Zoom CEO: I really messed up on security as coronavirus drove video tool’s appeal

The whiplash has left Mr. Yuan trying to appease upset users and figure out what went wrong—and rethinking a company culture that for nearly a decade was focused on ease of use.

“‘If we mess up again, it’s done,’ I thought a lot last night,” he told The Wall Street Journal in an interview Friday, after what he said was a sleepless night.

Among the privacy features Mr. Yuan now promises is an option for end-to-end encryption to safeguard conversations, he told the Journal. Zoom had previously advertised such a feature, but security experts discovered the underlying technology provided a lesser level of data protection. The full-encryption feature won’t be ready for a few months, Mr. Yuan said.

He has faced adversity before. His first several applications to move to the U.S. from his native China were rejected, before he was finally able to make the leap in 1997. He worked at a videoconferencing company that was acquired in 2007 by Cisco Systems Inc., leaving in 2011 to found San Jose, Calif.-based Zoom. His priority, he says, was a frictionless user experience for business customers. But that left holes in security settings.

Use of Zoom exploded as the coronavirus pandemic has forced more people to stay home. Where once it enabled client conferences or training webinars, it is now also a venue for virtual cocktail hours, Zumba classes and children’s birthday parties. It became the most downloaded free app on Apple’s iOS App Store, leapfrogging bigger names like TikTok, DoorDash, and Disney+.

The number of daily meeting participants across Zoom’s paid and free services has gone from around 10 million at the end of last year to 200 million now, the company says. Most of those people are using its free service.

Zoom’s initial public offering just under a year ago was one of 2019’s most successful, making Mr. Yuan a billionaire. While the stock market has taken historic tumbles over the past month, Zoom’s shares are up.

But the platform’s surging popularity has attracted trolls and hackers, as well as scrutiny from privacy advocates. The practice of “Zoombombing”—where people gain unauthorized access to a meeting and share hate-speech or pornographic images—entered the popular vernacular almost overnight. Security experts found publicly highlighted problems with Zoom’s technology could leave user data vulnerable to outsiders’ exploitation.

The Federal Bureau of Investigation issued a warning Monday about videoconference hijacking, spurred in part by Zoombombing incidents. In the U.S., 27 attorney general’s offices have raised questions about privacy issues, Zoom said, adding it is cooperating with authorities.

On April 1, Mr. Yuan issued a lengthy blog post on Zoom’s website vowing to devote all his engineers to fixing trust, safety and privacy issues.

“I thought I was letting our users down,” he told the Journal on a video call, using a Zoom virtual background depicting the Golden Gate Bridge. He hasn’t had more than 4½ hours of sleep a night in the past month, he said. “I feel an obligation to win the users’ trust back.”

To some extent, Mr. Yuan is paying the price for well-meaning decisions he made early during the coronavirus crisis. When it hit China late last year, he quickly moved to make Zoom more widely accessible for free so medical professionals and others could remain in touch. When financial analysts in early March asked him how Zoom would stand to benefit from its sudden popularity—then still mainly overseas—he said “support for each other is more important than revenue.”

Though he gives no hint of regretting that choice, Mr. Yuan now says “sometimes you have a good intention, and sometimes you get punished,” adding “we need to slow down and think about privacy and security first. That’s our new culture.”

Security researchers also have scrutinized Zoom’s links to China. Researchers at the Citizen Lab, a security research group affiliated with the University of Toronto, on Friday said Zoom used an encryption technology that is considered substandard, and that in certain circumstances the company stored encryption keys—long strings of numbers and characters that can be used to access encoded communications—on servers based in China.

Brendan Ittelson, head of technical support at Zoom, said because of the distributed nature of the company’s infrastructure, meeting data can be routed through different data centers around the world. Zoom’s system first tries to send this data locally, but if the connections fail, the backup route might send it elsewhere.

The encryption setup could give sophisticated hackers—those working for a government, for example—a way of listening into Zoom conferences, said Bill Marczak, a research fellow at Citizen Lab.

“We’re not claiming that this is evidence that you should forever delete the app,” he said. “If you’re having a virtual hangout with our friends, you’re probably fine. If you’re discussing classified information, you should maybe think twice.”

Zoom had created a system to prevent this data from being sent through China when calls originate in the U.S. But when traffic surged starting in February, some data was mistakenly routed that way, the company said, adding that it has remedied the problem.

Critics also have questioned whether Zoom’s heavy reliance on China-based engineering could pose a security risk.

“Zoom’s operations in China were always a concern, but less of a priority when highly sensitive conversations about company or government secrets—or about people’s private medical health information—primarily took place offline in an office,” said Jacob Helberg, a senior adviser of Stanford University’s Cyber Policy Center and formerly a policy adviser at Google. “Now a significant portion of these conversations have moved to Zoom.”

Mr. Yuan said the Chinese government has never asked for information on traffic from foreign users. Zoom was banned inside China for two months last year because it was a U.S.-based company that wasn’t formally registered in the country, Mr. Yuan said. Zoom formally registered within China last year and, Mr. Yuan, said authorities there care only about local meetings.

The backlash against Zoom hasn’t come just from security professions. Some corporate users have dropped the platform, including Elon Musk’s Tesla Inc. and Space Exploration Technologies Corp., Mr. Yuan said.

“I really messed up as CEO, and we need to win their trust back. This kind of thing shouldn’t have happened,” he said.

Tesla and SpaceX didn’t respond to requests for comment.

The barrage of criticism has left Mr. Yuan feeling like someone has put his company in their crosshairs.

“Every day has felt like something is behind this trying to destroy us,” Mr. Yuan said. But he is too busy right now to spend time on such suspicions.

At this point, Zoom’s mass popularity is something Mr. Yuan suggests he would rather not have had. “Hopefully we can go back to business customers after this,” he said. “But the good news—if we can learn the hard lessons and become better and stronger and we can win users back, in one or two or three years, it may have been worth it.”

He added: “But the journey is so painful.”

―The Wall Street Journal