On 9th November, the Federal Trade Commission (“FTC”) of the United States announced a settlement with Zoom Video Communications, Inc. (“Zoom”), requiring the company to implement a comprehensive information security program. The settlement resolves alleged deceptive and unfair practices that undermined the security of Zoom’s users, in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45(a). The FTC voted 3-2 to accept the consent agreement with the company. Chairman Joseph J. Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson issued a majority statement in the matter of Zoom Video Communications, Inc. (Commission File No. 1923167), stating that the settlement provides critical and timely relief while enabling the FTC to seek significant penalties in case of noncompliance.
“At a time when millions of Americans are using videoconferencing services on a daily basis, the settlement that the Commission announces today ensures that Zoom will prioritize consumers’ privacy and security. The Commission’s complaint alleges that Zoom made misrepresentations regarding the strength of its security features and implemented a software update that circumvented a browser security feature. The proposed order provides immediate and important relief to consumers, addressing this conduct. The order requires that Zoom establish and implement a comprehensive security program that includes detailed and specific security measures. These obligations include reviews of all new software for common security vulnerabilities; quarterly scans of its internal network and prompt remediation of critical or severe vulnerabilities; and prohibitions against privacy and security misrepresentations. This order will enable the Commission to seek significant penalties for noncompliance. This settlement provides critical, and timely, relief.”
– Majority Statement of Chairman Joseph J. Simons, Commissioner Noah Joshua Phillips, and Commissioner Christine S. Wilson
The FTC’s complaint stated that Zoom had misled consumers since 2016 with false encryption claims, representing that user communications were protected by end-to-end, 256-bit encryption. End-to-end encryption is a method of securing communications so that only the sender and the intended recipient can decipher the encrypted content. In reality, the FTC said, Zoom did not offer end-to-end, 256-bit encryption for the contents of communications between participants using its video conferencing software; it used a lower level of encryption and also retained the cryptographic keys that give access to the content of its customers’ meetings. The company also falsely represented that recorded meetings were encrypted immediately after a meeting ended and then stored in the company’s cloud storage, whereas some unencrypted meeting recordings were kept on its servers for up to 60 days before being transferred to its secure cloud storage. Additionally, the complaint alleged that in July 2018 the company discreetly installed web server software called ZoomOpener as part of a manual update to its Mac desktop application, without obtaining user consent or providing any notice. The software allowed Zoom to bypass several Apple security measures designed to protect users from malware, remained on computers even after the Zoom app was deleted, and could automatically reinstall the Zoom app without any action by the user. Zoom did not implement any offsetting measures to address the resulting user security concerns, and the software increased the risk of remote video surveillance by third parties.
The settlement proposes a comprehensive information security program requiring Zoom to take specific measures to address the issues identified in the complaint. The company must assess and document potential internal and external security risks on an annual basis, develop safeguards against those risks, implement a vulnerability management program, deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network, institute data deletion controls, and take steps to prevent the use of known compromised user credentials. Furthermore, software updates must be reviewed for security flaws and must not impede third-party security features. The company’s security program must be assessed every two years by an independent third party approved by the FTC, and the FTC must be notified in case of a data breach. Lastly, Zoom is prohibited from misrepresenting its privacy and security practices, its security features, and the extent of user control over the privacy or security of personal information.
Reported by Priyanshi Rastogi, Student Ambassador