The US Federal Trade Commission this week gave final approval to a settlement with Zoom Video Communications over allegations it misled consumers about the level of security provided during videoconferencing sessions and compromised the security of some macOS users.
The FTC’s settlement with Zoom dates back to November 2020, when the commission alleged the company had deceived users about security for its meeting platform and unfairly undermined a browser security feature for Apple device users, among other things.
Alleged negligence and deception towards end users
One major allegation brought forth by the FTC is that, since at least 2016, Zoom misled users by claiming it offered ‘end-to-end, 256-bit encryption’ when in fact it provided a lower level of security. The FTC alleges that, in reality, Zoom maintained the cryptographic keys that could allow it to access the content of its customers’ meetings. Zoom also allegedly secured its virtual meetings with a lower level of encryption than promised, at least in part, according to the original complaint.
Other allegations include:
- Zoom misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming those meetings were encrypted immediately after they ended
- The company compromised the security of some users when it secretly installed a ‘ZoomOpener’ component as part of a manual update for its Mac desktop application in July 2018; Zoom did not implement any offsetting measures to protect users’ security, and increased users’ risk of remote video surveillance by strangers, the FTC claimed
- Zoom’s release notes for the July 2018 update were allegedly deceptive because they did not adequately disclose that the app update would install the ZoomOpener web server on users’ computers, that it would circumvent a Safari browser safeguard, or that it would remain on users’ computers even after they deleted the Zoom app
Prohibited from making false claims about security & privacy
Zoom has agreed to establish and implement a comprehensive security program, to implement a prohibition on privacy and security misrepresentations, and to other detailed and specific relief to protect its user base, according to the FTC.
In addition to requiring Zoom to carry out a comprehensive security program, this week’s final order prompts the company to review any software updates for security flaws prior to release and ensure the updates will not hamper third-party security features.
The videoconferencing giant must also obtain biennial assessments of its security program by an independent third party and notify the commission of any data breach.
290 million new users in four months
Due to the COVID-19 pandemic, Zoom’s install base has ballooned from 10 million in December 2019 to 300 million in April 2020.
“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said in November.
“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” Smith said.
Additional relief over rogue employee allegations
After receiving 12 comments on the proposed settlement, the commission voted 3-2 in January to finalize the settlement and to send responses to the commenters. Commissioner Christine S. Wilson, in particular, mentions a recent development which, in Wilson’s opinion, requires additional relief for affected parties.
“My dissenting colleagues note that the recent revelations regarding a rogue Zoom employee in China, who accessed accounts and meetings of U.S.-based consumers, underscore the need for additional relief in this matter,” Wilson wrote.
“I have stated in testimony and speeches my view that privacy and data security are two sides of the same coin, and have urged Congress to pass both comprehensive privacy and data security legislation … I believe that such relief also is appropriate in de novo cases and am willing to support orders that integrate privacy and data security provisions in future matters,” the commissioner added.