FTC settles with Zoom over security shortcomings


By Dylan Bushell-Embling
Thursday, 04 February, 2021



The US Federal Trade Commission (FTC) has finalised a settlement with videoconferencing provider Zoom over allegations that it misled consumers about the level of security provided for its Zoom meetings.

Under the settlement, first tentatively reached in November, Zoom has committed to implementing a robust information security program and to abide by a prohibition on privacy and security misrepresentations.

The agreement follows a complaint by the FTC alleging that Zoom misled users by claiming to offer “end-to-end, 256-bit encryption”. The FTC contended that end-to-end encryption implies that only the sender and recipients of a message can read its content.

But the FTC alleged that in reality, Zoom maintained the cryptographic keys that could allow the company access to customers’ meetings and that parts of Zoom Meetings were encrypted at a lower level than the 256-bit encryption promised.

In addition, the FTC had accused Zoom of storing the content of recorded meetings unencrypted for up to 60 days on its servers before transferring them to secure cloud storage, and of compromising the security of some Mac users by secretly installing software — a ZoomOpener web server — as part of an update to the Mac application in 2018.

This software allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware.

Under the settlement, Zoom has committed to conduct annual assessments of any potential internal and external security risks, implement a vulnerability management program and deploy safeguards such as multi-factor authentication to protect against unauthorised access to its network.

Zoom must also obtain biennial assessments of its security program by an independent third party approved by the FTC and notify the regulator if it experiences a data breach.

“During the pandemic, practically everyone — families, schools, social groups, businesses — is using videoconferencing to communicate, making the security of these platforms more critical than ever,” commented Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.

“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

The commission voted 3-2 to finalise the settlement, with the two dissenters objecting that the settlement did not go far enough by providing no money for victims or meaningful accountability for the company.
