To IGU, re Zoom's integrity

Hi IGU,

It astounds me that you keep attacking Zoom on the basis of management integrity, their CEO being the most dedicated CEO to his customer’s happiness and success that I have ever seen in all my years of investing. I must admit that the concern I had at one time was whether he was excessively focussed on helping his customers rather than stockholders, but as the stock price has risen with increasing earnings and cash flow, I set that concern aside. I acknowledge that he may have been a bit naive about how hackers would attack his platform as it rocketed into prominence, but he seemed to take immediate steps to remediate the problem as it came too light.

At any rate, a 4% drop for a stock that is up over 100% year-to-date, seems to show that the market doesn’t consider this a threat to Zoom’s eventual success.

Since you seem so concerned about denigrating management’s honesty and integrity, when management’s integrity seemed to me to be the most prominent aspect of the company, and the thing that set it apart from many other companies, and in the light of your repeating that attack over and over, I have to wonder whether you happen to be short Zoom, and just haven’t gotten around to mentioning it to us yet, or whether you are just doing it out of the goodness of your heart.

Best,

Saul

I’m a ZM investor.

I for one appreciate IGU bringing to my attention something that I didn’t know about and something that I now will keep an eye on. Doesn’t mew. His point of view is correct, but it is something to be aware of.

More knowledge we have about our investments the better. I for one always want to know the good the bad and the ugly in regards to the companies I invest in or decide not to invest in.

Isn’t this what discussing investments is about?

TMB

At any rate, a 4% drop for a stock that is up over 100% year-to-date, seems to show that the market doesn’t consider this a threat to Zoom’s eventual success.

In the market it feels more to me like a “wait and see”. I’m heavily invested in Zoom, and this news was like a face-slap with a wet trout. I wondered if maybe it was overstated, that maybe, as you suggest, it might have been a short play…

…but then at work this morning a co-employee mentioned it. Twenty some people on the call, and the disappointment was palpable (not sure how you quantify gasps, tsks, etc on a mass call like that). So whether or not we think it’s true or even relevant, the perception is out in the wild now. The Zoom buzzword that was on everybody’s lips is tainted.

So all I can say is the Zoom management team better get out in front of this ASAP, as aggressively as possible, and not only contain the damage, but make sure there is no way they can legitimately be accused of doing this again.

At any rate, a 4% drop for a stock that is up over 100% year-to-date, seems to show that the market doesn’t consider this a threat to Zoom’s eventual success.

Since you seem so concerned about denigrating management’s honesty and integrity, when management’s integrity seemed to me to be the most prominent aspect of the company, and the thing that set it apart from many other companies, and in the light of your repeating that attack over and over, I have to wonder whether you happen to be short Zoom, and just haven’t gotten around to mentioning it to us yet, or whether you are just doing it out of the goodness of your heart.

I believe that today’s 4% drop coupled with prior declines is an opportunity to add to Zoom and have done so.

Wile I surmise that the concerns articulated by IGU are real, after all they are somewhat widely shared, enough so that some investigations have started, I don’t see the need to be concerned. ZM can easily fix the problem and stands to gain if they do. They will certainly not lose.

Further I have noted in several places (but I did not record references) that the CEO of ZM really is concerned about customers and good service. So I’m betting a large chunk of change that he will do so.

I think the ZM privacy concern will be a very short lived episode and the stock will do great.

Here are some comments.

John Gruber’s daringfireball post which attacked ZM, also has him admitting that ZM is the best of breed! https://daringfireball.net/2020/03/regarding_zoom

Alas, Zoom’s video conferencing technology is best of breed, and because Zoom is easy to use and the quality is so high, it is exploding in popularity now that the whole world is working and socializing remotely.

Doc Searls in his weblog states that ZM promply updated their privacy policy.

https://blogs.harvard.edu/doc/2020/03/30/zooms-new-privacy-p…

I personally see Eric Yuan as one of the most sincere and great CEOs in the tech world.

Privacy issues can be fixed. And eventually everyone has no other option but to abide by them, think GDPR, CCPA.

ZM should do great and these issues will go away.

Cheers!
ron

long <AYX, DDOG, OKTA, NET, ZM, CRWD, SQ, ROKU>

Hey Saul,

It rather astounds me that you are questioning my integrity in reporting carefully sourced facts about a company that people here are very interested in. Is there anything I have said that is not informative? Haven’t I been very clear that there’s no particular reason to think this will affect the success for the company? No, I am (as I have said several times) not invested in ZM, and I’ll be more explicit here in saying that my non-investment is of any type, long short or sideways. So yes, I’m insulted by your insinuation.

The concern I have is not so much the security holes, it’s management integrity and honesty. The evidence so far is that they are reactive, not making things better until they are caught and publicly called out. These are not simple “oopsie” bugs, they are deliberate actions taken to make things easier for them. And it’s hard to express just how extreme Apple’s actions were last year in pushing out a silent update to remove Zoom’s bogusly installed server. If indeed Zoom cares about its users then it is only the segment of users who consider privacy and security a minor afterthought.

There is much more detail at the article at The Intercept, summarized here:
https://daringfireball.net/linked/2020/03/31/zoom-e2e
It is not particularly technical. If you care to read it you’ll see that they make it very clear that Zoom’s actions are deliberate and deceitful, not simply accidental or bugs.

In any case, I’m sure I’ve posted more than enough on the topic to make people aware. Since you don’t appreciate my contribution and it’s your board, I’ll retire from the discussion. Be assured I’ll be much less likely to say anything about anything in the future.

-IGU-

I have to wonder whether you happen to be short Zoom

Why does that matter? What he shared is public information. We can decide for ourselves. Hearing only the pros and not the cons, never leads to healthy decision-making.

🆁🅶🅱
For not in my bow do I trust, nor can my sword save me.

IGU wrote:These are not simple “oopsie” bugs, they are deliberate actions taken to make things easier for them.
and
If you care to read it you’ll see that they make it very clear that Zoom’s actions are deliberate and deceitful, not simply accidental or bugs.

It appears to be a repeating story for Zoom that they do not treat security and privacy as a primary concern in their product development. Whether they are deliberately deceitful in their implementation of lax security practices I do not have the technical expertise to judge, but when reacting to the July 2019 Mac security incidents they apparently quickly recognized the groundswell of outrage and responded:
“Initially, we did not see the Web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,” Zoom’s Jonathan Farley wrote. “But in hearing the outcry from our users in the past 24 hours, we have decided to make the updates to our service.”

Considering the mountains of goodwill they’ve earned in recent weeks I agree they are in a prime position to grow exponentially. I sincerely hope they react with decisive action and quickly address the concerns being raised now and prioritize security and privacy going forward.

Here’s another article that spells out the current security concerns regarding Zoom in a (mostly) non-technical manner: https://arstechnica.com/tech-policy/2020/03/zooms-privacy-pr…

I will post in this thread as well since it is a hot topic today:

I am not a techie, but I just Googled “Zoom End-to-End Encryption” and received the following:

Enabling End-to-end encrypted chat
Sign in to the Zoom web portal.
Click Account Management > IM Management.
Click the IM Settings tab at the top of the page.
Navigate to the Enable end-to-end chat encryption option and verify that the setting is enabled. If the setting is disabled, click the toggle to enable it.

End-To-End Encryption for Chat – Zoom Help Center

Is this or is this not the right stuff? If you Google other competitors, some appear to have it and some require that the user enable it.

I would welcome an explanation from somebody with a background in this topic,

Harley

I had commented that attacking Zoom over integrity of leadership seemed so bizarre because they were renowned for integrity of their leadership, and especially that of they CEO. Here are the Gardner’s separate comments on the subject.
Saul

David Gardner’s comments about integrity of leadership at Zoom

Why We Trust Leadership
Eric Yuan dreamed up the idea for Zoom as a freshman in college in China, when he was frustrated by the 10-hour train rides he would take each week to visit his then-girlfriend (and current wife). It’s a vision that percolated for well over a decade before he founded the company in 2011, and it has continued to evolve since the launch of the platform.

The technology is great, and it has helped win Zoom customers from older and larger competitors. But what has really built the company is a focus on customer service and satisfaction. In the early days, Yuan would personally correspond with every person who decided to cancel service.

When asked to name five things he wished he’d been told before launching his own company, Yuan’s responses included the following three points:

• Your company’s culture is the No. 1 most important thing to get right. Everything else flows from there.
• If your employees are not happy, nothing else at your company will go well.
• Find the investors who want to invest in you, not only in your business.

That commitment to service and satisfaction is backed by his 11% stake in the company.

Tom Gardner’s comments about integrity of leadership

Zoom’s success also stems in part from the motivational tone Yuan sets. The CEO knows from experience that when workers aren’t happy, it shows up in the way they represent their employer. He saw that toward the end of his tenure at Cisco where he served as an executive after the tech giant acquired his previous company, WebEx.

“Every time I’d talk to a WebEx customer, seriously, I did not see a single happy customer. Every morning I didn’t want to go to the office, because I was embarrassed,” he said. “… What could I do to fix that problem? I created it, right?”

And so he created Zoom, where he encourages all of his workers to find ways to be happy in what they’re doing and to do everything they can to make customers happy in turn. That mentality also shows up in the way Zoom seeks feedback from customers on their experience with the service — especially those who ultimately decide to cancel their accounts.</i

I would welcome an explanation from somebody with a background in this topic

Not a techie but the excerpt seems to refer to encryption settings for chat not video. Would be interesting to elicit a response from IR on the company’s reaction to this uproar / storm in a teacup?

I am sure management has their hands full with dealing with growth, monetization, etc but they will see thatbtheir response to this issue will be equally important for their brand goodwill

At any rate, a 4% drop for a stock that is up over 100% year-to-date, seems to show that the market doesn’t consider this a threat to Zoom’s eventual success.

That’s about the worst possible rationalization I can think of. WorldCom bubbled with rumors and warnings about the telecom bubble for almost two years before the roof fell in. Madoff ran his operation for decades. I was an early investor in @Home, in which I lost a bundle, and AOL in which I made two bundles (selling before the crash) and at many points you could have pointed to either and said “See? The market doesn’t care.”

NOTE: I am NOT saying that Zoom is a scam, that it will crash, or anything else negative about the company, I simply don’t know. I am saying that the market price is a terribly unreliable data point on which to hang an argument about any company. The market favors short term profit over long term health, moral, or any other factor. Other things may come into play over time, but “the market” has no prescience over tomorrow, whether the public will be concerned about privacy, regulators will step in, or anything else.

Zoom seems poised for big things. With big things comes big scrutiny. Facebook has seen how that works as it has grown from baby steps to behemoth. Don’t discount the bad news on the basis of “price”, discount it if you know or intuit something the rest of the world doesn’t know.

End-to-end (E2E) encryption in security industry speak means that no one can read/see/listen to the conversation between parties. The messaging app Signal (and even WhatsApp) do this. Ultimately, it’s all about who has the security key to decrypt.

From reading some analysis and even Zoom’s security white paper, they say they have E2E encryption but appears largely in part to be applied to chat within a meeting. They also say they use E2E for meetings, but the analysis I’ve read suggests that it’s only within Zoom’s own cloud and not down to the end user. So the fuss is about whether Zoom can/does have access to listen in on meetings & any content shared within those meetings…well, if they hold the key and can open the session, then the answer is yes. But are they? and do they have the right controls in place to prevent/audit?

To answer that, one should look at SOC2 and other control audits such as HIPAA HITRUST to measure whether a company is operating its security controls as designed and if that design is sufficient. This is now common place with medium to large enterprises when entering into agreements with providers. There is always some amount of 3rd party risk you inherit when you utilize any 3rd party service…these independent reports are typically the best way to know are they doing what they say they are.

My guess, and that’s all it is, they are largely no different from their peers in this regard except for their meteoric rise. Ultimately this whole thing will come down to did they knowingly mislead people saying they used E2E or was it a mistake. As an aside, I did find that Webex for instance offers E2E, but as you might imagine, there are limitations in user features and experience when enabled.

Sources:
https://theintercept.com/2020/03/31/zoom-meeting-encryption/…
https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
https://help.webex.com/en-us/WBX44739/What-Does-End-to-End-E…

To answer that, one should look at SOC2 and other control audits such as HIPAA HITRUST to measure whether a company is operating its security controls as designed and if that design is sufficient.

From Zoom’s website

Zoom for Healthcare

Video conferencing that keeps you connected and compliant

HIPAA/PIPEDA plans start at $$200 per month per account, which comes with 10 hosts.
Please contact sales for signed BAA for HIPAA compliance and to learn about 1, 2 and 3 year pre-paid packages.

https://zoom.us/healthcare

Free Zoom not HIPAA/PIPEDA compliant.

Denny Schlesinger

More press coverage of security issues over here:

https://techcrunch.com/2020/03/31/zoom-at-your-own-risk/

https://www.theverge.com/2020/4/1/21202584/zoom-security-pri…

TJ

https://9to5mac.com/2020/04/01/new-zoom-bugs-takeover-macs-c…

Still serious security problems as of a few hours ago:

'Unfortunately, Zoom has (for reasons unbeknown to me), a specific “exclusion” that allows malicious code to be injected into its process space, where said code can piggy-back off Zoom’s (mic and camera) access! This give malicious code a way to either record Zoom meetings, or worse, access the mic and camera at arbitrary times (without the user access prompt)!’

Zoom didn’t respond to TechCrunch after a request for comment. With the millions of people using Zoom with the current global health crisis, hopefully, we see a fix real fast!

I do know that our public school system in northern Virginia, which was using Zoom, have decided to move away for Zoom, as a result.

Our daughter’s tiny (private) school still uses Zoom. Probably because they don’t have the resources to switch course (no pun intended) to a different technology, I suspect. Anyhow, I don’t see schools as being long term customers. Once the COVID-19 dies down, I see no reason why they would administer classes over the internet.

I do wonder how important it is for companies to have their data really encrypted (and not Zoom’s definition of encryption). I might be wrong but Webex offers this level of security.

tj
(I’m not a techie, so I’m way out my league, here).
I am long ZM.

Schools have to bow to FERPA.

<<FERPA (Family Educational Rights and Privacy Act of 1974) is federal legislation in the United States that protects the privacy of students’ personally identifiable information (PII). The act applies to all educational institutions that receive federal funds.>>

https://searchsecurity.techtarget.com/definition/FERPA

There is significant liability risk, and schools are risk averse. ANY THING that even touches on a FERPA violation is often shut down, without regard to good/bad, right/wrong, etc. For the school, it’s all about avoiding liability.

ralph

Thanks, Ralph. That explains why my daughter’s private can still use Zoom.

tj

In my post somewhere above in this thread I wrote.

I personally see Eric Yuan as one of the most sincere and great CEOs in the tech world.

Privacy issues can be fixed. And eventually everyone has no other option but to abide by them, think GDPR, CCPA.

ZM should do great and these issues will go away.

Glad to see these blog posts from Eric Yuan and ZM, he sure is one CEO I’ll stick with.

This is what he is saying…

"First, some background: our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.

However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.

These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users."

“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively,”

Addressing the current issue:
https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-u…

Addressing end-to-end encryption:
https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-…

Cheers!
ron

long <AYX, DDOG, OKTA, NET, ZM, CRWD, SQ, ROKU>