Popular video conferencing software Zoom got caught installing an insecure web server on Mac users’ computers that let any website remotely execute software on the users’ Macs. This web server was designed to intentionally circumvent web browsers’ security sandbox for what Zoom product managers presumably thought would be an increase in meeting start-rate conversion.

If this wasn’t bad enough, this insecure web server - a backdoor into users’ computers - kept running both when users exited Zoom and when they uninstalled Zoom’s software.

Your software is a guest

There’s a lesson here for product managers and software engineers. Your software is a guest running on a real human being’s computer. It should behave like a guest.

If a user says they don't want your software running anymore, it should stop running. This means when a user exits your app, it should stop running - all of it, unless you’ve clearly asked for their permission to have something keep running.

If the user uninstalls your app, all of your code should be removed from their computer. Even your backdoor web server.

Don’t be a creepy house guest

In Zoom’s case, the user said “I don’t want Zoom’s software running on my computer” TWICE: when they exited the software and again when they explicitly uninstalled it. Both times Zoom ignored the user’s instructions and left a backdoor running without their permission.

This is like being invited to a house party, installing video cameras in the host’s bathroom and leaving them there when the host kicks you out for being a creep.

Software that doesn’t do what the user intends, installs a backdoor and doesn’t leave when asked is a virus.

While we all want viral growth, writing a virus isn’t the way to get it.