The Federal Trade Commission (FTC) has announced a settlement with Zoom after arguing that the video conferencing firm gave users a false sense of security by misleading them on key encryption and other features.
The original FTC complaint alleged that, since 2016, Zoom had falsely claimed it offered “end-to-end 256-bit encryption” when in fact it offered a lower level of encryption and kept hold of a cryptographic key, theoretically allowing it to access or provide access to customer meetings.
The FTC also said that Zoom falsely claimed that recorded meetings stored on the company’s cloud were immediately encrypted, when they were actually stored unencrypted for up to 60 days.
“During the pandemic, practically everyone — families, schools, social groups, businesses — is using video conferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.
“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
Other complaints the FTC had included the secret installation of a ZoomOpener web server on its Mac desktop application in 2018, to ensure the app automatically launched without triggering Safari safeguards.
The server represented a hidden security risk to customers and in some circumstances would reinstall Zoom even after it had been removed.
As part of the settlement, Zoom agreed to several measures including: implementing a vulnerability program; documenting security risks annually and developing safeguards; and deploying multi-factor authentication, data deletion and other security features.
The firm has also agreed to a biennial independent assessment of its security program and is prohibited from making further misrepresentations about its privacy and security practices.
Zoom recently began rolling out end-to-end encryption for all of its users.