meeting, which Amazon chief executive and Washington Post owner Jeff Bezos reportedly attended, provides a rare glimpse into how top company executives approach the efforts by workers to obtain safer workplace conditions and better pay.
“He’s not smart, or articulate, and to the extent the press wants to focus on us versus him, we will be in a much stronger PR position than simply explaining for the umpteenth time how we’re trying to protect workers,” Amazon General Counsel David Zapolsky wrote about recently fired worker, Chris Smalls. “Make him the most interesting part of the story, and if possible make him the face of the entire union/organizing movement.”
My colleague Jay Greene confirmed the contents of the email.
Amazon says that Smalls was fired for going into work after he was instructed to go on paid sick leave after coming into contact with a co-worker who tested positive for the coronavirus. Smalls claims the company retaliated against him for organizing a walkout on Monday.
“I was frustrated and upset that an Amazon employee would endanger the health and safety of other Amazonians by repeatedly returning to the premises after having been warned to quarantine himself after exposure to virus Covid-19,” Zapolsky said. “I let my emotions draft my words and get the better of me.”
Zapolsky noted that other executives, including the company's head of human resources and head of operations and customer service, generally agreed with the strategy. Executives also discussed how Amazon could generate goodwill by donating masks to police departments and its struggle to source masks from China.
New York state and city officials are now investigating Smalls's firing.
BYTES: Google will revise its ban on political ads about the coronavirus after facing pressure from Democrats who said it would give Republicans an unfair advantage in campaigning, Emily Birnbaum at Protocol reports. The company will release guidance for political advertisers in the next few days. Government entities, medical providers and nongovernmental organizations will also be able to advertise about covid-19 with some limitations as of yesterday.
“We also realize that covid-19 is becoming an important part of everyday conversation, including a relevant topic in political discourse and for many advertisers in different sectors, and we're planning to allow more advertisers to run ads related to covid-19 as soon as we're able to do so safely,” Google said in a statement.
Google previously only allowed covid-19 ads from government agencies. Political advertisers on the left who slammed Google's ban on political coronavirus ads expressed cautious optimism about the new guidelines though they expressed frustration the company didn't release a timeline for the changes.
“It's obviously the right move — I don't know how they thought that was a tenable position,” Patrick Stevenson, the chief mobilization officer of the Democratic National Committee, told Emily. The old policy hamstrung Democrats from running ads criticizing how Trump and other Republicans handled the pandemic, Democratic strategists previously told Emily.
Some political strategists are still reluctant to use the crisis in ads, however. “I think as a matter of strategy you shouldn't be using terms like 'coronavirus' and 'covid-19' to market to voters right now,” Eric Wilson, a Republican digital strategist, told Emily.
Google also announced that it would put more than $6.5 million in funding to fact-checkers and nonprofit organizations fighting misinformation around the world, starting with coronavirus misinformation, Sara Fischer at Axios reported.
— Venture capital-backed start-ups will be eligible for nearly $350 billion in small-business loans after initial confusion over whether they could qualify for coronavirus stimulus relief for small businesses, House Minority Leader Kevin McCarthy (R-Calif.) told Axios's Dan Primack yesterday.
“I just got off the phone with Treasury Secretary Mnuchin, and this is going to be solved,” McCarthy told Dan.
The Treasury Department will issue guidelines within in the next day or two, McCarthy said after talking with Mnuchin. Initially it seemed like start-ups would be excluded from the “Paycheck Protection Program,” which provides loans of up to $10 million to companies with fewer than 500 employees, because of complex affiliation rules that predate the coronavirus rescue package.
House Speaker Nancy Pelosi (D-Calif.) and Rep. Ro Khanna (D-Calif.) also wrote to Mnuchin and Small Business Administration chief Jovita Carranza on Tuesday urging them to clear up the confusion, as we first reported.
—A more than two-year delay in updating the website of the D.C. Department of Employment Services has added to chaos at the agency as residents flood the agency with unemployment claims, my colleagues Fenit Nirappil and Darran Simon report.
“Because the online claim-filing system relies on programming language dating to the 1950s, it took more than two weeks for developers to remove a question about applicants’ efforts to find other jobs, even after officials waived that requirement,” they write.
— More news from the public sector:
— News from the private sector:
— News about the tech workforce: