Zoom's mistake, an opportunity for others

Disclaimer: I am a privacy advocate who helps software companies track customer’s usage of their products.

Zoom is getting a lot of bad press due to its (mis-)handling of privacy and security. Among others, I've read articles in The Intercept1, The Interface2, The Guardian3, and Citizen Lab4.

I think some very important context has been missing in everything I've read so far. Zoom has undergone an unprecedented change in privacy expectations from users who are new to the tool and now they are paying a high price. However, the reality is we could criticise most software companies (and those that report on them) for how they handle privacy. What we should be demanding is a better version of something I call the Privacy Experience. Read on for more...

Zoom's security practices to date have been objectively terrible and I have been skeptical of them ever since their poor handling5 of the security issue last year that allowed any malicious website to enable your camera without your permission. But most, like the ability to join a meeting uninvited (Zoom Bombing), have been addressed already. That's pretty impressive.

Practically overnight, the web-conference software built for a small part of the world's businesses has become a part of daily life for half the world's individuals due to COVID-19 (10M daily users to 200M6).

This means that their product remains unchanged while the context in which Zoom is operating and therefore the expectations of their users, has undergone the world's largest and fastest involuntary pivot.

Zoom has had to deal with "Zoom-bombing" pranksters, scrutiny from the New York Attorney General, targeted attacks7, and probably an extremely disproportionate amount of users on free plans using the service compared to paid business plans. This would have a serious negative impact on their business plan. They have been labelled “Malware”, a “Privacy Disaster”, and described in ways that are totally inaccurate8 because Zoom is in fact a "consumer design for businesses", not "designed for consumers". The only consumers who were using Zoom before COVID-19 would have most probably been those who learned about it at work.

What we see now, is Zoom scrambling to respond by bridging the gap between new expectations of a tool from users that were never the intended audience. This would be the same for consumer-focused WhatsApp if overnight half the world's businesses started using WhatsApp in scenarios for which it was never designed.

I've not read of any malicious wrong doing on their part - the issues have stemmed from either (low) priority being placed on them or not actually knowing the issues existed. Unless you're working in highly secretive environments or value your privacy more than the value you get from using Zoom, there's no reason to stop using it. Though this same statement is applicable to all products with poor privacy measures, particularly those with advertising-based business models like Facebook, Instagram, and Google.

Security aside, there is a lot of surprise about the privacy implications of Zoom’s data collection methods. I wonder if this surprise is genuine or fabricated to exaggerate the demonising labels.

Did you know that this kind of data collection is not unique to Zoom? 99% of software companies that have read these reports are thinking one of two things right now:

  1. So what, we do this too.
  2. Oh shit, we do this too.

Put any software company - particularly B2B - under the same scrutiny as Zoom and you will find they do similar or worse things than what has been reported.

Fact: Companies collect data about us and what we do. I believe the majority of companies that collect data do so with good intentions: to increase sales, improve the product, or learn about their customers so as to add value for both parties. It is unlikely that data collection will stop. Almost everyone reporting on Zoom right now has their sites littered with the same ad networks and tracking tools that they criticise Zoom for. Some use far more.

I don’t think data collection is bad in and of itself. I think it actually doesn't matter. What does matter is:

  1. Consumers are not told what businesses want to collect, why they need it, or who they want to share it with.
  2. Consumers are not asked for permission.

This information is typically written in difficult to understand language buried deep in an unreadable mass of legal text (privacy policy) or poorly designed and annoying popups in an attempt to comply with privacy laws. Which does nothing to inform or empower customers and users.

I refer to this as the "Privacy Experience" – the experience of privacy (or lack thereof) that companies unintentionally create for customers and users when collecting data and publishing only what they’re legally required to. I have researched it over the last year and can count on one hand the companies that do it well. One example is IKEA's latest consent management featires within their app.

Companies have an opportunity to lead by example and go beyond legal compliance to create Privacy Experiences that build trust, which is critical to customer purchasing intent and advocacy.

I'm committed to helping software companies define this new future.

If you lead Product or Marketing at a software company, drop your email address in the form below to hear more from me on this topic. You may also be interested in my Customer Data template which helps you collect data with care and intent.

My head is overflowing with thoughts on this topic so if you want to chat, reach me via email, Twitter, LinkedIn, or Keybase. We can jump on a Zoom call 😂.