The United States’ consumer watchdog, the Federal Trade Commission (FTC), has finalised a settlement with Zoom Video Communications over allegations it misled consumers about the level of security in Zoom meetings and compromised the security of some Mac users.
The FTC’s final order, issued on Monday, requires the video conferencing company to implement a comprehensive security programme, review any software updates for security flaws before release and ensure the updates will not hamper third-party security features.
The company must also obtain biennial assessments of its security programme by an independent third party, which the FTC has authority to approve, and notify the commission if it experiences a data breach.
In the proposed settlement announced in November, the FTC alleged Zoom had been claiming to offer end-to-end encryption on its video conferencing service when it did not. In reality, “Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings,” the FTC said.
The commission also alleged some recordings sat unencrypted in Zoom’s servers for up to 60 days before being secured in the company’s cloud storage: they were not instantly end-to-end encrypted as the company claimed.
The FTC also said Zoom placed Mac users at risk of remote video surveillance by strangers by secretly installing its ZoomOpener software on Mac desktops, bypassing an Apple Safari browser safeguard which protected users from a common type of malware.
Apple has since removed the ZoomOpener web server from Mac desktops through an automatic software update.
At the time of the proposed settlement, a Zoom spokeswoman was quoted as saying that the company had “already addressed the issues identified by the FTC.”