Zoom settles charges with FTC over deceptive security practices

Zoom reached a deal with the Federal Trade Commission to settle allegations it misrepresented its security and privacy protections for users, the FTC announced Monday.

In its complaint, the FTC alleged that Zoom “engaged in a series of deceptive and unfair practices that undermined the security of its users.” Chief among them: Zoom told users it offered end-to-end encryption, which is meant to keep the content of a call readable only by the participants and not by the service provider or any other eavesdropper, when it actually did not. According to the complaint, Zoom held the cryptographic keys that could allow it to access the content of its customers’ meetings, and secured meetings, in part, with a lower level of encryption than it advertised.

The FTC also alleged that Zoom told users it would store recordings of meetings in encrypted form, when in fact some recordings sat unencrypted on Zoom’s servers for up to 60 days before being moved to encrypted cloud storage.

The FTC further alleged that Zoom compromised users’ security in July 2018 when, as part of an update to its Mac desktop application, it secretly installed ZoomOpener, a local web server meant to let users join meetings with a single click. ZoomOpener achieved that by bypassing a safeguard in Apple’s Safari browser that warned users before launching an application, a protection against a common type of malware, and it remained on users’ computers even after they uninstalled the Zoom app. The FTC alleges that deploying ZoomOpener without adequate notice or user consent was an unfair practice that violated the FTC Act.

“Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information,” the FTC said in a press release. “In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services.”

Under the settlement, Zoom must implement a “robust information security program” and is barred from misrepresenting its privacy and security practices, including the security features it offers and how it maintains or discloses personal information. The order also requires a vulnerability management program, a biennial assessment of the security program by an independent third party, multi-factor authentication to protect against unauthorized access to Zoom’s network, and an annual written assessment of internal and external security risks.

The FTC action is just the latest blow for the San Jose-based video teleconferencing company. Ever since Zoom use skyrocketed amid the coronavirus pandemic, the company has faced criticism for a series of security and privacy missteps that, the FTC has said, put users’ security at risk. Just since March, Zoom has been hit with a class-action lawsuit over its alleged disclosure of users’ data, has been accused of leaving users vulnerable to hackers trying to access their webcams, and has faced repeated criticism over its planned rollout of end-to-end encryption. Zoom’s CEO has previously apologized publicly for the company’s security issues and vowed to do better.

Zoom said in a statement it had already made several changes to the security practices detailed in the settlement announced Monday.

“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC,” a company spokesperson said in a statement. “Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”

An FTC attorney on the settlement, Linda Holleran Copp, told reporters on a call Monday that “as a general matter, Zoom cooperated with our investigation.”

There will be significant civil penalties if Zoom violates the terms of the order, according to FTC lawyers.

Update, 11/9/2020: This story has been updated to include comment from Zoom and with additional details from the FTC.