The Federal Trade Commission (FTC) announced a settlement with video conferencing platform Zoom on Monday that will require the company to implement a sturdier information security program. The FTC alleged that Zoom engaged in a series of “deceptive and unfair practices” that essentially undermined the security of its users.
The FTC’s complaint dates back to 2016 when the agency alleged that Zoom deceived users by falsely promising that it offered “end-to-end, 256-bit encryption” to secure users’ communications. Regulators said the falsehood created the possibility that other people (including Zoom) could read a user’s content.
In the FTC’s eyes, Zoom also erroneously told users who wanted to store recorded meetings on the company’s cloud storage that those meetings were encrypted immediately after their meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.
The matter was complicated further during the COVID-19 pandemic. Zoom’s reach skyrocketed from 10 million in December 2019 to 300 million in April 2020, putting even more users’ privacy at risk.
Earlier this summer, the company attempted to soften the FTC’s angst by improving its security for all users versus only its paying subscribers, but those actions seemingly weren’t enough to appease regulators.
“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
What changes Zoom users will see
The FTC’s laundry list of changes that Zoom users are supposed to see thanks to the settlement include:
The annual assessment and documentation of any potential internal and external security risks and develop ways to safeguard against such risks;
Implementation of a vulnerability management program; and
Deployment of safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and taking steps to prevent the use of known compromised user credentials.
The FTC didn’t stop there, though. On top of those three key changes, Zoom agreed to review any software updates for potential security flaws and must ensure that software updates will not hamper third-party security features. The company has also agreed not misrepresent to the public its collection and use of personal information, and it will have an assessment of security program made by an independent third party every other year.