Zoom Settles with FTC after Deceiving Users About its Security Practices

22/11/2020



The Federal Trade Commission announced on 9 November a settlement with Zoom Video Communications that will require the company to implement a comprehensive security program and prohibits it from misrepresenting its privacy and security practices.


Zoom must take specific measures aimed at addressing the problems identified in the complaint. For example, it must:


    •  assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
    •  implement a vulnerability management program; and
    •  deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.


Zoom personnel will be required to review any software updates for security flaws and must ensure the updates will not hamper third-party security features.


Zoom is also prohibited from making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information.


The company must obtain assessments of its security program by an independent third party every two years, which the FTC has authority to approve, and notify the Commission if it experiences a data breach.


Background


Since at least 2016, Zoom misled users by touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security.


The FTC alleges that Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.
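The allegation above turns on key custody rather than key length: a provider that relays encrypted traffic but also holds the meeting key can decrypt that traffic, so "256-bit encryption" alone does not make a service end-to-end encrypted. The following is an added illustration, not code from the page, from Zoom, or from the FTC. The `MeetingServer` and `Client` classes, the meeting ids, and the HMAC-SHA256 counter-mode stream cipher are all constructed for this example (the toy cipher is used only so the script runs on the Python standard library; the custody argument does not depend on the cipher chosen). Key agreement between participants in the end-to-end case is assumed to happen out of band and is not shown.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (constructed for illustration only)."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class MeetingServer:
    """Hypothetical relay. It always sees ciphertext; whether it can read a
    meeting depends only on whether it also holds that meeting's key."""

    def __init__(self):
        self.keys = {}      # meeting_id -> key; filled only in the provider-managed design
        self.traffic = {}   # meeting_id -> list of (nonce, ciphertext)

    def create_provider_managed_key(self, meeting_id: str) -> bytes:
        # A 256-bit key generated by the provider and retained on its side.
        key = os.urandom(32)
        self.keys[meeting_id] = key
        return key

    def relay(self, meeting_id: str, nonce: bytes, ciphertext: bytes) -> None:
        self.traffic.setdefault(meeting_id, []).append((nonce, ciphertext))

    def read_meeting(self, meeting_id: str):
        """What the provider, or anyone who compels or breaches it, can recover.
        Returns the decrypted messages, or None if the server holds no key."""
        key = self.keys.get(meeting_id)
        if key is None:
            return None
        return [xor_crypt(key, n, c) for n, c in self.traffic.get(meeting_id, [])]


class Client:
    """Hypothetical meeting participant that encrypts before handing data to the relay."""

    def __init__(self, server: MeetingServer, meeting_id: str, key: bytes):
        self.server, self.meeting_id, self.key = server, meeting_id, key

    def send(self, message: bytes) -> None:
        nonce = os.urandom(12)
        self.server.relay(self.meeting_id, nonce, xor_crypt(self.key, nonce, message))


def provider_managed_meeting(message: bytes):
    """Strong cipher, but the provider created and kept the key: it can read the content."""
    server = MeetingServer()
    key = server.create_provider_managed_key("meeting-provider-key")
    Client(server, "meeting-provider-key", key).send(message)
    return server.read_meeting("meeting-provider-key")


def end_to_end_meeting(message: bytes):
    """Same cipher, but the key exists only on the participants' side (agreement
    assumed to happen out of band): the relay sees ciphertext it cannot open."""
    server = MeetingServer()
    participant_key = os.urandom(32)   # never handed to the server
    Client(server, "meeting-e2e", participant_key).send(message)
    return server.read_meeting("meeting-e2e")


if __name__ == "__main__":
    sample = b"constructed meeting audio frame"
    print("provider-managed:", provider_managed_meeting(sample))   # plaintext recovered
    print("end-to-end:      ", end_to_end_meeting(sample))         # None
```

When evaluating a vendor's encryption claim, the question this models is the one worth asking: who generates the key, where does it live, and can the operator decrypt stored or relayed content without a participant's cooperation. If the answer is yes, the service is encrypted in transit and perhaps at rest, but not end-to-end.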


Zoom also misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.


The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final.


The press release is available here.


Photo by Lum3n from Pexels.