Abstract
In spring 2020, not only did the teleconferencing platform Zoom experience an onslaught of new users who were now social distancing due to the COVID-19 crisis, but it also faced its own crisis due to the privacy of its product. For those working in technical and professional communication, the Zoom example illustrates not only a way to communicate in an emergency but also a way that privacy can cause a crisis in the first place. Drawing from literature on crisis communication and the experiences users described in the Zoom CEO’s blog post, the author concludes that while Zoom did indeed have technical issues that contributed to its privacy crisis, users also experienced its technology in unexpected ways, and the company underestimated the privacy expectations of its new users. Zoom’s privacy crisis ultimately provides a useful discussion of why it is increasingly important for companies to incorporate privacy by design and to be frank about their privacy practices with a public who has a growing interest in, and dissatisfaction with, corporate privacy practices.
In early April 2020, students in the Netherlands were remotely meeting with their class on the videoconferencing software Zoom, taking social distancing measures due to COVID-19, when they were unexpectedly subjected to “pornographic and racist images” (Mühlberg, 2020). This practice of hijacking a videoconference to insert offensive content has become so global, from children’s storytelling to church services, that it has been dubbed “Zoombombing” (Read, 2020). This was not Zoom’s only privacy issue though, and Zoom faced other criticisms for their software, such as those concerning encryption and data-gathering issues (Wagenseil, 2020). In response to criticism of Zoom’s technology, Zoom and its CEO, Eric S. Yuan, utilized an important platform for CEO communication, the corporate blog (Ngai & Singh, 2014), releasing a series of messages to address the company’s privacy and security controls. But what appears to drive Zoom’s privacy crisis was not always a failure of technology. The crisis was also driven by a failure of user assessment. By providing a content summary of Zoom’s “A Message to Our Users,” published on its blog on April 1 (Yuan, 2020), I demonstrate that while Zoom does indeed have technical issues that contribute to its privacy crisis, another important catalyst of Zoom’s crisis was its failure to understand customer expectations. This article, then, provides a useful contribution to discussions of the privacy crisis, a crisis that can only increase as more activities are carried out online in a post-COVID-19 environment.
The Privacy Crisis and User Experience
Zoom’s issues fall under a larger genre of crisis—the privacy crisis. For an organization, a crisis is an incident or event that represents “a threat to the organization’s reputation and viability” (Pearson & Mitroff, 1993, p. 49) and can range from something grave to a matter of maligned public perception (Choi & Chung, 2013). And according to Rule (2012), privacy has been defined in terms of values and claims to personal autonomy or the desire for protection from disclosure. Put together, the privacy crisis, then, involves, at minimum, a threat that revolves around both the values and the legalities of controlling individuals’ visibilities or information. A privacy crisis can be caused by a variety of things, such as when cell phone numbers and addresses are leaked during a natural disaster (Wu et al., 2011), personal information is leaked during corporate data breaches (Veltsos, 2012), or, in the case of Zoombombing, a technology fails to live up to privacy expectations by allowing internet trolls to bombard toddlers with pornography and racism during story hour.
Privacy lapses can affect user experience because privacy is one aspect that users assume will be part of technologies. A satisfying user experience, then, can depend on whether users believe their privacy is protected. While what is a “reasonable” expectation of privacy has been debated (McArthur, 2001), users tend to expect at least some measure of privacy when they are online (Yao et al., 2007). Developers are thus encouraged to think about what users expect from products and either meet those expectations or transparently communicate potential concerns (Senarath & Arachchilage, 2018).
“A Message to Our Users”
Zoom illustrates what appears to be a privacy crisis due to its inability to determine user expectations. The disconnect between user privacy expectations and what Zoom delivered is best seen through a content summary of Yuan’s April 1, 2020, “A Message to Our Users,” in which he addressed at least 17 privacy matters the company was dealing with (Yuan, 2020). I will briefly summarize the three basic sections of this message. In the first, untitled section, Yuan explained how he and Zoom appreciated being able to facilitate connectivity during the current health crisis; acknowledged that users grew from 10 to approximately 200 million, with the target audience no longer enterprises but instead a whole range of private users; commented that Zoom “did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home”; admitted shortcomings by saying that “we recognize that we have fallen short of the community’s—and our own—privacy and security expectations”; and apologized for the past and foreshadowed a response plan for the future.
In the second section of the blog, “What We’ve Done,” Yuan outlined Zoom’s response to the privacy crisis by naming current privacy issues (like Zoombombing); listing specific dates when the company had already addressed privacy concerns; focusing on updated privacy policies and controls for education users; and explaining more technical issues that involved the collection of data.
Finally, in the third section, “What We’re Going to Do,” Yuan outlined outstanding privacy and security issues; unveiled a 90-day plan stressing transparency and collaboration; and concluded with this call to Zoom users: “Together, let’s build something that can truly make the world a better place!”
A main takeaway from this message emerges in the first, untitled section, consisting of seven paragraphs in which Yuan detailed how Zoom failed to understand its users. In doing so, Yuan implied that if Zoom had understood the potential uses of its product or imagined how the company would grow, it could have preemptively addressed many privacy concerns before they affected a mass number of individuals.
This failure to preemptively address privacy concerns is especially illustrated by the case of Zoombombing. Privacy controls such as passwords and waiting rooms as well as screen-sharing controls existed in the software, but they were not set by default. Instead, Zoom focused on appealing to users’ desire to easily join a conference rather than on the privacy controls that would make it harder for them to join (Peters, 2020). The company seemed to assume that Zoom users wanted convenience over privacy, but the backlash against Zoombombing proved otherwise. Users wanted privacy, and some rejected Zoom because of its perceived vulnerabilities. Looking at unintended uses, then, should be a basic function of user experience (UX) research, as Lauer and Brumberger (2016) explained:
Ideally, UX also strives to accommodate how users appropriate information products and content in unanticipated ways and for their own purposes as well as how those products position users to act in the world by the way they are designed and the options they allow for. (p. 248)
While privacy satisfaction is not as commonly discussed as other measures that aid in better user experience, such as a low error rate, it is increasingly important to consider. If there is a mismatch between technological function and technological expectations, like there was with Zoom, users might have a negative experience and turn away from the product in general. As Zoom found out when their product was shunned by a variety of audiences (Hellard, 2020), expectations for a more autonomous control of information are rising higher on the list of what users might consider fundamental technological needs.
Conclusions for Post-COVID-Privacy Crises
Overall, while brief, this discussion of Zoom’s privacy crisis provides a good entry point into the conversation on contemporary privacy crises and the importance of considering user expectations. In the future, this discussion can help make the “privacy-as-crisis” more visible, which is especially critical in a post-COVID-19 world where people’s everyday activities are increasingly occurring online. Further, the creeping digital surveillance of medical information and the many other ways of digitally staying connected while socially distancing make it more and more important to think about both privacy by design (Langheinrich, 2001) and the privacy ideologies that technological affordances grow out of in this ever-more online and surveillance-aware world.
Footnotes
Declaration of Conflicting Interests
The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Sklodowska Curie grant agreement No 707404.
