FTC Settlement: Zoom Lied About End-to-End Encryption

Zoom announced recently that it was adding end-to-end encryption to its services, making it sound like it was providing users with a great service. It turns out it’s partially because it was court-mandated. Zoom has reached a settlement with the FTC, which claimed the company lied to users for years about using end-to-end encryption.

FTC Complaint Against Zoom

“Since at least 2016, Zoom misled users by touting that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications, when in fact it provided a lower level of security,” said the Federal Trade Commission (FTC) about the settlement.

“Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings and secured its Zoom Meetings, in part, with a lower level of encryption than promised.”

According to the FTC complaint, Zoom said in its June 2016 and July 2016 HIPAA compliance guides used by health-care providers that it offers end-to-end encryption. It claimed the same in a January 2019 white paper. It came up again in a blog post from April 2017.

The FTC said in its announcement about the settlement that Zoom also “misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.”

Settlement Between FTC and Zoom

According to the FTC, “Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.”

The Republican majority in the FTC supports the settlement. The Democratic minority wanted to force Zoom to provide help to affected users. The settlement says Zoom does not have to “offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false,” said Democratic Commissioner Rebecca Kelly Slaughter.

Zoom is also facing separate lawsuits from investors and consumers that could force it to offer financial settlements to its users.

The complaint and settlement also cover the ZoomOpener web service that bypassed security protocols in Mac computers. The company “secretly installed” its software as part of a Zoom update in July 2018, according to the FTC. After it caused controversy, Zoom completely removed the web server from the Mac application.

The FTC said Zoom agreed to take the following steps:

  • Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks
  • Implement a vulnerability management program
  • Deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network, institute data deletion controls, and take steps to prevent the use of known compromised user credentials

Zoom said about the encryption settlement: “The security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs. We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”

Learn more about Zoom’s new end-to-end encryption, which it now includes in part because of the FTC complaint, in “Zoom Now Includes End-to-End Encryption.”

Laura Tucker Avatar
