On Monday, the Federal Trade Commission (FTC) announced that it reached a settlement with Zoom Video Communications, Inc. As part of the settlement, Zoom must “implement a robust information security program to settle claims,” alleged in the FTC’s complaint, that Zoom engaged in various deceptive and unfair trade practices that undermined user security in violation of the Federal Trade Commission Act.
In the FTC’s complaint, the agency averred that Zoom has misled consumers since at least 2016 by claiming its platform was encrypted, including “end-to-end encryption, 256-bit encryption,” in order to secure its users’ communications. In actuality, Zoom did not offer end-to-end encryption, whereby only the sender and receiver can read the content; instead, it offered a “lower level of security,” the agency said. Furthermore, Zoom allegedly “maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings,” so meetings were not end-to-end encrypted as Zoom had portrayed. Consequently, the FTC contended that Zoom’s misrepresentations gave users “a false sense of security,” especially when discussing sensitive topics or information. Zoom faced numerous lawsuits over privacy and security concerns, including concerns over its encryption.
Additionally, the FTC proffered that Zoom made other privacy and security misrepresentations, such as surreptitiously installing ZoomOpener web server software as part of a manual update in July 2018 for its Mac desktop application; ZoomOpener allowed Zoom to bypass various Apple security measures designed to protect Apple users from malware. Zoom did this without user knowledge. Moreover, the FTC contended that Zoom “did not implement any offsetting measures to protect users’ security, and increased users’ risk of remote video surveillance by strangers.” Zoom also allegedly did not provide users with adequate notice, disclosure, or consent.
“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
In accordance with the settlement, Zoom agreed to “a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations,” as well as to obtain initial and biennial independent program assessments by a third party, cooperate with the third-party assessors, provide an annual certification of its compliance, and send covered incident reports to the FTC, among other obligations under the settlement and order. Additionally, Zoom must review any software updates for security flaws and make sure that its updates will not hinder a third party’s security features.
The FTC voted 3-2 to issue the complaint and accept the consent agreement with Zoom. Commissioners Rohit Chopra and Rebecca Kelly Slaughter dissented, while Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson were in favor of the action and settlement.
In her dissent statement, Commissioner Slaughter stated, “Years before the global pandemic would make Zoom a household name, the company made decisions that threatened the security and privacy of its longstanding core business customers. Yet the Commission’s proposed settlement provides no recourse for these paying customers. When Zoom’s user base rapidly expanded, its failure to prioritize privacy and security suddenly posed a much more serious risk in terms of scope and scale. This proposed settlement, however, requires Zoom only to establish procedures designed to protect user security and fails to impose any requirements directly protecting user privacy. For a company offering services such as Zoom’s, users must be able to trust that the company is committed to ensuring security and privacy alike. Because the proposed resolution fails to require Zoom to address privacy as well as security, and because it fails to require Zoom to take any steps to correct the deception we charge it perpetrated on its paying clients, I respectfully dissent.” Commissioner Chopra also issued a statement of dissent.
Meanwhile, in the majority statement the Commissioners stated, “We are confident that the proposed relief appropriately addresses the conduct alleged in the complaint and is an effective, efficient resolution of this investigation. Our dissenting colleagues suggest additional areas for relief that likely would require protracted litigation to obtain. Given the effective relief this settlement provides, we see no need for that. Hundreds of millions of people use Zoom on a daily basis, often for free or through month-to-month contracts. We feel it is important to put in place measures to protect those users’ privacy and security now, rather than expend scarce staff resources on speculative, potential relief that a Court would not likely grant, given the facts here.”