Zoom’s Board Of Directors Should Commission An External Investigation On Security And Privacy Lapses

By Patrick Moorhead - April 23, 2020

This morning, Zoom CEO Eric Yuan published an update to the company’s 90-day plan to improve the service’s well-documented security and privacy issues. Zoom needs to act fast else see its future business prospects fade into oblivion. We’re already seeing class-action and investor lawsuits and this is just the beginning. The company seemed to be doing well flying under everyone’s radar until the COVID-19 virus thrust its admitted lack of privacy and security into the spotlight. It got so bad that the FBI needed to issue an alert here. The company also admitted that its service, does not, in fact, support AE256 encryption, end- to-end encryption and that it cannot guarantee secure geofenced encryption keys. Zoom says it actually support TLS encryption for data transport, AE128 encryption, a home-grown modulation scheme and admitted to storing keys in China for some calls between the US and Canada. Not good at all.

This morning Zoom announced that it would:

  • Form a CISO Council and Advisory Council within that council with companies from HSBC, NTT Data, Procore, and Ellie Mae. Zoom says “The purpose of the CISO Council will be to engage with us in an ongoing dialogue about privacy, security, and technology issues and best practices — to share ideas, and collaborate.”
  • Alex Stamos, a Stanford Adjunct Professor and former Facebook CSO will join as “advisor.” Zoom says, “He is a fan of our platform and will no doubt help us implement controls and practices that are best-in-class.”
  • Zoom will host weekly privacy updates to the pubic. This is a really good move toward transparency and will be sure to attend each one of them.

I believe these are good moves by Zoom, but still don’t do enough to demonstrate the level of trust that the company needs to regain. In my 30 years of work as technology executive and now President and CEO of a top-ranked tech industry analyst firm, I have personally served on many boards and currently sit on no less than ten “advisory councils.” The CISO Council, Advisory Council, and adding the much-respected Alex Stamos mean little to me without knowing what happened inside Zoom for it to get to this place without a huge degree of transparency. What we don’t know is how all of this happened at Zoom, why it happened, and who authorized it. Advisory boards are only as valuable as the insider information Zoom will be willing to share, and that matters.

Therefore, I recommend the Zoom Board of Directors:

  • Commission an outside firm to audit how Zoom made its admitted privacy blunders and how and why it misled the public on its degree, method, and type of security protocol. This report should be made publicly available. I interface with many boards of directors, have served as a chairman of the board, and will tell you that boards do this a lot. Given the class-action lawsuits that are already being levied on Zoom, if it goes to discovery, this information will surface anyways but could take years. If there are settlements, we may never know this information. I believe Zoom’s customers deserve answers now, not in a few years when and if this blows over.
  • Live-stream, on Zoom, of course, the CISO Council and Advisory Board meetings and publish a written transcript.
  • Alex Stamos public report, within two weeks, on Zoom’s security and privacy lapses we don’t know about yet.

The Zoom Board of Directors include Bart Swanson of Horizon Ventures, Carl Eschenbach of Sequoia Capital, Dan Scheinman an “Angel Investor”, Eric S. Yuan of Zoom, Jonathan Chadwick a “Private Investor”, Kimberly L. Hammonds, Independent Board member, Peter Gassner of Veeva Systems, and Santi Subotovsky a partner at Emergence Capital.

I’ll reiterate- the most important question is if we can trust a company who has said so much that turned out to be wrong for so many. I genuinely want Zoom to succeed as it set a certain bar for consumer experience, granted sometimes at the expense of privacy and security, but pushed its competitors to do better. More competition is always better to increase and accelerate innovation and lower costs. I also passionately believe that privacy and security is a fundamental human right and companies that violate the government, consumer and business trust must be held to account. I make mistakes myself and there’s no tech business that’s perfect on privacy and security at all times because it’s a constantly moving target, but I think many of the things Zoom has admitted to are different and signify a cultural issue that must change.

Patrick Moorhead
+ posts

Patrick founded the firm based on his real-world world technology experiences with the understanding of what he wasn’t getting from analysts and consultants. Ten years later, Patrick is ranked #1 among technology industry analysts in terms of “power” (ARInsights)  in “press citations” (Apollo Research). Moorhead is a contributor at Forbes and frequently appears on CNBC. He is a broad-based analyst covering a wide variety of topics including the cloud, enterprise SaaS, collaboration, client computing, and semiconductors. He has 30 years of experience including 15 years of executive experience at high tech companies (NCR, AT&T, Compaq, now HP, and AMD) leading strategy, product management, product marketing, and corporate marketing, including three industry board appointments.