Zoom Is a Nightmare. So Why Is Everyone Still Using It?
Since the coronavirus started spreading, our little computer and phone cameras have become windows from our isolation, looking into other people’s lives, catching glimpses of pets, children, and spouses in the background of video calls. I find these moments deeply humanizing; reminders that we’re not perfect work machines, just people trying to do the best we can. Our hair is messy, our faces poorly framed and lit. Sometimes we leave the mic on when we go to the bathroom.
Through this tiny lens we see the ambient background of life: people working in kitchens, bedrooms or spare rooms, the hoarded detritus of life piled behind them. A colleague, I learned from a video call, uses an ironing board as a desk. Another works from the sofa. One collects stuffed hedgehogs. You’ve probably had similar insights about your colleagues. Quite possibly you’ve learned many of these things through Zoom.
Until a few weeks ago, Zoom was barely known outside of the world of enterprise IT. But now it is everywhere. Schools and hospitals have it, before being taken into intensive care the U.K. prime minister spoke to the cabinet through it, even my mum’s ukulele group uses it. Zoom has added more customers in the last month than it did in the previous year.
In many ways this is surprising. The videoconferencing market is saturated with big names. Yet somehow, over the last few weeks, Zoom has become synonymous with videoconferencing.
“What is this black magic?”
When I ask people why they use Zoom, I repeatedly hear the same thing: It’s easy to get started. Even Zoom’s competitors say this. Jim Mercer worked at GoToMeeting when he first tried it. “One click, we were in, and there were 25 feeds of participants at the same time,” he said. “We were like, ‘What is this voodoo?’” His words are echoed across the industry. Security researcher Jonathan Leitschuh became fascinated by how an “amazingly simple Zoom feature” worked. “What is this black magic?” he wondered.
The answer caused Zoom to shoot to prominence in the security community last July for all the wrong reasons. If you don’t follow security exploit news, then you might think that experts thought Zoom was secure before the pandemic hit. But, they didn’t. Last summer, Leitschuh discovered Zoom secretly installed software to bypass security mechanisms so it could launch with fewer clicks. This came at a cost. It was equally easy for hackers to start webcams and secretly watch users without their knowledge. Worse, the bug remained, even if the user uninstalled Zoom. Zoom’s witchcraft was a deal with the devil.
Zoom has added more customers in the last month than it did in the previous year.
To give a sense of the seriousness of this security issue, within three days Apple force-deployed a silent update to every supported Mac in the world to remove the Zoom component. According to TechCrunch, Apple has never before taken “action publicly against a known or popular app” like this.
Yet, Zoom defended its decision. “Our customers have told us that they choose Zoom for our frictionless video communications experience,” the company wrote in a blog post. Even Zoom’s chief information security officer supported bypassing security measures: “Installing this process in order to enable users to join the meeting without having to do these extra clicks — we believe that was the right decision.”
Security experts compare Zoom’s behavior to a virus. When you first use the app, it installs itself before you press the install button. Like a virus, it is riddled with careless mistakes. When I peeked at the code, I noticed a process called “zoomAutenticationTool.” That’s not my typo, but a misspelling in the application code itself. Another message reads, in broken English: “System need your privilege to change.” Zoom is like a phishing attack, designed to weed out the gullible. As we shelter in our homes from one virus, we’re opening our computers up to another one.
What’s more, the company just lies. Even today the website claims in multiple places that Zoom supports end-to-end encryption. This is another bit of devilry since, “group video conferencing is difficult to encrypt end to end,” according to professor of computer science Matthew Green. Generally, there are two choices for group video — it can be encrypted or it can work well. So how does Zoom manage to do both? Quite simply: it doesn’t. Its website lists encryption as a feature, its security white paper covers it, but Zoom cannot do it. Although they’ve promised to try.
The company’s response at times engages in a Wittgensteinian debate about the nature of language itself. “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” a spokesperson told The Intercept. But this is not what everyone else means by end-to-end encryption. It’s difficult not to compare Zoom with Humpty Dumpty in Alice Through the Looking Glass, making up his own definition for glory. When Alice challenges him he responds, like Zoom, “When I use a word it means just what I choose it to mean.”
There’s no glory in Zoom’s end-to-end encryption.
As a result, Zoom is banned by the U.K. Ministry of Defense, SpaceX, Apple, Google, NASA, and many school districts, including New York City public schools. The FBI issued a warning about its use, the New York State Attorney General launched an inquiry and it was sued in the U.S. Federal Court.
Zoom continues to see its usage grow. It’s easy. It has name recognition. It “just works.”
Slack, Zoom, Google Hangouts: Are Your Remote Work Apps Spying on You?
It’s time to double-check your settings
A bunch of borrowed resources
No one expected Zoom to do well. There was just so much competition. And not any old competition: Microsoft, Google, Apple, Facebook, Cisco. When Zoom launched, investors were skeptical. “It would require flawless execution,” said one. Even those who did invest were pessimistic. “Everyone in venture capital thought it was a terrible idea,” said Jim Scheinman of Maven Ventures. “Most investors incorrectly thought that the existing products like Skype, Webex and others were solving this problem.”
Zoom was founded by Eric Yuan, a software engineer from the videoconferencing company Webex. In 2007, Cisco bought Webex and promoted Yuan to run the engineering team. But, according to Forbes, after three years Yuan could see there was a problem with Webex: “The service simply wasn’t very good.”
Videoconferencing is difficult. Users need to install complicated pieces of software, create accounts, and click alerts to access cameras and microphones. It has to support a variety of devices, all with different capabilities, and users trying to connect on weak Wi-Fi that keeps dropping. Too many people on a call at the same time strains connections. People are not very good at video calls. The smallest delay causes people to talk over each other or stop talking, creating awkward pauses. When it becomes too frustrating, it’s easier to just pick up the phone.
Yuan left Cisco and set out to build a cloud videoconferencing application that would solve these issues. He hired a development team in China and took with him 30 former colleagues. One Cisco senior manager described Zoom to Forbes as “a bunch of borrowed resources from Webex.”
The focus on ease of use, at the expense of everything including security, helped Zoom overcome barriers. And, unlike competitors, Yuan had a clean slate to start from. Software gets out of date quickly and Cisco, Microsoft, and others had an issue that Yuan did not: legacy code. Yuan did not have old software to maintain, so his energy went into building a new product using the latest technologies. At Cisco, Yuan had predicted this: “Someday someone is going to build something on the cloud, and it’s going to kill me,” he said at the time. As it turned out, he was that someone.
Zoom is like a phishing attack, designed to weed out the gullible.
Just look at the alternatives to Zoom. Google Hangouts is unreliable, with strange UI features, the result of a confused and fractured product line of apps: Google Buzz, Google Allo, Google Messages, Google Voice, and so on. Apple introduced basic group FaceTime barely a year ago and it was quickly exploited by a teenager. And even after fixing the security flaw, FaceTime itself is exclusive to Apple. This renders it unusable if even one person doesn’t have a modern Apple device. Skype has languished under Microsoft. Expectations have increased over the years and it has not kept up, offering lower quality video and unreliable service. WhatsApp video doesn’t work on desktops or iPads. And even if you look past these issues, most products have restrictions. Skype has a 50-person limit. Google Hangouts only allows 10 participants.
While the competition seems steep, when you get down to it, most products rule themselves out with one or two major showstoppers.
Your administrator has updates for you
There is another thing Zoom has going for it. Many users don’t have a choice. If your company or school starts using Zoom, or if you want to join a public event that is broadcast on Zoom you can either join by Zoom or you cannot go to the meeting.
Zoom pursued companies aggressively. “Our platform was built primarily for enterprise customers,” Zoom wrote on their website as an explanation for their shortcomings. But, as John Gruber points out, while this may be true, it is disingenuous: “It makes no sense […] that a product purportedly designed for the enterprise would have lousy security and privacy.” Maybe it would be more accurate to say Zoom went after enterprise customers at all costs. Justifying one issue, Zoom’s chief security officer said, “it was [at] the request of some of our customers.” Zoom’s customers wanted features that were impossible to implement without hacks. And to land the contracts, Zoom hacked.
Once an IT department deploys Zoom to its computers and phones, employees have no choice. If mandatory team meetings are on Zoom, employees have to join. When questioned about Zoom, a U.K. government source said, in a line that you could imagine appearing on the Zoom website: “The app was quick to set up between the varying systems used by different government departments.” Zoom was easy to install, and in the current climate, the government needed it to work more than they needed it to be secure.
The source added that “over time, a more coherent system was expected to be introduced,” but I can already see that falling to the bottom of the IT to-do list. Rolling out technology at scale is hard, but even harder is unrolling out technology. Once users have something that works, it is hard to move to something that gives no additional value, especially if it requires more clicks. Contracts are difficult to end and during this time of international belt-tightening does anyone really want to pay more to carry on doing what they were doing?
Why not use Zoom?
While Zoom claims to be an enterprise product, it has been courting consumers for a long time. It has free tiers and features that are hard to believe were put in to satisfy business needs: virtual green screens, a “Touch up my appearance” feature, and integration with the Snap Camera that lets you join a meeting as a potato.
I’ve been pondering this for a while: How do people pick a new piece of software? When I’m choosing an app just for me, I might browse through an app store or look at recommendations. Where possible I want an app that I can trust. Trust is a slightly woolly concept, but in this context it can just mean an app that I’ve heard of. We’re more likely to use Zoom, just because we’ve heard other people talking about it, than we are to use, say, Highfive or Zoho Cliq. Even though they might be better.
And videoconferencing, like messaging apps, requires a joint decision, which is hard, as anyone who has tried to choose a restaurant with a group will know. Regression to the mean kicks in and people consolidate around the least offensive option. Zoom was in prime position to be exactly this. It was easy to use, was familiar from work, and had a free tier. And who doesn’t want their wrinkles to be smoothed?
When rolling out Slack, Stuart Butterfield discussed the difficulty of getting traction. “Every member has a veto — multiplying the product’s risk of rejection,” he said, “If one engineer at a startup tries Slack and says, ‘I hate it. I am not going to use this,’ that’s it for us.” Zoom benefited from this as it became the default choice. In social settings people go for what they know, and are happy with a simple solution. My mum’s ukulele group, for example, isn’t going to issue an RFP and run a procurement exercise. They don’t even want to try different video apps, they just want one good enough so they can get back to their ukuleles.
It’s hard to be the person to say to all of your friends, “actually, I don’t want to use Zoom because of its security issues.” There’s a risk of sounding like the conspiracy theorist in a tinfoil hat. If you veto Zoom, it becomes your responsibility to find an alternative, and as we’ve seen, the competitors have issues. Far easier to submit to peer pressure when someone says, “shall we just use Zoom as we all know it works?” The reality is most casual users will never experience any problems from Zoom’s lack of security and privacy, and so the issues become difficult to care about in practice.
Rolling out technology at scale is hard, but even harder is unrolling out technology.
One of the things I find strange is that for an app that is famously easy to use, Zoom actually… isn’t very easy to use.
A criticism Yuan leveled against Webex was that it “lacked modern features like screen-sharing for mobile.” But the instructions for screen-sharing on Zoom’s iOS app consist of 13 byzantine steps, including changing control center settings and obscure features that most users will be unfamiliar with. Many users will never realize they can do this.
More generally, the interface is confusing. For new users, it’s easy to end up in one meeting with everyone else on hold in another, waiting for the leader to join. The controls are inconsistent across platforms and Zoom’s default settings are unhelpful. The web application is disabled, meaning users have to install the application rather than opening their browser. For all the talk of simplicity, Zoom has made some bizarre choices.
But, you know what? It’s good enough. Many people using Zoom today will have no prior experience with videoconferencing so have nothing to compare it with and will be unaware of viable alternatives.
As David Hansson, creator of Ruby on Rails and founder of Basecamp, says, “What pains me about Zoom being such sleazeballs when it comes to both security and privacy is just how unnecessary it is.” In a way, I understand (even if I disagree with) their decision to bypass security features to make the app easier to install, but using private video to sell ads is an unnecessary own goal.
With the coverage of Zoom recently, the company has dropped into the trough of disillusionment. People are looking for alternatives and Zoom has published statements and even offered a webinar (that you had to use Zoom to join), promising to do better next time. Yuan declared “a feature freeze, effectively immediately, and shift[ed] all our engineering resources to focus on our biggest trust, safety, and privacy issues.”
In a way, I feel sorry for Yuan and his team (at least, as sorry as I can for a multi-billionaire whose product plays fast and loose with security). “Eric Yuan founded Zoom in 2011 to deliver happiness,” his profile on the Zoom website reads, and I can’t tell if that’s WeWork-style chicanery or guileless naivety. Yuan didn’t ask for Zoom to be thrown into the spotlight so abruptly. The world turned its attention on his software sausage factory, peeled the skin and spotted all the rat meat. For years, Yuan’s team have had non-technical customers demanding features that required security to be compromised and, while it was their responsibility to push back, money was on the line. The very media outlets that are now criticizing Zoom have been praising it for years. Zoom “turned frustration into a $1B valuation,” “mastered the art of profitable growth,” and offered “leadership lessons in execution & authenticity,” Forbes said just last year. Now their headlines read: “most should avoid an ‘out of control’ Zoom.”
In many ways the most worrying thing about this is how many other companies behave in a similar way to Zoom, but haven’t had this level of public scrutiny. This is not to let Zoom off the hook, but the whole system we have shares some of the blame. It’s hard not to point fingers at capitalism, at least a little bit. As I write this, Zoom’s shares are trading at twice the price they were a year ago. Investors heap praise on companies for making money and consumers rush to what is easy and cheap. Is it a surprise that Zoom crossed the line?
I’ve decided this all comes down to dancing pigs. Bruce Schneier described it like this in his 2000 book Secrets and Lies: If a user “clicks on a button that promises dancing pigs[…], and instead gets a hortatory message describing the potential dangers of the applet — he’s going to choose dancing pigs over computer security any day.”
I find myself using Zoom, joining dozens of calls and conferences each week through it. Zoom offers something the world needs. And the world needs it enough that even governments are holding their noses and clicking install. The question is: once these “exceptional” times are ceptional again, will people and companies drift away to “more coherent systems,” or will the lure of setting your background to the Death Star be enough to keep us all on Zoom?