US FTC reaches settlement with Zoom over poor security practices
The US Federal Trade Commission (FTC) has announced a settlement with video conferencing platform Zoom over allegations that Zoom misled users by touting “end-to-end, 256-bit encryption” for its communications while actually providing a lower level of security.
The FTC alleged that the company deceived users about the level of security of its Zoom Meetings platform and unfairly undermined a browser security feature.
Under the settlement, Zoom must implement a comprehensive information security programme, resolving allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.
“During the pandemic, practically everyone — families, schools, social groups, businesses — is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.
“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” he said in a statement late on Monday.
Zoom’s user base skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the Covid-19 pandemic.
In reality, the FTC alleged, Zoom itself held the cryptographic keys that could allow it to access the content of its customers’ meetings, which rules out end-to-end encryption in the accepted sense of the term (only the participants hold the keys), and secured its Zoom Meetings, in part, with a lower level of encryption than promised.
Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information.
In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services.
According to the FTC’s complaint, Zoom also misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended.
Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.
The FTC also alleged that the company compromised the security of some users when it secretly installed a local web server, called ZoomOpener, as part of a manual update for its Mac desktop application in July 2018.
The ZoomOpener web server allowed Zoom to automatically launch the app and join a user to a meeting, bypassing an Apple Safari safeguard that protected users from a common type of malware.
Without the ZoomOpener web server, Safari would have shown users a warning box before launching the Zoom app, asking whether they wanted to launch it.
The complaint alleged that Zoom did not implement any offsetting measures to protect users’ security, and that the bypass increased users’ risk of remote video surveillance by strangers.
“The software remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app — without any user action — in certain circumstances,” the FTC said.
Apple removed the ZoomOpener web server from users’ computers through an automatic update in July 2019.
A Zoom spokesperson told The Verge that the security of its users is a top priority.
“Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience,” the spokesperson said in a statement.