Zoom has reached an agreement with the US Federal Trade Commission over its “deceptive” claims about end-to-end encryption. The FTC said in its complaint that Zoom misled users with the term “end-to-end encryption” when the platform in fact provided a lower level of security. As part of the settlement, the FTC requires Zoom to strengthen its information security program.
Since Zoom’s adoption skyrocketed worldwide, its marketing claims have come under scrutiny in several countries. In March, Zoom advertised that its platform was secured with “end-to-end encryption,” which the video conferencing company says was “in reference to the encrypted connection” from one Zoom endpoint to another Zoom endpoint. By Zoom’s account, this meant the content was not decrypted while it travelled across the Zoom cloud.
But the FTC stated in its complaint that Zoom held cryptographic keys that would let it access the content of customers’ meetings. Zoom used the term “end-to-end encryption” to describe a level of security that was actually lower than what end-to-end encryption genuinely provides: in an end-to-end system only the participants’ endpoints hold the keys, so the service operator cannot decrypt the content it relays.
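The distinction the FTC drew is about key custody, not about whether bytes on the wire are encrypted. The following is an added illustration, not Zoom’s code or protocol: it models the same Alice → server → Bob message flow twice, once with a relay that holds a session key for each client (the “encrypted connection from endpoint to server” model) and once with a relay that only carries ciphertext under a meeting key the endpoints agreed between themselves. The cipher (an HMAC-SHA256 keystream) and the key agreement (Diffie-Hellman over a small prime) are toy constructions chosen so the example runs offline with the standard library; the class and function names, the key sizes and the sample message are all assumptions made for this example.

```python
"""Added example (not Zoom's code): who holds the key decides whether a relay can
read meeting content.  Toy cipher and toy DH, for illustrating key custody only;
real systems use an AEAD such as AES-GCM and X25519 or a standard MODP group."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256(key, nonce || counter) blocks XORed into data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class TransportEncryptedRelay:
    """Server shares a session key with each client, so it sits inside the trust boundary."""

    def __init__(self):
        self.session_keys = {}
        self.seen_plaintext = []  # everything the relay was able to read

    def register(self, client_id: str) -> bytes:
        key = secrets.token_bytes(32)  # hypothetical client<->server key setup
        self.session_keys[client_id] = key
        return key

    def forward(self, sender: str, recipient: str, blob: bytes) -> bytes:
        plaintext = unseal(self.session_keys[sender], blob)
        self.seen_plaintext.append(plaintext)  # readable (and storable) by the relay
        return seal(self.session_keys[recipient], plaintext)


# Toy Diffie-Hellman parameters: far too small for real use, chosen so this runs instantly.
P = 2**127 - 1
G = 5


class Endpoint:
    """A meeting participant; the meeting key is derived from its own private value."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.meeting_key = None

    def derive(self, peer_pub: int) -> None:
        shared = pow(peer_pub, self.priv, P)
        self.meeting_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()


class EndToEndRelay:
    """Server carries ciphertext only; it never holds a key that decrypts content."""

    def __init__(self):
        self.observed = []  # everything the relay gets to see

    def forward(self, blob: bytes) -> bytes:
        self.observed.append(blob)
        return blob  # passed through untouched: there is nothing to decrypt it with


def run_transport_model(message: bytes):
    """Returns (what Bob reads, list of plaintexts the relay read)."""
    relay = TransportEncryptedRelay()
    k_alice, k_bob = relay.register("alice"), relay.register("bob")
    delivered = relay.forward("alice", "bob", seal(k_alice, message))
    return unseal(k_bob, delivered), relay.seen_plaintext


def run_e2e_model(message: bytes):
    """Returns (what Bob reads, bytes the relay saw, whether both ends agreed the same key)."""
    relay = EndToEndRelay()
    alice, bob = Endpoint(), Endpoint()
    alice.derive(bob.pub)  # public values may cross the relay; they yield no decrypting key
    bob.derive(alice.pub)
    delivered = relay.forward(seal(alice.meeting_key, message))
    return unseal(bob.meeting_key, delivered), relay.observed[0], alice.meeting_key == bob.meeting_key


if __name__ == "__main__":
    msg = b"constructed sample: board discussion, do not forward"
    print("transport model, relay read:", run_transport_model(msg)[1])
    print("e2e model, relay saw only:", run_e2e_model(msg)[1].hex())
```

In the first model the relay’s `seen_plaintext` list fills up with every message, which is exactly the position the complaint describes: the operator can read, and therefore store or hand over, meeting content. In the second the relay’s `observed` list contains only nonce-prefixed ciphertext, and nothing the server holds will decrypt it. Note that a provider can still break the second model by generating the meeting key itself and distributing it to clients; the property that matters is that the key never exists on the provider’s side.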
These claims gave a false sense of security to the many users who relied on the platform not only for everyday chats but to discuss sensitive information. “During the pandemic, virtually everyone – families, schools, social groups, businesses – is using video conferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
The FTC also said that Zoom stored some recorded meetings unencrypted on its servers for up to 60 days, and that it compromised the security of its users when, in July 2018, it “secretly” installed its ZoomOpener web server on macOS. ZoomOpener let Zoom launch automatically and bypassed a Safari browser safeguard that protects users from malware. The following July (2019), after the web server was publicly disclosed, Zoom released an update that removed it, and Apple pushed a macOS update that removed ZoomOpener from users’ devices.
The agreement between Zoom and the FTC does not include any monetary penalty, only Zoom’s commitment to raise its security standards. The FTC noted that Zoom must:
- assess and document potential internal and external security risks every year and develop ways to safeguard against such risks;
- implement a vulnerability management program;
- deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network, and institute data deletion controls;
- take steps to prevent the use of known compromised user credentials; and
- review any software updates for security flaws and ensure that updates do not hamper third-party security features.
The FTC also requires Zoom to obtain biennial assessments of its security program from an independent third party, which the FTC has the authority to approve, and to notify the Commission if it experiences a data breach.
Zoom had previously stated that its platform was end-to-end encrypted but, in reality, the encryption only covered the connection to Zoom’s servers, which held the keys.
- The FTC said it reached an agreement with Zoom over its “misleading” claims.
- Zoom claimed that its platform was E2E encrypted, but it meant something else by the term.
- For now, the FTC has asked Zoom to improve the security standards of its platform rather than pay a fine.