The Federal Trade Commission announced a settlement with Zoom Video Communications that requires the company to improve its information security program, resolving FTC allegations of a series of practices that undermined the security of its users.
In its complaint, the FTC alleged that since at least 2016, Zoom deceived users by claiming that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security.
The FTC alleges that Zoom maintained cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and that it secured Zoom Meetings, in part, with a lower level of encryption than promised.
According to the FTC’s complaint, Zoom also falsely stated that meetings recorded to the company’s cloud were encrypted immediately after the meeting ended, when some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.
The FTC also alleged that the company compromised the security of some users when it secretly installed software called the ZoomOpener web server.
The ZoomOpener web server bypassed an Apple Safari browser safeguard that displayed a warning box asking the user whether they wanted to launch the app; instead, the software allowed Zoom to launch automatically and join the user to a meeting.
The complaint alleges that Zoom did not implement any offsetting measures to protect users’ security, and increased users’ risk of remote video surveillance by strangers.
The software remained on users’ computers even after they deleted the Zoom app, and in certain circumstances would automatically reinstall the Zoom app without any user action. Apple removed the ZoomOpener web server from users’ computers through an automatic update in July 2019.
The complaint alleges that Zoom’s deployment of the ZoomOpener, without adequate notice or user consent, was unfair and violated the FTC Act.
The complaint also alleges that Zoom’s release notes for the July 2018 update were deceptive because they did not adequately disclose that the update would install the ZoomOpener web server on users’ computers, or that the software would function and operate in the manner described above.
The FTC states that, as part of the proposed comprehensive information security program, Zoom must take specific measures aimed at addressing the problems identified in the complaint.
Zoom personnel will be required to review any software updates for security flaws and to ensure that updates do not harm third-party security features.
The company is also prohibited from making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information.
Biennial assessments of the security program by an independent third party, which the FTC has the authority to approve, are also part of the settlement. The Commission is also to be notified about any data breaches the company experiences.
It is recommended that Zoom users refrain from conversations on the video communications platform that disclose confidential information, financial or otherwise, as such conversations are subject to privacy concerns, at least until the company implements a more robust security program that protects users’ interests.
This is at least the second major security and privacy concern that has surfaced since the video-conferencing app took off globally due to lockdown restrictions. The first was Zoombombing, which emerged during the earlier phase of the period when the app was being used widely around the world.