Washington to Zoom: Welcome to the hot seat
Zoom has zipped at hyperspeed along an all-too-familiar arc for hot Silicon Valley startups — from a ubiquitous D.C. darling to an object of suspicion and scrutiny.
Just weeks after emerging as the video platform of the locked-down era, where millions of people and some of Capitol Hill's biggest players are holding business meetings, yoga classes, play dates and happy hours online, the nine-year-old California company faces scrutiny from Congress and elsewhere for a barrage of security and privacy lapses. Those include revelations about leaked videos, undisclosed sharing of personal data, weaker-than-advertised encryption and a disturbing new form of mass harassment known as “Zoom bombing.”
The furor has already brought a class-action lawsuit in California, investigations by attorneys general in states such as Connecticut and Florida, and pressure from members of Congress to tighten its practices. It also increases the odds that whenever the Capitol returns to normal, Zoom — a company with up to now little-to-no Washington lobbying muscle and almost no history of campaign donations — will join industry giants like Facebook and Google in the hot seat of D.C.’s tech backlash.
The speed of Zoom’s political rise and fall has been dizzying, considering how many years it took for much larger tech companies to see their popularity curdle in Washington.
“There’s a new thing almost every hour,” Justin Brookman, consumer privacy and technology policy director for Consumer Reports, said of the stream of damaging Zoom revelations.
“It’s like if Facebook had operated for 10 years under the radar and all the questionable project decisions that they made kind of got baked in, and then all the sudden they became wildly famous and then it all came to [a head] at once,” he added.
Zoom Chief Executive Eric Yuan, who founded the company in 2011, chalked up its latest woes to the sudden glare of the spotlight, writing this week that “we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.”
The company said the peak number of daily participants on its conferences has multiplied more than 20-fold from December to March, soaring above 200 million a day. Zoom has also quickly become a staple on Capitol Hill, with lawmakers including Senate Minority Leader Chuck Schumer and Silicon Valley's own Rep. Ro Khanna (D-Calif.) publicly using the service for meetings and Q&As with reporters.
Yuan promised to focus the company’s resources over the next three months on addressing the regulatory and consumer concerns. But lawmakers and other government leaders said they’re not letting up until the company takes meaningful steps to fix its flaws.
“My concerns have not been allayed at all,” Sen. Richard Blumenthal (D-Conn.) said Thursday in an interview, referring to the use of “Zoom bombing” to spread hate speech and pornographic content in settings like online classes. "A blog post is no substitute for action and the vile hate groups are continuing to harass Zoom users, intruding on their meetings and spreading their abuse, and I want to see Zoom actually protect its users, not just try to message the problem away.”
Sen. Marsha Blackburn (R-Tenn.) said Zoom’s security lapses could disrupt efforts to cope with the coronavirus pandemic.
“As so many American businesses depend on video conferencing services to keep our economy going during this pandemic-forced new normal, we cannot risk complacency in our online privacy and security,” Blackburn said in a statement. “Zoom must do more to enact stronger security standards and immediately halt unauthorized data sharing with third parties.”
Yuan, a Chinese-born billionaire who worked for rival video conferencing provider WebEx and the networking powerhouse Cisco, helped lead Zoom to a multibillion-dollar valuation in the late 2010s. His company has risen to prominence despite facing steep competition from behemoths like Microsoft-owned Skype, in part due to Zoom's easy-to-use interface and the absence of sign-up requirements.
But as the pandemic has catapulted Zoom into the spotlight, the public pressure on the company and its CEO is only growing.
Blumenthal demanded in a letter Tuesday that Zoom disclose what data it collects, stores and shares. New York state Attorney General Tish James separately pressed Zoom in a missive “to ensure the company is taking appropriate steps to ensure users' privacy and security are protected,” a spokesperson for the AG confirmed to POLITICO.
Sen. Ron Wyden (D-Ore.), a top privacy and cybersecurity hawk, also said Wednesday he’s “looking into” reports of vulnerabilities in the service. “As government agencies, companies, and educational institutions rapidly shift to teleworking, it is vital that the video conferencing tools used by tens of millions of Americans every day are secure,” he told POLITICO.
In interviews with and statements to POLITICO over the past few days, public officials indicated that those efforts are starting to coalesce.
Blumenthal, for one, said he’s discussed his concerns over Zoom’s conduct with Senate colleagues and law enforcement officials, including James and other state attorneys general. “I think there’s some common themes in the scrutiny that Zoom is receiving,” he said, such as privacy, security and harmful content.
Connecticut Attorney General William Tong said Friday that his office is investigating "what Zoom does to protect people on its platform.”
"We’re in the investigation stage and we’ll know more as we get more information from Zoom and through our inquiry,” he said, hours after POLITICO first reported that Connecticut and other states are banding together to look into the company’s practices.
Florida Attorney General Ashley Moody is part of the coordinated effort and has been in contact with Zoom, her spokesperson told POLITICO on Friday. On Tuesday, an online University of Florida student meeting fell victim to a “Zoom bombing” incident in which an intruder on the platform bombarded participants with racist messages, swastikas, pornography and death threats.
In an interview with POLITICO on Friday, Zoom Chief Legal Officer Aparna Bawa said the company fully intends to comply with the information requests it has received from U.S. officials.
"We as a company, our culture is based on transparency, even internally, and we take privacy and security very seriously," she said. "We definitely understand that our customers have choices about what they can use and we have an obligation to take it very seriously. We're very committed to it, so absolutely, yes."
Bawa said other regulatory bodies have contacted the company, beyond those publicly disclosed, but declined to specify further.
Yuan said Zoom will stop producing new features for the next three months and will instead be “shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.” Zoom over the past couple weeks has also added more details about its data collection practices — which included little-known sharing arrangements with Facebook and LinkedIn — as well as its privacy policy. It has also provided users with more information about how to safeguard themselves against abusive content.
Yuan's remarks and the company's policy changes have drawn praise from some privacy and security advocates. Consumer Reports' Brookman, for one, said Yuan's blog post "struck the right tone." "They've been nimble in response to all of these things coming to light," Brookman added.
Bawa told POLITICO the company is also looking to expand its presence in Washington to bolster its outreach efforts, including recently hiring Bruce Mehlman, a former assistant secretary of commerce for technology policy under President George W. Bush and a co-founder of the lobbying firm Mehlman Castagnetti Rosen & Thomas. The company is also looking to add a D.C.-based government relations official internally, she said.
"We're definitely looking to expand our connections in D.C.," Bawa added. "We definitely think it's very valuable to be part of the dialogue."
But lawmakers and advocacy groups say the company still needs to devote more resources toward protecting users.
“Putting the burden on users is unacceptable," said Blumenthal. "They have a responsibility to do it."
The Connecticut Democrat said he's calling on the company to guarantee all U.S.-based users that their communications will be fully encrypted and to extend them the same rights afforded under two of the world's strongest privacy laws, the California Consumer Privacy Act and the European Union's General Data Protection Regulation.
And to curtail abusive "Zoom-bombing" campaigns, the racial justice group Color of Change urged the company in a letter Monday to "commit to a specific plan to combat the intentional trolling of Black users."
Jade Magnus Ogunnaike, the group's campaign director, said the company should also hire a chief diversity officer to handle such issues.
"We know that this is an issue that can be fixed by Zoom," she told POLITICO. "It just requires a commitment to black users that we're not seeing right now."
Bawa said the company will be "definitely looking into" potentially hiring for the role, but declined to commit to extending state and foreign privacy protections to users nationwide at this time.
"We'll take all of these positions very seriously," she said. "As of now, our privacy policy does reflect the commitment that we're able to make. As I say, this is an ongoing conversation."
