FTC Hits ZOOM for Misrepresenting Its Security Protections

(November 11, 2020) The Federal Trade Commission (“FTC”) confirmed what Zoom users who have been Zoombombed already know: the videoconferencing provider’s security was not as strong as hyped.

The FTC alleged in a five-count complaint that Zoom Video Communications, Inc. misled users about the security of its software, which provides online video meetings either on a one-on-one basis or for groups. Zoom soared in use as a result of the pandemic, going from 10 million users in December 2019 to 300 million in April 2020.

The FTC complaint said Zoom:

  • Misrepresented to users that it secured Zoom meetings with end-to-end encryption that could only be decrypted by the communicating parties. Instead, Zoom maintained the cryptographic keys, allowing Zoom to access the content of the meetings.
  • Misrepresented the level of encryption used to secure communications between participants. Zoom said it was using a 256-bit encryption key, but in fact used only a 128-bit key.
  • Misrepresented to users who opted to store recordings of their Zoom meetings in Zoom’s secure cloud storage that the company would securely store the recordings once the meeting had ended. Instead, the meetings remained on Zoom servers unencrypted for up to 60 days before being transferred to Zoom’s secure cloud storage.
  • Installed a locally hosted web service on Mac computers that was designed to circumvent a security and privacy safeguard in Apple’s Safari browser. Users were not informed of the circumvention.
  • Represented it was updating its Mac application to repair a bug, but instead installed software that included the ZoomOpener web app, which remained even after a user had uninstalled Zoom’s Mac application.

Zoom agreed to settle the complaint, consenting to establish and implement a comprehensive security program and agreeing that it would not make any additional privacy and security misrepresentations. The public may comment on the proposed settlement for 30 days after publication in the Federal Register.