Business Blog
Zooming in on Zoom’s unfair and deceptive security practices: More about the FTC settlement
This time last year, “zoom” was just a word related to speed. But the pandemic has made video conferencing platform Zoom a daily fixture for business people conferring about trade secrets, doctors and mental health professionals discussing sensitive patient information, kids keeping up with school work, and the rest of us sharing everything from the details of day-to-day life to confidential family matters. According to a just-announced FTC complaint, Zoom allegedly engaged in deceptive and unfair practices that misled consumers about the security of their communications on the platform and that put certain users at risk when the company undermined a security feature built into the Safari browser. A proposed settlement will require Zoom to honor its security promises and implement a comprehensive program designed to protect consumers’ information in the future.
Use Zoom just a few times and you’ll understand the breadth of data the company collects: names, email addresses, approximate locations, credit card numbers, the identity of attendees, and a plethora of information collected while people use the service – including chats, messages, files, and recorded meetings stored on Zoom’s cloud storage. Obviously aware of consumers’ concerns about the security of their communications, Zoom claimed on its website and elsewhere that it takes “security seriously,” that it “places privacy and security as the highest priority,” and that it “is committed to protecting your privacy.”
On its site, in its app, in security guides, and in direct communications with potential customers, Zoom prominently touted its “end-to-end AES 256-bit encryption” for all meetings. End-to-end encryption is a way of securing communications so that only the sender and recipients – and no one else, not even the platform provider – can read the contents. AES 256-bit encryption is such a strong level of encryption that it can be used to secure “TOP SECRET” messages. According to a 2015 Zoom blog post, “Zoom’s use of AES 256 encryption” made “it impossible for a hacker to grab anything outside of a hopelessly garbled transmission . . . . ” The company also represented to healthcare providers that “end-to-end AES 256-bit encryption of all meeting data and instant messages” made the platform suitable for the enhanced security needs of telehealth video conferencing.
That’s what the company claimed, but the FTC says Zoom delivered far less. In fact, Zoom didn’t provide end-to-end encryption for most Zoom meetings because Zoom’s servers – including some located in China – maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings. What’s more, the FTC says the company’s claim of “256-bit encryption” was false or misleading because Zoom delivered a lower level of encryption that provided less protection.
For paying customers, Zoom also offered the option of storing their recorded meetings in Zoom’s secure cloud immediately after the meeting had ended. However, according to the FTC, recordings were kept on Zoom’s servers unencrypted for up to 60 days before they were transferred to Zoom’s secure cloud storage, where they were stored encrypted.
The FTC also alleges that for Mac users, Zoom installed software – called ZoomOpener – that raised particular privacy and security concerns. Mac owners will want to read the complaint for details, but here’s the summary. To help defend against malware and malicious actors, Apple had updated its Safari browser to require users to interact with a dialogue box when a website or link attempted to launch an outside app. So if a consumer received an invitation link to a Zoom meeting, they had to click that it was “okay” to open the Zoom app and join the meeting. However, to avoid this dialogue box, in July 2018, Zoom updated its app for Macs with its ZoomOpener software. The company claimed the purpose of the update was to resolve “minor bug fixes,” but the FTC says Zoom had something else in mind. In fact, Zoom’s “fix” circumvented that safeguard in Apple’s Safari browser. The upshot: Consumers could automatically be joined to Zoom meetings with their cameras also automatically activated unless the consumers had changed their Zoom default video settings.
Importantly, Zoom did not put in place any offsetting measures to protect users, and the FTC alleges Zoom’s behind-the-scenes ploy put Mac users at risk. For example, no-goodniks could send phishing emails that were really Zoom invitations in disguise. If consumers clicked on a link, it could open a Zoom meeting without their permission and allow strangers to spy on them through their webcams or install malware onto their computers. Even if users deleted the Zoom app, the ZoomOpener remained – along with its accompanying vulnerabilities. What’s more, Zoom could re-install the Zoom app without the user’s permission or knowledge. Apple removed the ZoomOpener web server from users’ computers in 2019.
The proposed administrative complaint alleges Zoom violated the FTC Act by making deceptive end-to-end encryption claims, false promises about the level of encryption it provided, and misleading representations regarding secured cloud storage for recorded meetings. In addition, the FTC charges that Zoom’s installation of the ZoomOpener unfairly circumvented third-party privacy and security safeguards and that Zoom deceptively failed to give consumers the full scoop about the ZoomOpener.
The proposed settlement prohibits Zoom from making a wide variety of privacy- and security-related misrepresentations. It also requires Zoom to put in place a far-reaching information security program that includes – among other things – a security review for all new software before release, a vulnerability management program, regular security training for all employees, specialized training for developers and engineers, and independent program assessments by a qualified third party within 180 days and every other year after that for the next 20 years. Once the proposed settlement is published in the Federal Register, the FTC will accept public comments for 30 days.
Even though Zoom has discontinued most of the practices challenged in the complaint, the most effective means for future compliance is a comprehensive security make-over assessed by a qualified third party, monitored by the FTC, and enforceable in court. The hundreds of millions of consumers who rely on Zoom every day to conduct business, get healthcare, educate their kids, and connect with family members have a right to expect the company to take steps to protect their personal information.
Looking for more information about using video conferencing platforms? Read Video conferencing: 10 privacy tips for your business.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.