FTC alleged Zoom deceived users about the level of security for Zoom meetings and unfairly undermined a browser security feature
Daily life has changed a lot since the pandemic started. Because face-to-face interactions aren’t possible for so many of us, we’ve turned to videoconference for work meetings, school, catching up with our friends, even seeing the doctor. When we rely on technology in these new ways, we share a lot of sensitive personal information. We may not think about it, but companies know they have an obligation to protect that information.
The Complaint Against Zoom
The complaint against Zoom has two very important parts to it. It involves the level of encryption that was being offered, vs what was being claimed and it also involves software that they loaded on Mac user’s computers, without telling the user, that compromised the user’s security.
The Encryption Part
In its complaint, the FTC alleged that, since at least 2016, Zoom misled users by touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security. End-to-end encryption is a method of securing communications so that only the sender and recipient(s)—and no other person, not even the platform provider—can read the content.
In reality, the FTC alleges, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised. Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information. In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services.
According to the FTC’s complaint, Zoom also misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.
The Mac Software Install Part
The FTC also alleged that the company compromised the security of some users when it secretly installed software, called a ZoomOpener web server, as part of a manual update for its Mac desktop application in July 2018. The ZoomOpener web server allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware. Without the ZoomOpener web server, the Safari browser would have provided users with a warning box, prior to launching the Zoom app, that asked users if they wanted to launch the app.
The complaint alleges that Zoom did not implement any offsetting measures to protect users’ security, and increased users’ risk of remote video surveillance by strangers. The software remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app—without any user action—in certain circumstances. The complaint alleges that Zoom’s deployment of the ZoomOpener, without adequate notice or user consent, was unfair and violated the FTC Act. Apple removed the ZoomOpener web server from users’ computers through an automatic update in July 2019.
The Settlement Of The Complaint
The Federal Trade Commission settlement with Zoom Video Communications, Inc. will require the company to implement a robust information security program to settle allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.
Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.
Andrew Smith, Director of the FTC’s Bureau of Consumer Protection comments about the complaint and settlement with Zoom explains it best.
“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever. Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”