Zoom

Zoom’s Commitment to Security and Privacy

April 20, 2020

In the past several weeks, Zoom has seen unprecedented user growth as a result of the significant impacts of COVID-19. A key metric of this growth was the rapid increase in the amount of daily Zoom meeting participants, from approximately 10 million in December to more than 200 million in March. The large increase in the number of individuals and, particularly, consumers and students (as opposed to Zoom’s historical enterprise clients) has understandably brought heightened levels of public attention and scrutiny. Over the past few weeks, a number of important issues were raised as a result of this public attention — and Zoom could not be more appreciative of the opportunities it has had to address those issues and clarify its policies and commitments to users, both old and new.

In the materials that follow, I discuss some of the issues that were raised and explain how Zoom definitively addressed them with swift and accurate execution. Importantly, a large number of global institutions — ranging from the world's largest financial services companies, to leading telecommunications providers, government agencies, universities and others have done exhaustive security reviews of our user, network and datacenter layers and continue to confidently choose Zoom.

We are proud of the role Zoom is playing to help businesses, schools, and others across the world stay connected and operational during this challenging time, and we are committed to providing users with the tools they need on a safe and secure platform.

I. Items Already Addressed and Resolved

The security of Zoom’s users and their data is of the utmost importance.
We appreciate the assistance we have received in identifying the following issues, all of which we worked to quickly resolve:

“Login with Facebook” Issue

Zoom originally implemented the “Login with Facebook” feature using the Facebook SDK in order to provide users with an easy way to access the Zoom platform. In late March, Motherboard alerted Zoom that the Facebook SDK was unnecessarily collecting user device information. Zoom quickly addressed this issue by permanently removing the Facebook SDK. Importantly, the information collected by the Facebook SDK did not include information related to meetings (e.g., names, notes, attendees, etc.) — it was solely information about devices.

LinkedIn Sales Navigator Issue

The New York Times reported Zoom’s use of LinkedIn Sales Navigator allowed meeting participants to have access to LinkedIn profile data about other users. Zoom took immediate action and permanently removed the LinkedIn Sales Navigator application from its environment after identifying that it was making unnecessary data disclosures by the feature.

Zoom Video Communications, Inc. 55 Almaden Blvd, Suite 600, San Jose, CA 95113 zoom.us | 1.888.799.9666

End-to-End Encryption

The Intercept reported that Zoom is not “end-to-end” encrypted as described in the company’s marketing materials. Please refer to the detailed blog post Zoom published on this topic, which clarifies Zoom’s prior use of the “end-to-end” terminology, and walks through the detailed facts of how exactly Zoom encrypts the content that moves across its network. The goal of Zoom’s encryption design is to maximize privacy while supporting the diverse needs of our client base. In pursuit of that goal, Zoom is working on a variety of enhancements to its existing encryption programs. Keep an eye out for some exciting updates in the coming weeks.

The Citizen Lab Research — Data Routing

Researchers from The Citizen Lab at University of Toronto published a report stating that some Zoom calls made in North America were routed through servers in China, against Zoom’s policy. As Zoom explained in a detailed blog post, this was a temporary issue related to our usual China-related geo-fencing practices, and it has been fixed. Additionally, Zoom has recently announced further changes, pursuant to which paid Zoom customers are now able to customize which data center regions their account can use for its real-time meeting traffic. Please see here for more detail - https://blog.zoom.us/wordpress/2020/04/13/coming-april-18-control-your-zoom-data-routing/.

UNC and Patrick Wardle (MacOS) Vulnerabilities

Zoom addressed these issues quickly and released fixes that resolved the issues within 24 hours. For each of these vulnerabilities, security experts publicly praised Zoom for the gravity and speed of Zoom's response to the issues. None of the vulnerabilities poses a threat any longer.

II. Clarifications Regarding Zoom Policies and Product Features

Zoom was built primarily for enterprise customers, and the influx of consumer and student users has brought heightened scrutiny — and some confusion - around some of Zoom’s policies and enterprise-oriented features. Zoom has been proactively educating new users around these issues, and already implemented a number of feature updates to help new users more easily understand and manage their use of the platform.

Privacy Policy Update

As many new users have come to utilize the Zoom platform over recent weeks, Zoom quickly found the enterprise-geared language contained in Zoom’s privacy policy needed to be revisited to address and elucidate the consumer or student context. Zoom responded by quickly amending the language in the privacy policy to clarify its practices here. Importantly, these changes did not constitute material changes to any of Zoom’s underlying privacy practices.
We made clear the following items remain true as part of our privacy policy:

• We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data.
• Your meetings are yours. We do not monitor them or even store them after your meeting is done unless we are requested to record and store them by the meeting host. We alert participants via both audio and video when they join meetings if the host is recording a meeting, and participants have the option to leave the meeting.
• Zoom collects only the user data that is required to provide you Zoom services. This includes technical and operational support and service improvement. For example, we collect information such as a user's IP address and OS and device details to deliver the best possible Zoom experience to you regardless of how and from where you join.

Recordings Found on the Open Web

The Washington Post reported on instances of Zoom recordings found searchable and viewable on the open web, including recordings containing sensitive content like therapy sessions, nudity, etc. We appreciate the Washington Post's efforts to raise awareness around this issue, which arises when a host (under his or her own volition) elects to save or upload their meeting recording(s) outside of Zoom and make it accessible to the public (e.g., YouTube, Vimeo, an open cloud, etc.).

The ability to record and store meetings is common across Zoom's enterprise conferencing peers. Zoom meetings are only recorded at the election of the host, and participants are always notified and have the choice to opt-out and leave the meeting. If the host does choose to record, Zoom provides two options for storing the recording, either locally on the host’s machine or in the Zoom cloud — both of which are safe and secure methods for storing recordings.
Should hosts choose to save or upload anywhere other than Zoom or their local device, or link to their cloud recording pages publicly, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants’ reasonable expectations.

Zoom has created various materials (e.g., video tutorials, webinars, blog posts, best practices guides) aimed at communicating best practices related to security and privacy settings and is happy to provide such materials to you.

Meeting Disruptions (so-called “Zoombombing”)

It came to the attention of Zoom that unauthorized third parties were joining and disrupting Zoom meetings for inappropriate use (e.g., screensharing of explicit material). We have heard reports of this happening on other platforms as well. Disrupting a meeting in this way is an abhorrent and reprehensible abuse of the Zoom platform by nefarious online actors and is wholly antithetical to Zoom’s mission of delivering happiness to its users. Zoom strongly and unequivocally condemns this behavior and is appalled by its occurrence.

When the Zoom platform was being used by primarily enterprise companies, such abuses simply did not occur. With this new userbase, however, Zoom realized swift and effective changes were necessary. Accordingly, in addition to proactively educating users on how to prevent this from happening (via blog posts, guides, video tutorials and other materials), Zoom also made several updates to help users more easily protect their meetings and decrease the risk of uninvited guests and will be releasing more enhancements in the coming weeks.
For all users, we have made the Zoom Meeting ID less visible to help prevent unintended sharing, and we have added a new Security icon to the Zoom meeting controls for all hosts to help them quickly access in-meeting security features, including the ability to remove participants and lock meetings, among other actions. Zoom also enabled passwords and virtual waiting rooms by default for Free Basic and Single Pro Zoom users.

For education users in particular, Zoom has also reconfigured the default settings for users enrolled in the primary/secondary (K-12) free account program to enable virtual waiting rooms by default (i.e., the teacher has to grant each user access to enter the meeting room), and to ensure that the host-teachers were the only ones able to share content in the virtual classroom (a standard setting historically only available with higher-tiered paid Zoom accounts).

Lastly, Zoom has deployed technical and legal resources to respond to reports of websites, blogs, videos, etc., where meeting links, meeting IDs, and/or passwords were being posted or shared in order to facilitate meeting disruption, including having those websites shut down or having the offensive content removed. Zoom is also actively encouraging users, witnesses and victims to report these incidents to Zoom directly (in addition to law enforcement) so Zoom can remove the offensive users from the platform entirely.

III. Ongoing Efforts and Commitments

In addition to quickly addressing the issues listed above, Zoom has publicly committed to a number of go-forward steps to further strengthen the privacy and security of its customers and their users. My message to Zoom's Users on April 1, 2020 (and updated April 2, 2020) summarized what Zoom has done and what it plans to do to fully reaffirm its deep commitment to security and privacy. Among other actions, we are:

• Engaging a series of simultaneous white box penetration tests to further identify and address issues.
• Enhancing our current bug bounty program.
• Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
• Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
• Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on trust, safety, and privacy.

We are providing regular updates on these efforts through Zoom’s blog, and I encourage you to also attend our weekly Wednesday webinars to track our progress. You can also read more on our dedicated privacy and security page.

Zoom aspires to be a trusted partner in all of the users and communities it serves. We welcome these discussions around privacy and security and the opportunity to help stakeholders better understand the platform and its features. It is in that spirit that we are actively engaging with users, industry partners, press, elected officials and others in ongoing dialogue. We genuinely hope the assurances provided in this letter show the seriousness with which we are approaching these issues related to data security and privacy and welcome your involvement in helping us build something here at Zoom that not only meets your expectations, but exceeds them entirely.

Wishing you and yours good health and safety as we navigate this extraordinary time.

Eric Yuan
CEO & Founder
Zoom Video Communications
