Federal Trade Commission requires Zoom to enhance security practices

December 1, 2020 |

Zoom is now a verb.  The impact of video conferencing platform has made it ubiquitous and necessary to work from home and keep in touch with others during long weeks of shut downs. And it deserves its reputation as the go to platform; it is easy to use, it is free (for 40 minutes at a time), it allows for up to 100 people to join a meeting and it has many cool features such as separate rooms and messaging services.

It has also suffered from the growing pains that afflict technology that appear from nowhere and become massively popular overnight.  That included critical flaws in software for windows that allowed hackers to take over computers and flaws that lets an attacker to use a GIF to hack software and install malware and until recently not having end to end encryption. The list of flaws identified and fixed are set out in Zoom security issues: Here’s everything that’s gone wrong (so far).

As a result of the persistent flaws and inadequate privacy practices, now fixed, Zoom entered into a agreement with the New York Attorney General, on 7 May 2020, whereby Zoom would put into place and support new security measures and enhance privacy controls.

It was only a matter of time before Zoom’s privacy and security problems came to the attention of the US Federal Trade Commission.  It was investigated and earlier this month came to a settlement, again requiring it to provide better information security systems.  The jurisdictional basis for FTC bringing an action is that Zoom engaged in deceptive and unfair practices about it’s level of security, including representations about end to end encryption and the level of encryption.  The period of compliance with the Decision is 20 years.

The FTC issued a complaint  alleging that the misleading practices dated back to 2016.  The complaint highlights the exponential growth in Zoom’s business.  It had 600,000 paid users of its conferencing program in July 2019.  In December 2019 there were 10 million users participating in meetings.  By April 2020 there were 300 million users.

The FTC’s media release provides:

The Federal Trade Commission today announced a settlement with Zoom Video Communications, Inc. that will require the company to implement a robust information security program to settle allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.

Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.

In its complaint, the FTC alleged that, since at least 2016, Zoom misled users by touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security. End-to-end encryption is a method of securing communications so that only the sender and recipient(s)—and no other person, not even the platform provider—can read the content.

In reality, the FTC alleges, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.

Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information. In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services.

“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

According to the FTC’s complaint, Zoom also misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.

The FTC also alleged that the company compromised the security of some users when it secretly installed software, called a ZoomOpener web server, as part of a manual update for its Mac desktop application in July 2018. The ZoomOpener web server allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware. Without the ZoomOpener web server, the Safari browser would have provided users with a warning box, prior to launching the Zoom app, that asked users if they wanted to launch the app.

The complaint alleges that Zoom did not implement any offsetting measures to protect users’ security, and increased users’ risk of remote video surveillance by strangers. The software remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app—without any user action—in certain circumstances. The complaint alleges that Zoom’s deployment of the ZoomOpener, without adequate notice or user consent, was unfair and violated the FTC Act. Apple removed the ZoomOpener web server from users’ computers through an automatic update in July 2019.

The complaint also alleges that Zoom’s release notes for the July 2018 update were deceptive because they did not adequately disclose that the app update would install the ZoomOpener web server on users’ computers, that it would circumvent a Safari browser safeguard, or that it would remain on users’ computers even after users deleted the Zoom app.

As part of the proposed comprehensive information security program, Zoom must take specific measures aimed at addressing the problems identified in the complaint. For example, it must:

    • assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
    • implement a vulnerability management program; and
    • deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.

In addition, Zoom personnel will be required to review any software updates for security flaws and must ensure the updates will not hamper third-party security features.

Under the proposed settlement, Zoom is also prohibited from making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information.

Finally, the company must obtain biennial assessments of its security program by an independent third party, which the FTC has authority to approve, and notify the Commission if it experiences a data breach.

The Commission voted 3-2 to issue the proposed administrative complaint and to accept the consent agreement with the company. Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued dissenting statements, while Chairman Joe Simons as well as Commissioners Noah Joshua Phillips and Christine S. Wilson issued a majority statement.

As always, the settlement has come with a fair bit of publicity including articles such as Zoom has settled with the FTC over ‘deceptive’ security practices, Zoom settles with FTC after making ‘deceptive’ security claims and Zoom to enhance security as part of proposed US settlement with FTC.

Leave a Reply





Verified by MonsterInsights