Transparent Security Policies Can Bolster Trust
Print Issue: September 2020
When the world moved indoors and online in early 2020 as the coronavirus spread, one common theme emerged: everyone seemed to be hanging out on Zoom.
Zoom meetings, long a staple for many organizations using the enterprise version of the video conferencing product, became the venue for virtual education, happy hours, birthday parties, game nights, family dinners, and first dates.
Usage of the product “ballooned overnight,” from approximately 10 million daily participants in December 2019 to more than 200 million daily meeting participants in March 2020, according to Zoom.
But with that rise in usage also came skepticism that Zoom’s platform was as secure as the company had originally claimed. Initially, the company suggested that Zoom meetings were end-to-end encrypted, but privacy advocates and researchers later said that was inaccurate and criticized Zoom for providing users with a false sense of security.
“As long as you make sure everyone in a Zoom meeting connects using ‘computer audio’ instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app,” according to The Intercept. “But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood.”
Instead, Zoom was offering transport encryption—the same type of encryption used for HTTPS websites, meaning some Zoom meeting data was not private from Zoom itself.
After The Intercept’s story broke on 31 March, criticism poured in across the Internet from teachers who were discouraged from working with the product to U.S. federal government agencies that halted use of the product.
In response, Zoom—which did not return a request for comment on this article—issued a blog post acknowledging that it had “fallen short of the community’s—and our own—privacy and security expectations” and was taking steps to address them.
“These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform,” Zoom CEO Eric S. Yuan wrote. “Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting—about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users.”
The next steps Yuan outlined included offering additional training and tutorials for users, addressing problems to reduce Zoombombing (when uninvited parties break into and disrupt sessions), conducting a review of third-party experts and representative users, preparing a transparency report, launching a CISO council, enhancing its bug bounty program, and conducting white box penetration tests.
In June, Zoom announced that it would make end-to-end encryption an advanced add-on feature for all its users—not just paid subscribers as previously planned.
“Zoom’s decision to offer end-to-end encryption more widely is especially important because the people who cannot afford enterprise subscriptions are often the ones who need strong security and privacy protections the most,” said the Electronic Frontier Foundation (EFF) in a blog post on the decision. “For example, many activists rely on Zoom as an organizing tool, including the Black-led movement against police violence.”
The decisions made by Zoom reflect a broader trend when it comes to the relationship institutions have with the public: the need to balance competence with ethical behavior. The finding comes from the 2020 Edelman Trust Barometer report, published in January 2020 as the latest installment in the firm’s annual evaluation of consumer trust.
The report found that less than half of the overall surveyed population trusted institutions to do what was right, and that most people said institutions only served the interests of the few—not everyone equally or fairly.
“The informed public—wealthier, more educated, and frequent consumers of news—remain far more trusting of every institution than the mass population,” according to the report. “In a majority of markets, less than half of the mass population trust their institutions to do what is right.”
Edelman also found that a growing percentage of customers are “belief-driven buyers,” or those who believe brands are agents for change—and by spending money with that brand, the individual is making a decision to approve what that brand stands for.
“Trust is undeniably linked to doing what is right,” according to Edelman. “After tracking 40 global companies over the past year through our Edelman Trust Management framework, we’ve learned that ethical drivers such as integrity, dependability, and purpose drive 76 percent of the trust capital of business, while competence accounts for only 24 percent.”
When it comes to cybersecurity and protecting consumers’ data, there is a “tenuous balance between trust, security, and privacy,” says Linda Walsh, managing director at Deloitte & Touche LLP and cyber risk services data solution leader for Deloitte Risk & Financial Advisory.
“At a granular level, we’re seeing more businesses try to understand that intersection between privacy and identity,” Walsh explains. “What I mean by that is we’ve had that regulatory landscape around [the California Consumer Privacy Act] and [the General Data Protection Regulation] that has a lot of rules and regulations around data. Some companies were a little on their heels for that, and they looked at it as just a regulation. Other companies have embraced it and understand that privacy and trust issues can be a brand differentiator.”
Some of the most prominent examples of this are technology companies, which Walsh notes have been successful at saying privacy is a pillar component of their business and explaining why they can be trusted by consumers.
“I think what we’re going to see as time goes on is people understanding that privacy and trust go hand in hand,” she adds.
This shift is due—in part—to increased awareness among consumers about how their unique data is often the most valuable asset organizations have. Consumers are increasingly looking for more control over their data, and for organizations to be transparent with them about the data they are collecting and using.
Organizations are also realizing that trust must be earned—it cannot be taken as a given—and they need to continuously treat protecting consumers’ privacy as an active component of the overall business.
“You’re an active participant, not a passive participant,” Walsh adds. “This means demonstrating that you’re managing their data—where it goes, how it’s used, and that consumer requests for data are fulfilled—that builds a basis of trust.”
Roey Eliyahu, CEO and cofounder of Salt Security, a firm that specializes in protecting assets from application programming interface (API) attacks, agrees and adds that organizations must be transparent about the security policies and procedures they have in place to protect customer data.
“To create a great trusted brand from a security and privacy perspective, you have to be transparent,” he says. “If you’re not and there’s an issue, consumers will not trust you to fix it.”
One business that’s done a good job of this, Eliyahu says, is Apple, which has been vocal over the past few years about steps it’s taking to ensure customer data remains private—even from the U.S. government.
In 2016, the FBI initiated a legal battle against Apple to require the manufacturer to unlock the iPhone that belonged to the gunman responsible for the San Bernardino, California, shootings that left 14 people dead.
Apple refused to create a method to provide the FBI access to the iPhone; CEO Tim Cook issued a statement at the time that said the “implications of the government’s demands are chilling.”
“The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically,” Cook said. “This would make it easier to unlock an iPhone by ‘brute force,’ trying thousands or millions of combinations with the speed of a modern computer.”
The decision was widely viewed as a win for Apple, and it increased trust in the brand and its security and privacy policies. Consumers and customers are increasingly making similar demands from other businesses, Eliyahu says.
For instance, Salt Security has put together a complete security overview document that details all aspects of the firm’s security—who has physical access to its facilities, how customer data is stored, and the measures taken to protect that data.
“When you have it all organized, that’s how they know you’re being strategic about your own security,” Eliyahu says.
That posture reflects Edelman’s findings about what institutions—especially businesses—can do to foster trust with customers. For instance, 73 percent of those surveyed said companies can take actions that both increase profits and improve conditions in the communities where they operate.
CEOs and executives can also speak out on the major issues of the day—such as automation, the ethical use of technology, diversity, and climate change—to show how their organizations are leading change, instead of waiting for regulators to impose it, according to Edelman.
“Business must take the lead on solving the trust paradox because it has the greatest freedom to act,” Edelman explained.