Videoconferencing service Zoom has settled accusations by the Federal Trade Commission that it failed to protect users’ information.
The settlement requires Zoom to implement a comprehensive security plan and cease any misrepresentation of its security or data-handling practices. Zoom must also undergo a security assessment by an independent third party every two years, and notify the FTC in the event of any data breach.
The settlement didn’t include a fine.
Zoom has been one of the most prominent of the “stay at home” tech companies benefiting from the disruptions of coronavirus, with the number of meeting participants exploding from 10 million in December 2019 to 300 million by April 2020, as everything from history classes to government committees went online. That led to heightened scrutiny of the platform and its security practices.
The missteps highlighted by the settlement are potentially serious, but the FTC didn’t say that hackers had exploited them in the real world. Nor did the agency say that user account information such as emails or credit card details had been stolen.
“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC,” Zoom said in a statement. “Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”
Since at least 2016, according to the FTC, Zoom has claimed it offered “end-to-end encryption” to users. But in March, tech news site The Intercept reported that while Zoom calls were encrypted, Zoom itself theoretically had access to encrypted meetings—an impossibility if it was offering true end-to-end encryption.
After this discrepancy was made public, Zoom acquired the encryption startup Keybase and began building true end-to-end encryption. The first iteration of that technology was introduced to users in late October.
The FTC also said Zoom misrepresented its handling of recorded calls saved to its cloud service. Zoom claimed these recordings were encrypted immediately after a call was completed, but in fact some calls were on Zoom’s servers in unencrypted form for as long as 60 days before being transferred to secure storage.
In its announcement, the FTC argued that Zoom’s misleading encryption claims gave users “a false sense of security…especially for those who used the company’s platform to discuss sensitive topics such as health and financial information.”
The FTC also focused on a flaw in how Zoom worked on Apple’s Mac computers. To allow users to join calls faster, Zoom installed background software called ZoomOpener starting in June 2018. ZoomOpener bypassed a protocol designed to protect Mac users who click on malicious links. In July 2019, it was discovered that this work-around could give hackers access to users’ webcams. Zoom fixed the flaw almost immediately after it was publicized.
Ultimately, the settlement amounts to a public declaration that the FTC is keeping a close eye on Zoom. The FTC says it “requires Zoom to live up to its privacy and security promises and to put in place a comprehensive security program designed to protect your information for many years to come—or pay big fines.”
