Zoom Misled Users 'False Sense of Security,' FTC Says

"Zoom’s misleading claims gave users a false sense of security … to discuss sensitive topics such as health and financial information," the US government said.

Nov 10 2020, 2:00pm

The Federal Trade Commission (FTC) announced Monday that it struck a settlement with Zoom, after accusing the video conferencing company of repeatedly misleading users about the strength of its security, privacy, and encryption practices. 

In an announcement, the FTC accused Zoom of “a series of deceptive and unfair practices that undermined the security of its users.” Of particular interest to the FTC was Zoom’s repeated marketing claims that the company utilized robust end to end encryption, despite subsequent realizations by researchers that this simply wasn’t true.

Advertisement

“In reality…Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised,” the FTC said in a statement Monday.

“Zoom’s misleading claims gave users a false sense of security, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information,” the FTC added.

Zoom was a relative-unknown before the pandemic, thrust into the spotlight after millions of Americans were forced to work, learn, and socialize from home. But while Zoom’s user base quickly ballooned from around 10 million pre-pandemic to more than 300 million last April, its security practices weren’t prepared for the ride.

Zoom quickly came under fire for failing to do enough to thwart “Zoom bombing,” implementing features that allowed tracking of student and employee attention levels, and sharing data with Facebook that was not disclosed in the company’s privacy policies.

The FTC complaint also alleges that Zoom stored some meeting recordings unencrypted in the cloud for up to two months, despite marketing claims that meetings would be encrypted immediately following session completion.

The agency also claims Zoom compromised the security of its users when it secretly installed ZoomOpener web server software as part of a Mac desktop application update in July 2018. This software allowed Zoom to automatically launch meetings by bypassing Apple Safari malware protection, and remained installed even after Zoom was removed.

Advertisement

The FTC claims the settlement prohibits Zoom from further misrepresenting the platform’s security and privacy standards, and requires it implement a vulnerability management program and stronger security across the company’s internal network, steps a company spokesperson says have already been completed.

"Today's resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience," Zoom said in a statement.

The FTC settlement was passed 3-2 along party lines, though dissenting Democratic commissioner Rebecca Kelly Slaughter issued a statement saying the settlement didn’t go far enough in part because it provides no refunds or financial penalties.

“Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false.” Slaughter said. “This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case.”

While experts state that Zoom has taken notable steps to shore up its lagging security, it required an FTC investigation, FBI warning, letters from several Senators, inquiries by numerous attorneys general, and a class action lawsuit to get there.

“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” FTC Consumer Protection Bureau Director Andrew Smith said of the settlement. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

Tagged:

Hacking, security, FTC

More
like this
OAN Is So Dangerous Because It Looks Like a Real News Channel
Leaked Audio: Facebook Moderators Terrified to Return to Office During COVID Outbreak
Click to Bow: How Japan’s Work Etiquette is Adapting to the Age of Zoom
A Spyware Vendor Seemingly Made a Fake WhatsApp to Hack Targets
Comcast Expands Costly and Pointless Broadband Caps During a Pandemic
The GOP Is Jamming Through the Appointment of Unqualified Trump Ally to The FCC
Here Are the Worst Military Photos of 2020
Don’t Hire Gig Workers to Wait In Line for Your COVID-19 Test