On Monday, the Federal Trade Commission announced a settlement with Zoom that will require the company to implement stronger security programs. Since May, the FTC has been investigating the video conference platform, accusing it of engaging in “deceptive and unfair practices that undermined the security of its users.” Zoom has not admitted any wrongdoing and does not face any financial penalties, but it has agreed to new security practices as part of the settlement.
According to the FTC complaint, Zoom, which saw its daily user base skyrocket from 10 million in December 2019 to 300 million in April during the COVID-19 pandemic, falsely claimed its video calls were protected by end-to-end encryption. (Those figures count a person participating in several Zoom meetings in a single day as multiple users.) “In reality, the FTC alleges, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised,” the FTC said Monday in a press release. “Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information.”
The complaint also alleged that Zoom misled users into believing their stored recorded meetings on the platform’s cloud storage were encrypted as soon as the meeting ended, when in reality, some recordings were stored on its servers for up to two months unencrypted. Not only that, but the FTC said that in 2019 Zoom “secretly installed software” called ZoomOpener, which allowed the platform to automatically open on Mac desktops without permission from the user. This heightened users’ risk of “remote video surveillance by strangers.” Through an update in July 2019, Apple removed ZoomOpener from users’ computers.
The settlement passed 3–2, with FTC Commissioners Rohit Chopra and Rebecca Kelly Slaughter dissenting. “The settlement provides no help for affected users. It does nothing for small businesses that relied on Zoom’s data protection claims,” Chopra wrote in his dissent. Zoom also doesn’t have to face any financial penalties. But it already rolled out two-factor authentication earlier this year and has deployed end-to-end encryption—though you have to turn it on manually.
“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC,” said the company in an email to Slate. “Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.” As part of the settlement, the company must implement a new mandated information security program within 60 days, use safeguards such as multifactor authentication and data deletion, and review software updates for security flaws.
In April, Josephine Wolff wrote a partial defense of Zoom for Future Tense, saying, “all things considered, it’s doing a hell of a job scaling up its service and trying to respond very quickly to all of the concerns being raised about its product. Most of all, I admire its honesty and transparency about its shortcomings and its attempts to fix the vulnerabilities that have been identified, almost entirely within the past few weeks.”
Update, Nov. 11, 2020: This article was updated to clarify that the daily count of Zoom use includes multiple Zoom meetings by the same users.