FTC settles with Zoom over ‘deceptive and unfair’ security practices

10 Nov 2020

Image: © ink drop/Stock.adobe.com

The FTC in the US alleged that Zoom had deceived customers by claiming its platform was end-to-end encrypted.

Zoom has agreed to overhaul its security practices after settling with the US Federal Trade Commission (FTC) over allegations that the company had lied about its video-conferencing platform being end-to-end encrypted (E2EE).

A release issued by the FTC said the allegations brought against Zoom were related to “a series of deceptive and unfair practices that undermined the security of its users”. The FTC in its filing pointed to claims made by Zoom dating back to 2016 that the platform then offered “end-to-end, 256-bit encryption”, despite actually offering a less secure type of encryption.

Reports earlier this year revealed that Zoom did not facilitate E2EE, despite previously stating that it did. At the time, the company said the issue was a matter of defining what E2EE actually means. However, Zoom recently announced that E2EE would be coming to all users.

Claims made by FTC

The FTC said that Zoom previously maintained the cryptographic keys that could allow it to access the content of its customers’ meetings and supposedly secure Zoom meetings.

Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information.

“During the pandemic, practically everyone – families, schools, social groups, businesses – is using video conferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.

“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

The FTC also alleged that Zoom compromised the security of some users when it secretly installed software, called a ZoomOpener web server, as part of a manual update for its Mac desktop application in July 2018.

Furthermore, the US agency alleged Zoom misled users into thinking stored recordings of meetings were encrypted immediately after they ended. Instead, it said that some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.

‘No help for affected users’

Among the terms of the proposed settlement, Zoom must obtain biennial assessments of its security programme by an independent third party, which the FTC has authority to approve, and notify the commission if Zoom experiences a data breach.

In a statement, Zoom said that security of its users was a “top priority” and that the company had already addressed the issues identified by the FTC.

Rohit Chopra, one of the FTC commissioners to disagree with the settlement, said it followed a “unfortunate FTC formula”.

“The settlement provides no help for affected users,” he said. “It does nothing for small businesses that relied on Zoom’s data protection claims. And it does not require Zoom to pay a dime. The commission must change course.”

It comes as a leaked memo from the Council of the European Union has reignited concerns from privacy activists that the EU may move towards banning E2EE or introducing a backdoor.

Colm Gorey was a senior journalist with Silicon Republic