
Zoom Settles with FTC over Allegations of Deceptive Security Practices

Filip TRUȚĂ

February 02, 2021


The US Federal Trade Commission this week gave final approval to a settlement with Zoom Video Communications over allegations it misled consumers about the level of security provided during videoconferencing sessions and compromised the security of some macOS users.

The FTC's settlement with Zoom dates back to November 2020, when the commission alleged the company had deceived users about security for its meeting platform and unfairly undermined a browser security feature for Apple device users, among other things.

Alleged negligence and deception towards end users

One major allegation brought forth by the FTC is that, since at least 2016, Zoom misled users by claiming it offered “end-to-end, 256-bit encryption” when in fact it provided a lower level of security. The FTC alleges that, in reality, Zoom maintained the cryptographic keys that could allow it to access the content of its customers' meetings. Zoom also allegedly secured its virtual meetings with a lower level of encryption than promised, at least in part, according to the original complaint.

Other allegations include:

  • Zoom misled some users who wanted to store recorded meetings on the company's cloud storage by falsely claiming those meetings were encrypted immediately after they ended
  • The company compromised the security of some users when it secretly installed a “ZoomOpener” component as part of a manual update for its Mac desktop application in July 2018; Zoom did not implement any offsetting measures to protect users' security, and increased users' risk of remote video surveillance by strangers, the FTC claimed
  • Zoom's release notes for the July 2018 update were allegedly deceptive because they did not adequately disclose that the app update would install the ZoomOpener web server on users' computers, that it would circumvent a Safari browser safeguard, or that it would remain on users' computers even after they deleted the Zoom app

Prohibited from making false claims about security & privacy

Zoom has agreed to establish and implement a comprehensive security program, to implement a prohibition on privacy and security misrepresentations, and to other detailed and specific relief to protect its user base, according to the FTC.

In addition to requiring Zoom to carry out a comprehensive security program, this week's final order prompts the company to review any software updates for security flaws prior to release and ensure the updates will not hamper third-party security features.

The videoconferencing giant must also obtain biennial assessments of its security program by an independent third party and notify the commission of any data breach.

290 million new users in four months

Due to the COVID-19 pandemic, Zoom's install base has ballooned from 10 million in December 2019 to 300 million in April 2020.

“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” Andrew Smith, Director of the FTC's Bureau of Consumer Protection, said in November.

“Zoom's security practices didn't line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” Smith said.

Additional relief over rogue employee allegations

After receiving 12 comments on the proposed settlement, the commission voted 3-2 in January to finalize the settlement and to send responses to the commenters. Commissioner Christine S. Wilson, in particular, mentions a recent development which, in Wilson's opinion, requires additional relief for affected parties.

“My dissenting colleagues note that the recent revelations regarding a rogue Zoom employee in China, who accessed accounts and meetings of U.S.-based consumers, underscore the need for additional relief in this matter,” Wilson wrote.

“I have stated in testimony and speeches my view that privacy and data security are two sides of the same coin, and have urged Congress to pass both comprehensive privacy and data security legislation … I believe that such relief also is appropriate in de novo cases and am willing to support orders that integrate privacy and data security provisions in future matters,” the commissioner added.
