The Federal Trade Commission announced a settlement with videoconferencing platform Zoom over “misleading claims” about its security. The agency said in a statement that when Zoom incorrectly claimed its video calls were protected by end-to-end encryption, the company engaged in “deceptive and unfair practices that undermined the security of its users.”
Zoom said in March that the phrase “end to end” was “in reference to the connection being encrypted from Zoom end point to Zoom end point,” that “content is not decrypted as it transfers across the Zoom cloud,” and that it only collected user data needed to improve its services.
But according to the FTC, Zoom had the cryptographic keys that could allow the company to access customers’ meetings. “Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information,” the agency said.
Zoom finally introduced the first of four phases of its end-to-end encryption in October for free and paid users in meetings with up to 200 participants. The next phase, scheduled to launch next year, will have better identity management and support for single sign-on, the company said.
A Zoom spokesperson said in a statement that the security of its users is a top priority and that it had already addressed the issues in the FTC complaint. “Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience,” the statement reads.
In addition to the end-to-end encryption issue, the FTC also said in its complaint that Zoom had stored unencrypted meeting recordings on its servers for up to 60 days and compromised the security of some users when it “secretly” installed software called ZoomOpener last year. That software allowed Zoom to launch automatically on macOS and bypass safeguards in Apple’s Safari browser meant to block malware, according to the FTC. Zoom released a patch last July, and Apple pushed an update to remove ZoomOpener from users’ devices.
Under the terms of the agreement with the FTC, which has no financial component, Zoom has to take specific steps to address the problems in the agency’s complaint and review software updates for security flaws. The company is also “prohibited from making misrepresentations about its privacy and security practices,” including how it collects and uses customers’ personal data as well as “the extent to which users can control the privacy or security of their personal information.”
Zoom also has to have an independent third-party assess its security every other year and notify the FTC in the event of a data breach.