FTC orders Zoom to enhance security practices

Zoom Video Communications, the maker of the popular Zoom video conferencing solution, has agreed to settle allegations made by the US Federal Trade Commission (FTC) that it “engaged in a series of deceptive and unfair practices that undermined the security of its users.”

The settlement requires Zoom to – among other things – establish and implement a comprehensive security program and to not engage in further privacy and security misrepresentations.

The conditions put forth by the settlement

The FTC complaint said that:

• Since at least 2016, the company misled users by touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security, i.e., it encrypted communications but stored the encryption keys on its servers
• The company misled users by saying that recorded meetings that were stored on the company’s cloud storage were encrypted immediately after the meeting ended, which was untrue in some cases
• In July 2018, the company compromised the security of some users when it secretly installed a hidden web server on Macs that helped with frictionless installation of the Zoom application

The settlement does not oblige Zoom to admit fault or pay a fine, but obligates it to:

• Refrain from misrepresenting privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information
• Implement a comprehensive information security program and obtain biennial assessments of its security program by an independent third party and notify the FTC if it experiences a data breach
• Implement a vulnerability management program
• Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks
• Deploy safeguards such as MFA to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials
• Review any software updates for security flaws and ensure the updates will not hamper third-party security features

Two of the FTC commissioners disagreed with the settlement

FTC commissioner Rohit Chopra pointed out that it provides no help for affected users, does nothing for small businesses that relied on Zoom’s data protection claims, and does not require Zoom to pay a fine. Also, that Zoom’s misrepresentation of its security practices allowed it to steal users from competing players in the video conferencing market, and to “cash in” on the pandemic.

“Zoom stands ready to emerge as a tech titan. But we should all be questioning whether Zoom and other tech titans expanded their empires through deception,” he added.

FTC Commissioner Rebecca Kelly Slaughter also stressed that many Zoom customers were left stranded.

“Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false. This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case,” she said.

She also noted that Zoom should have been ordered regularly “engage in a review of the risks to consumer privacy presented by its products and services, to implement procedures to routinely review such risks, and to build in privacy-risk mitigation before implementing any new or modified product, service, or practice. ”

It remains to be seen if Zoom will fulfill and continue to fulfill the conditions of the settlement. Each violation of an FTC order may result in a civil penalty of up to $43,280, which is a negligible sum for a company that’s worth $35 billions.

UPDATE (November 10, 2020, 4:10 a.m. PT):

“The security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs,” a Zoom spokesperson told Help Net Security.

“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”