Earlier this week, the Federal Trade Commission (FTC) announced a settlement with Zoom that will require the company to enhance its data security practices to address allegations that the videoconferencing provider engaged in a series of deceptive and unfair practices that duped users into a false sense of security. Zoom, which has become a household name this year – with the FTC reporting a surge in users from 10 million in December 2019 to 300 million in April 2020 during the pandemic – has agreed to implement a comprehensive information security program and to stop making misrepresentations about its privacy and data security practices.
In its complaint, the FTC asserts that, since at least 2016, Zoom misled users by advertising “end-to-end, 256-bit encryption,” which, in theory, would secure communications so that only the sender and recipient(s), and no other person, not even the platform provider, can access the content. In reality, Zoom’s practices fell far short: the platform maintained cryptographic keys that could access user content, stored unencrypted recordings for up to 60 days, and offered a lower level of encryption than promised. Subpar security controls also allowed for unwanted intrusions, or “Zoombombing.” The complaint further alleges that Zoom engaged in deceptive and misleading practices with regard to secretly installed software, called the ZoomOpener web server, which allowed the program to bypass computer security safeguards and would remain on users’ computers even after the Zoom app had been deleted. The Commission found that such deployment of the ZoomOpener, without adequate notice or user consent, was unfair and violated the FTC Act.
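The distinction the complaint turns on is who holds the keys. The following added example (not code from the FTC, Zoom, or this article) contrasts the two models in Python: a “transport” model in which the provider terminates encryption and can therefore read and retain content, and an end-to-end model in which the content key exists only at the endpoints and the relay sees ciphertext it cannot open. The cipher is a toy authenticated stream cipher built from the standard library (HMAC-SHA256 keystream, encrypt-then-MAC) standing in for AES-256-GCM so the script runs offline; the key-handling model, not the cipher, is the point, and the endpoint key agreement is assumed to have happened out of band.

```python
"""Transport encryption vs. end-to-end encryption: who can read the content?

Added illustration, not the FTC's or Zoom's code.  Toy AEAD from the standard
library (HMAC-SHA256 keystream + HMAC tag) stands in for AES-256-GCM.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keystream and MAC keys derived from one 32-byte secret.
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the key is wrong or the blob was tampered with."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


@dataclass
class Provider:
    """The relay.  `known_keys` is whatever key material the provider holds;
    `readable` records what it could recover from each blob it handled."""
    known_keys: List[bytes] = field(default_factory=list)
    readable: List[Optional[bytes]] = field(default_factory=list)

    def relay(self, blob: bytes) -> bytes:
        # Try every key the provider holds; with true E2EE none of them fits.
        recovered = next((p for k in self.known_keys
                          if (p := decrypt(k, blob)) is not None), None)
        self.readable.append(recovered)   # a plaintext here is a retainable "recording"
        return blob


def run_transport_model(message: bytes) -> Tuple[Optional[bytes], List[Optional[bytes]]]:
    """Client-to-server keys (think TLS): the provider holds them and re-encrypts per hop."""
    provider = Provider()
    k_sender, k_recipient = secrets.token_bytes(32), secrets.token_bytes(32)
    provider.known_keys += [k_sender, k_recipient]
    hop1 = provider.relay(encrypt(k_sender, message))
    plaintext_at_provider = decrypt(k_sender, hop1)          # provider terminates hop 1
    hop2 = encrypt(k_recipient, plaintext_at_provider or b"")  # and starts hop 2
    return decrypt(k_recipient, hop2), provider.readable


def run_e2e_model(message: bytes) -> Tuple[Optional[bytes], List[Optional[bytes]]]:
    """Content key agreed only between the endpoints (assumed out-of-band exchange)."""
    provider = Provider()
    k_transport = secrets.token_bytes(32)       # provider may still hold transport keys
    provider.known_keys.append(k_transport)
    k_content = secrets.token_bytes(32)         # never given to the provider
    blob = provider.relay(encrypt(k_content, message))
    return decrypt(k_content, blob), provider.readable


if __name__ == "__main__":
    sample = b"constructed sample: one meeting audio frame"   # constructed input
    print("transport model, provider saw:", run_transport_model(sample)[1])
    print("e2e model, provider saw:     ", run_e2e_model(sample)[1])
```

Run as a script, the transport model prints the plaintext the provider recovered, while the end-to-end model prints `[None]`: the recipient still reads the message, but the relay has nothing it could store for 60 days or hand to anyone else. A provider claiming “end-to-end” while its `known_keys` can open the content is in the transport model whatever the marketing says.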
Under the settlement agreement, Zoom is required to annually assess and document any potential security risks and develop ways to protect against these vulnerabilities; to refrain from making misrepresentations about how it collects and uses personal information or the level of security offered to users; and to obtain biennial assessments of its security program by an independent third party for the next 20 years.
The Commission voted 3-2 on the proposed consent agreement with Zoom, with the two dissenters arguing that the agreement amounted to nothing more than a slap on the wrist for the telecommunications tycoon, whereas the security failures warranted serious action. They also noted that the proposed settlement agreement provided no remedy for affected users and no other meaningful accountability.
The FTC will soon publish a description of the consent agreement in the Federal Register, subject to public comment for 30 days. The FTC will then decide whether to make the proposed consent order final. Each violation of such an order may result in a civil penalty of upwards of $40,000.