The Federal Trade Commission (FTC) has announced a settlement with Zoom, after the company “misled users by touting that it offered ‘end-to-end, 256-bit encryption’ and remote video surveillance.”
The agreement will require Zoom to implement a “robust information security programme” to settle allegations that it engaged in a “series of deceptive and unfair practices that undermined the security of its users,” the FTC’s said.
The FTC’s complaint stated that since 2016, Zoom had been claiming to offer end-to-end encryption on its video conferencing service when it did not. In reality, “Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings,” the FTC added.
Additionally, the FTC’s complaint addressed Zoom’s misleading of users by falsely claiming that recorded meetings stored in the cloud would be instantly end-to-end encrypted. However, the FTC alleges that some recordings sat unencrypted in Zoom’s servers for up to 60 days before being secured in the company’s cloud storage.
The FTC also said that in 2018, Zoom had put users at risk of remote video surveillance by strangers by secretly installing its software, ZoomOpener on Mac desktops. The FTC says, “The web server allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware.”
The FTC said Zoom did not offer any additional safeguards against video surveillance and said Zoom’s actions were “unfair and violated the FTC Act.”
Apple since removed the ZoomOpener web server from Mac desktops through an automatic software update.
As part of the FTC’s proposed comprehensive information security programme, Zoom has agreed to implement the following measures:
- assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks
- implement a vulnerability management programme
- deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network, institute data deletion controls
- take steps to prevent the use of known compromised user credentials
“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the Bureau of Consumer Protection at the FTC.
“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” he added.
A Zoom spokesperson Colleen Rodriguez said Zoom had “already addressed the issues identified by the FTC,” according to Tech Crunch.