The US Federal Trade Commission, with three votes in favour and two against, has approved a settlement with video conferencing solutions provider Zoom which requires the latter to implement a comprehensive information security programme to secure user communications.
Last year, the FTC accused Zoom of engaging in a “series of deceptive and unfair practices that undermined the security of its users.” FTC alleged that since 2016, Zoom misled its users by stating that “it offered end-to-end, 256-bit encryption to secure users’ communications,” whereas in reality, it provided a much lower level of security.
The FTC said that “the misleading claims made by Zoom gave users a false sense of security, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information. In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services.”
The FTC’s complaint also alleged that Zoom’s release notes for the July 2018 update were deceptive because they did not adequately disclose that the app update would install the ZoomOpener web server on users’ computers, that it would circumvent a Safari browser safeguard, or that it would remain on users’ computers even after users deleted the Zoom app.
An FTC investigation also found that while Zoom claimed that records of online meetings were encrypted immediately after the meetings ended, records of meetings were stored unencrypted for as long as 60 days before being transferred to a secure cloud storage.
In November, the FTC announced that it had reached a settlement with Zoom based on its previous findings with reference to the company’s data security practices and its claims to the public. As a part of the proposed settlement, Zoom needed to implement a comprehensive information security programme and take specific measures addressing the problems identified in the complaint.
Earlier this week, the Federal Trade Commission gave its final approval to the settlement. The approval has now made it mandatory for Zoom to implement a vulnerability management programme, review any software updates for security flaws before its released, deploy multi-factor authentication to protect against unauthorised access to its network, and assess potential security risks and develop ways to safeguard against such risks.
“The company must also obtain biennial assessments of its security programme by an independent third party, which the FTC has authority to approve, and notify the Commission if it experiences a data breach,” the FTC said in a statement.
“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever. Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.
The settlement was approved by FTC commissioners with a vote of three in favour and two against. Commissioner Rohit Chopra, who votd against the settlement, said he did so as the settlement “was weak, providing no help, no notice, no money for victims, and no meaningful accountability for Zoom.”
“Rushing to a final approval of this settlement is completely unwarranted. Unbeknownst to the public during the comment period, Zoom’s business practices and access controls allowed at least one foreign state actor – the People’s Republic of China (PRC) – to get access to user data,” he added.
Commissioner Christine S. Wilson, on the other hand, supported the settlement, stating that it provides privacy protection to consumers by prohibiting Zoom from misrepresenting its privacy practices, and requires Zoom to implement changes to its naming procedures for saving or storing recorded videoconference meetings, and to develop data deletion policies and procedures.