The Federal Trade Commission (FTC) announced Monday that it struck a settlement with Zoom, after accusing the video conferencing company of repeatedly misleading users about the strength of its security, privacy, and encryption practices.
In an announcement, the FTC accused Zoom of “a series of deceptive and unfair practices that undermined the security of its users.” Of particular interest to the FTC were Zoom’s repeated marketing claims that the company used robust end-to-end encryption, which researchers later found was simply not true.
“In reality…Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised,” the FTC said in a statement Monday.
“Zoom’s misleading claims gave users a false sense of security, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information,” the FTC added.
Zoom was a relative unknown before the pandemic, thrust into the spotlight after millions of Americans were forced to work, learn, and socialize from home. But while Zoom’s user base quickly ballooned from around 10 million pre-pandemic to more than 300 million last April, its security practices weren’t prepared for the ride.
Zoom quickly came under fire for failing to do enough to thwart “Zoom bombing,” implementing features that allowed tracking of student and employee attention levels, and sharing data with Facebook that was not disclosed in the company’s privacy policies.
The FTC complaint also alleges that Zoom stored some meeting recordings unencrypted in the cloud for up to two months, despite marketing claims that meetings would be encrypted immediately following session completion.
The agency also claims Zoom compromised the security of its users when it secretly installed ZoomOpener web server software as part of a Mac desktop application update in July 2018. This software allowed Zoom to automatically launch meetings by bypassing Apple Safari’s malware protections, and it remained installed even after the Zoom application itself was removed.
The FTC says the settlement prohibits Zoom from further misrepresenting the platform’s security and privacy standards, and requires it to implement a vulnerability management program and stronger security across the company’s internal network, steps a company spokesperson says have already been completed.
“Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience,” Zoom said in a statement.
The FTC settlement was approved 3-2 along party lines, though dissenting Democratic commissioner Rebecca Kelly Slaughter issued a statement saying the settlement didn’t go far enough, in part because it provides no refunds or financial penalties.
“Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false,” Slaughter said. “This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case.”
While experts say Zoom has taken notable steps to shore up its lagging security, it took an FTC investigation, an FBI warning, letters from several senators, inquiries by numerous attorneys general, and a class action lawsuit to get there.
“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” FTC Consumer Protection Bureau Director Andrew Smith said of the settlement. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”