FTC Reaches Settlement with Zoom over Pattern of Security Violations

On November 9th, the Federal Trade Commission (FTC) announced a settlement agreement with Zoom Video Communications, Inc. regarding the video communication platform’s privacy issues. After over a year of investigations, the FTC concluded that Zoom had misled the public about the strength of the app’s privacy protections since at least 2016. The FTC ordered, among other measures, that Zoom is prohibited from misrepresenting its privacy practices and that it must receive an independent third-party assessment of its security program every other year. This order is to stand for 20 years.

Zoom came under increased scrutiny when the COVID-19 pandemic forced huge swaths of the population to work from home and go to school online. Zoom offered a user-friendly interface that took little practice to get the hang of. On top of that, it offered free, 40-minute meetings that could host up to 100 attendees at once, making it a no-brainer for schools and businesses to give it a test run. The nine-year-old video conferencing platform saw its usership explode from 10 million users in December 2019 to 300 million by April 2020.

This increased usership did not come without its risks. The simplicity of the service led to “Zoom bombing,” where unauthorized strangers would join meetings to play pornographic videos or spew hate speech. As the FBI got involved in the matter, Zoom implemented new features to increase its privacy and security measures.

“Zoom bombing,” however, is not why the FTC started the investigation. It’s not even mentioned in the press release of the settlement.

Before Zoom was a publicly traded company, it had major security issues. For the past four years, Zoom claimed to utilize end-to-end encryption (E2EE) for its meetings, one of the most secure methods of internet communication. End-to-end encryption works by encrypting the data on the sender’s device and keeping it encrypted until it reaches its intended recipient, the only device able to decrypt the message. This is why it is referred to as “end-to-end”: only the parties on each end of the shared data are able to decrypt the messages. With end-to-end encryption, any third party, including service providers, hackers, and even the app developers that facilitate the communications, is unable to decrypt the messages.

But this is not the type of encryption that Zoom actually provided. A spokesperson for Zoom admitted that the communications technology company in fact used a weaker level of security: Transport Layer Security (TLS) encryption. This is the same type of encryption used to secure a typical HTTPS website. The key difference between this and end-to-end encryption is that TLS only protects each connection between a user and Zoom’s servers, so Zoom could still access the video and audio of its users’ meetings. Yet the FTC complaint showed that for years Zoom represented in its HIPAA Compliance Guide that it offered end-to-end encryption. The Zoom client even displayed a green icon that stated “Zoom is using an end-to-end encrypted connection” when a user hovered their mouse over it.
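The difference the two paragraphs above describe can be made concrete with a small simulation. This is an added example, not code from the article or from Zoom: two participants (Alice and Bob) send a message through a meeting server, first with TLS-style per-link encryption, where the server terminates each link, and then with end-to-end encryption, where the payload is additionally sealed under a key only the endpoints hold. The keys, the message and the toy HMAC-based stream cipher are constructed for illustration; a real system would use an authenticated cipher and a proper key agreement.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: HMAC-SHA256(key, nonce||counter)
    is used as keystream. It carries no integrity protection; real deployments
    use an AEAD such as AES-GCM (assumption: this is a stand-in, not TLS)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, msg: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)          # fresh nonce per message
    return nonce + keystream_xor(key, nonce, msg)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def transport_only(msg: bytes, k_alice_srv: bytes, k_bob_srv: bytes):
    """TLS-style hop-by-hop protection: the meeting server decrypts Alice's link
    and re-encrypts toward Bob, so it holds the plaintext while forwarding."""
    at_server = unseal(k_alice_srv, seal(k_alice_srv, msg))
    delivered = unseal(k_bob_srv, seal(k_bob_srv, at_server))
    return delivered, at_server


def end_to_end(msg: bytes, k_alice_bob: bytes, k_alice_srv: bytes, k_bob_srv: bytes):
    """E2EE: the media is first sealed with a key only Alice and Bob share (assumed
    agreed out of band), then wrapped in the same per-link transport encryption.
    Stripping the transport layer leaves the server with only inner ciphertext."""
    inner = seal(k_alice_bob, msg)
    at_server = unseal(k_alice_srv, seal(k_alice_srv, inner))
    delivered = unseal(k_alice_bob, unseal(k_bob_srv, seal(k_bob_srv, at_server)))
    return delivered, at_server


def run_demo(msg: bytes = b"constructed sample: patient intake call") -> dict:
    k_as, k_bs, k_ab = (secrets.token_bytes(32) for _ in range(3))
    t_delivered, t_seen = transport_only(msg, k_as, k_bs)
    e_delivered, e_seen = end_to_end(msg, k_ab, k_as, k_bs)
    return {
        "transport_delivered": t_delivered == msg,
        "transport_server_reads_plaintext": t_seen == msg,   # True: server can read media
        "e2e_delivered": e_delivered == msg,
        "e2e_server_reads_plaintext": e_seen == msg,         # False: server sees ciphertext
    }
```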

In July 2018, Zoom secretly installed ZoomOpener software on Apple devices that bypassed the security protocols of Safari, Apple’s web browser. This created a one-click feature that opened the Zoom application, enabling a user’s webcam, without triggering Safari’s dialog box asking users whether they wanted to launch a third-party app. A year later, Apple rolled out an update that removed ZoomOpener after discovering a vulnerability that left Zoom and Mac users susceptible to attack. The FTC alleged that this action, in conjunction with the fact that Zoom failed to notify its users of this feature, violated the FTC Act.

More recently, in the spring of 2020, a class-action lawsuit was filed against Zoom, alleging that it shared user data from its iOS app with Facebook and other third parties. While sending user data to Facebook is far from unheard of, the concern lies with the fact that Zoom, again, failed to notify users about what it was actually doing. Soon after the suit was filed, Zoom updated its iOS app to stop sending data to Facebook.

In October 2020, Zoom announced that it will be rolling out an update to offer end-to-end encryption (for real this time) to all of its free and paid users. But Zoom has ruffled feathers at almost every step of its nearly decade-long journey to becoming a tech giant, and with a slap on the wrist from the FTC, it’s hard to imagine that it will be abandoning its playbook of deceptive security practices anytime soon.