- Zoom settled with the Federal Trade Commission (FTC) following allegations of "a series of deceptive and unfair practices," the agency announced Monday. "Zoom's security practices didn't line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected," said Andrew Smith, director of the FTC's Bureau of Consumer Protection, in the announcement.
- The settlement requires Zoom to establish a "comprehensive security program" and prohibits misrepresentations of its privacy and security. During Zoom's rapid user growth between December and April, the company allegedly "misled users by touting" end-to-end, 256-bit encryption, when it actually offered a "lower level of security."
- The FTC also alleges Zoom "compromised the security of some users" through a "secret" installation of the Zoom Opener software in 2018. The software was a component of an update, and it allowed Zoom to launch automatically, "bypassing an Apple Safari browser safeguard."
Zoom's security and privacy practices came under scrutiny this year following mass adoption. But not all users are created equal. Zoom's issues were primarily in product security, where the "thing that they were selling was not secure, which they've been pretty forthright and transparent with," said Jeff Pollard, Forrester VP and principal analyst, in an interview in October.
Zoom "maintained the cryptographic keys" allowing it access to customer meetings, the FTC said. Zoom "neither admits nor denies any of the allegations in the complaint, except as specifically stated in the Decision and Order," the settlement said.
In April, reports surfaced that Zoom used transport encryption by default instead of end-to-end encryption (E2EE). Transport layer security (TLS) was part of Zoom's meeting encryption method, which is a common approach among video meeting platforms. Cisco Webex uses TLS, while offering E2EE for Webex Meetings and Support. Microsoft Teams and Google Hangouts also lack E2EE by default.
In October, Zoom made E2EE available globally for paying and free Zoom customers after announcing the feature in June. The company said the feature will prevent anyone other than meeting participants, "not even Zoom's meeting servers," from having access to the encryption keys. Zoom's cloud meeting servers "become oblivious relays and never see the encryption keys," the company said.
Some organizations banned Zoom use during the early months of nationwide lockdown. CEO Eric Yuan admitted to "missteps" and the company established a CISO advisory board and a feature freeze until issues were remedied.
In June, the company named Jason Lee CISO. "Zoom is interesting because at first Zoom didn't have a CISO. That wasn't named until well after they had started resolving a lot of these issues," said Pollard.
Lee reports to Zoom's COO Aparna Bawa. When that reporting structure is in place, it usually indicates a company is thinking about IT "as enabling the organization to operate. And in that scenario, they might be thinking about cybersecurity as something that's incredibly important, at a strategic level to that business," whether it's product security or partnered with other enterprises, said Pollard.
Zoom's FTC scrutiny is setting an example for the technology industry. The federal agency has sought greater authority in privacy and data security cases, beyond the limitations of Section 5 of the FTC Act. In 2019, the FTC called on Congress to allow the agency to "enact privacy and data security legislation, enforceable by the FTC, which grants the agency civil penalty authority."