The US Federal Trade Commission (FTC) has announced that Zoom will be required to implement a "robust information security program" to ensure the ongoing security of its users.
The action results a from a settlement between the FTC and Zoom Video Communications, Inc., after the FTC filed a complaint alleging Zoom had undermined the security of its users via deceptive and unfair practices, including:
- providing a lower level of security than the promised "end-to-end, 256-bit encryption."
- maintaining the cryptographic keys that could allow Zoom to access the content of customers' meetings.
- falsely claiming that meetings were encrypted immediately at their conclusion. Instead, some allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.
- compromising the security of some users when, as part of a manual update, it secretly installed a ZoomOpener web server, which allowed Zoom to join a user to a meeting by bypassing a Safari malware safeguard.
- increasing users' risk of remote video surveillance, as the software remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the app — without any user action — in certain circumstances.
"During the pandemic, practically everyone is using video-conferencing to communicate, making the security of these platforms more critical than ever," said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. "Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected."
Moving forward, the settlement stipulates that Zoom must adhere to measures addressing the issues in the complaint, such as annually assessing and dealing with security risks (internal and external), and developing safeguards to deal with such risks; implementing a vulnerability management program; deploying safety measures such as multi-factor authentication; and making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information.
Zoom wasn't fined as part of the settlement, however if it fails to adhere to any of the measures outlined, each violation may result in a fine of up to $43,280.
