ARTICLES, SECURITY

Move fast & break things (including privacy)

The following is a journal article that I wrote for UGBA 107: The Social, Political, and Ethical Environment of Business. The opinions below were written in an academic context and may or may not reflect my actual opinions on the subject matter.

In the midst of the COVID-19 pandemic, a small technology firm has seen an explosion in users: Zoom Video Communications. Zoom’s exponential growth combined with an expansion into consumer and education markets has resulted in the discovery of a wide variety of security vulnerabilities. Zoom’s historic rise and subsequent security implosion highlights the importance of building security & privacy into products from day zero; sacrificing these principles in favor of rapid growth is unethical and a clear violation of corporate-social responsibility.

Zoom’s vulnerabilities are the result of a wide range of software development malpractices. From storing recordings in unprotected cloud storage systems to enabling anyone to infiltrate unprotected private meetings through “Zoombombing,” Zoom’s blatant disregard of user privacy is the pinnacle of the “Move Fast and Break Things” mentality pioneered by Facebook (source). This approach – which prioritizes user growth over product stability and security –may result in a quicker launch strategy, but circumvents any preemptive analysis of the broad effects that technology products can have. As a result, both large corporations and startups launch products to the public that could potentially have significant security vulnerabilities and privacy flaws in a profit-driven quest for rapid growth.

The response from Zoom’s CEO further contributes to the nonchalant conduct of tech regarding privacy: “If not for this crisis, I think we would have never thought about this.” It shouldn’t take a global pandemic to realize the need for building in strong privacy-compliant software, and neither should it take 200 million users; privacy is something that all tech executives and employees should maintain as a fundamental principle of Corporate Social Responsibility. To support this, all corporations should mandate that employees pass a federal privacy & security certification before being allowed to work in any capacity as a software developer.