The Federal Trade Commission today announced a settlement with Zoom Video Communications, Inc. that will require the company to implement a robust information security program to settle allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.
Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.
In its complaint, the FTC alleged that, since at least 2016, Zoom misled users by touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security. End-to-end encryption is a method of securing communications so that only the sender and recipient(s)—and no other person, not even the platform provider—can read the content.
In reality, the FTC alleges, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.
Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information. In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services.
“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
According to the FTC’s complaint, Zoom also misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.
The FTC also alleged that the company compromised the security of some users when it secretly installed software, called a ZoomOpener web server, as part of a manual update for its Mac desktop application in July 2018. The ZoomOpener web server allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware. Without the ZoomOpener web server, the Safari browser would have provided users with a warning box, prior to launching the Zoom app, that asked users if they wanted to launch the app.
The complaint alleges that Zoom did not implement any offsetting measures to protect users’ security, and increased users’ risk of remote video surveillance by strangers. The software remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app—without any user action—in certain circumstances. The complaint alleges that Zoom’s deployment of the ZoomOpener, without adequate notice or user consent, was unfair and violated the FTC Act. Apple removed the ZoomOpener web server from users’ computers through an automatic update in July 2019.
The complaint also alleges that Zoom’s release notes for the July 2018 update were deceptive because they did not adequately disclose that the app update would install the ZoomOpener web server on users’ computers, that it would circumvent a Safari browser safeguard, or that it would remain on users’ computers even after users deleted the Zoom app.
As part of the proposed comprehensive information security program, Zoom must take specific measures aimed at addressing the problems identified in the complaint. For example, it must:
- assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
- implement a vulnerability management program; and
- deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.
In addition, Zoom personnel will be required to review any software updates for security flaws and must ensure the updates will not hamper third-party security features.
Under the proposed settlement, Zoom is also prohibited from making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information.
Finally, the company must obtain biennial assessments of its security program by an independent third party, which the FTC has authority to approve, and notify the Commission if it experiences a data breach.
The Commission voted 3-2 to issue the proposed administrative complaint and to accept the consent agreement with the company. Commissioners Rohit Chopra and Rebecca Kelly Slaughterissued dissenting statements, while Chairman Joe Simons as well as Commissioners Noah Joshua Phillips and Christine S. Wilson issued a majority statement.
The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,280.