On November 9, 2020, the FTC entered into a consent agreement with Zoom Video Communications, Inc. to address concerns over the videoconferencing platform’s security practices. With the onset of the COVID-19 pandemic, the need for a reliable, online videoconferencing and meeting platform skyrocketed. Zoom met that need. It advertised its platform as a secure space with various safety measures to protect user data, including “end-to-end” 256-bit encryption. In short order, individuals, businesses, and organizations flocked to the user-friendly communications platform, and by the end of April 2020, Zoom’s user base was booming.
Then came a backlash of sorts. The FTC began investigating Zoom’s security practices, and private plaintiffs brought class-action lawsuits alleging violations of the California Consumer Privacy Act and failure to adhere to Zoom’s terms of service. The FTC’s complaint alleged several concerns with Zoom’s advertising and security promises, concluding that Zoom made misleading claims about the strength of its encryption and security of its platform that gave customers a false sense of security. The five-count complaint alleged that Zoom:
- Misrepresented Zoom’s ability to give all meetings end-to-end encryption because the company’s storage of meetings on its own servers gave it access to the recordings;
- Misrepresented the level of encryption as “AES 256 bit encryption” when employing only 128-bit encryption;
- Misrepresented that saved meetings would be immediately stored in a secure cloud, when the meetings were actually first stored for 60 days on an unsecure server before moving to the cloud;
- Circumvented Apple Inc.’s security measures on the Safari browser with its “ZoomOpener” program, which re-installed the Zoom application even after users uninstalled the application; and
- Did not warn Mac users that a patch for “minor bug fixes” would deploy the “ZoomOpener” program.
Under the proposed consent agreement, Zoom must remedy the security vulnerabilities identified above and detailed in the complaint. Among other requirements, Zoom must implement enhanced security features, including reviewing new software for vulnerabilities, performing quarterly scans of security networks, and immediately remedying critical vulnerabilities. The consent agreement also prohibits Zoom from making any privacy or security misrepresentations in the future.
In the majority commissioner statement, three commissioners touted the immediate relief the consent agreement offers. They emphasized that the quick resolution was necessary in light of the ongoing pandemic and beneficial to Zoom’s users. Two other commissioners dissented. They commented that the consent agreement leaves no recourse for Zoom’s actual user base—many of whom are small businesses—whose privacy and sensitive information continue to be at risk. One dissenter also noted that while the agreement addresses security concerns going forward, it does not help those who may have already suffered harm.
The proposed consent order is open for public comment for thirty days.