The Federal Trade Commission (FTC) announced a settlement in November 2020 with the video-conferencing platform Zoom over allegedly misleading security claims.
The complaint alleged that, since at least 2016, Zoom had told users it offered end-to-end, 256-bit encryption to secure their communications on the platform, while in fact providing a lower level of security.
Zoom launched the first of four phases of its end-to-end encryption in October 2020, shortly before the settlement was announced. The new design provides actual end-to-end encryption for meetings with up to 200 participants. Zoom had announced the end-to-end encryption plan in May 2020, and the FTC order itself does not require end-to-end encryption; the roll-out is separate from the remedies the settlement imposes.
“We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs. We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC,” a spokesperson for Zoom told Engadget.
Under the agreement, Zoom must also take specific steps to address the issues in the complaint, including reviewing software updates for security flaws before releasing them.
The new measures include assessing and documenting internal and external security risks on an annual basis and developing ways to safeguard against them, implementing a vulnerability management program, deploying safeguards such as multi-factor authentication to protect against unauthorized access to its network, instituting data deletion controls, and taking steps to prevent the use of known compromised user credentials.
According to the FTC, end-to-end encryption is a method of securing communications in which only the sender and the intended recipients, and no one else, including the platform provider, can read the content.
Zoom responded that its use of the term referred to the connection being encrypted from Zoom endpoint to Zoom endpoint, with content not decrypted as it crossed the Zoom cloud. That is transport encryption on each hop under keys the provider holds, which is not end-to-end encryption in the sense the FTC describes: a server that holds the content key can read the content whether or not it chooses to. The company also claimed that it collected only the user data needed to improve its services.
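The distinction drawn above, between a provider that holds the content key and one that only relays ciphertext, as an added illustration that is not Zoom's code or protocol. The relay, the two clients, the constructed sample message and the stand-in cipher (encrypt-then-MAC over an HMAC-SHA256 counter-mode keystream, chosen so the script runs on the standard library alone) are all assumptions of this example; the end-to-end case models key delivery with a pre-established pairwise secret where a real system would run a key agreement.

```python
"""Illustration: who holds the content key decides whether the relay can read.

Hop-by-hop model: each client shares a transport key with the relay (as with
TLS) and the relay issues the meeting key, so it can decrypt content.
End-to-end model: the host generates the meeting key and wraps it under a
secret the relay never holds; the relay sees only ciphertext.
The cipher below is a toy stand-in for the illustration, not Zoom's suite.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32
MESSAGE = b"Q3 numbers: revenue down 12%"  # constructed sample meeting content


def _keystream(key, nonce, length):
    """Counter-mode keystream: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    """Derive independent encryption and MAC keys from one secret."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Raises ValueError on a wrong key or a modified message."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Relay:
    """The provider's server: strips each client's transport layer and forwards
    the inner payload. What it can read depends only on which keys it holds."""

    def __init__(self):
        self.keys = {}        # every key the provider holds, by label
        self.observed = []    # inner payloads seen while forwarding

    def connect(self, name):
        self.keys["transport:" + name] = secrets.token_bytes(32)
        return self.keys["transport:" + name]

    def forward(self, sender, recipient, blob):
        inner = decrypt(self.keys["transport:" + sender], blob)   # hop ends here
        self.observed.append(inner)
        return encrypt(self.keys["transport:" + recipient], inner)

    def try_read(self, payload):
        """What a curious or compelled provider can recover from a relayed payload."""
        for key in self.keys.values():
            try:
                return decrypt(key, payload)
            except ValueError:
                continue
        return None


def run_meeting(end_to_end):
    relay = Relay()
    alice_tk, bob_tk = relay.connect("alice"), relay.connect("bob")
    meeting_key = secrets.token_bytes(32)

    if end_to_end:
        # Host-generated key, wrapped under a secret the relay never sees (modelled
        # as a pre-established pairwise secret; a real design runs a key agreement).
        pairwise = secrets.token_bytes(32)
        wrapped = relay.forward("alice", "bob", encrypt(alice_tk, encrypt(pairwise, meeting_key)))
        bob_meeting_key = decrypt(pairwise, decrypt(bob_tk, wrapped))
    else:
        # Provider-issued key: the relay keeps a copy, as the FTC alleged Zoom did.
        relay.keys["meeting"] = meeting_key
        bob_meeting_key = meeting_key

    delivered = relay.forward("alice", "bob", encrypt(alice_tk, encrypt(meeting_key, MESSAGE)))
    return {
        "bob": decrypt(bob_meeting_key, decrypt(bob_tk, delivered)),   # always readable
        "relay": relay.try_read(relay.observed[-1]),                   # None when end-to-end
    }


if __name__ == "__main__":
    for mode in (False, True):
        result = run_meeting(end_to_end=mode)
        print("end_to_end=%s bob=%r relay=%r" % (mode, result["bob"], result["relay"]))
```

Running the script shows the same message reaching Bob in both modes while the relay recovers it only in the hop-by-hop mode; the only thing that changed between the two runs is which process holds the meeting key, which is the point of the FTC's definition.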
“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever. Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.
The FTC complaint alleged that Zoom maintained the cryptographic keys that could allow the company to access the content of customers’ meetings. According to the FTC, the misleading claim of end-to-end encryption gave Zoom users a false sense of security in the platform.
The complaint also alleged that Zoom stored some users’ meeting recordings unencrypted on its servers for up to two months, and that it compromised users’ security by covertly installing a web server, ZoomOpener, on users’ Mac computers so that they could join meetings faster, bypassing a browser safeguard in the process.
To address the web server issue, Zoom released a software patch in July 2019, and Apple pushed out a macOS update that removed ZoomOpener from users’ devices.