It’s a bad day to be Zoom.
As Zoom’s stock price plunged amid promising news of a covid-19 vaccine development on Monday morning, the Federal Trade Commission announced a settlement with the video conferencing company over a “series of deceptive and unfair practices that undermined the security of its users.” The FTC hopes the settlement will send a warning to any companies making unfounded claims about user privacy and security.
The FTC said in a press release on Monday that since 2016, Zoom misled customers by falsely claiming it provided “end-to-end, 256-bit encryption” for its users’ video conferences. Instead, the FTC said, “it provided a lower level of security” that was not end-to-end encrypted at all. The company also “secretly” installed software on Mac users’ computers, and made false claims about the security of video recordings stored in Zoom’s cloud, the FTC said.
End-to-end encryption secures communications by providing cryptographic keys to only the sender and recipient, allowing only those parties to access the secured communication. It has, in recent years, become the gold standard for consumer-level encryption. “In reality, the FTC alleges, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised,” the agency said.
Zoom has become a go-to tool during the pandemic lockdowns, growing from 10 million users at the end of last year to between 200 million and 300 million users worldwide today, according to the FTC. During a call with press early Monday afternoon, Andrew Smith, director of the FTC’s Bureau of Consumer Protection, noted that Zoom video chats are now used for highly sensitive discussions, including business meetings and chats with healthcare providers.
In addition to allegedly deceiving users about the encryption of live video chats, the FTC said, Zoom falsely claimed that users’ video meetings saved on the company’s cloud storage would be “immediately” encrypted. The FTC said some recorded videos were instead stored unencrypted for up to 60 days before they were moved to secure storage.
Finally, the FTC claims that Zoom “secretly installed” its ZoomOpener web server on users’ machines as part of its July 2018 update for its Mac desktop app. “The ZoomOpener web server allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware,” the FTC said. The agency said Zoom further misled users by failing to properly disclose “that the app update would install the ZoomOpener web server on users’ computers, that it would circumvent a Safari browser safeguard, or that it would remain on users’ computers even after users deleted the Zoom app.”
In an emailed statement, Zoom pointed to the steps it has already taken to improve its security over the course of the year-long FTC investigation, including a 90-day privacy and security review that CEO and founder Eric Yuan announced in early April.
“The security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs,” the company said. “We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”
Under the terms of its settlement with the FTC, Zoom must perform security audits prior to any software updates, carry out annual audits of any potential “internal or external” security risks, implement a “vulnerability management program,” roll out data-deletion tools, and mitigate the use of stolen user credentials, according to the agency. Of course, Zoom is also prohibited from further deceiving or misleading users and must undergo a security audit by an independent third party every two years.
There is no financial component to this settlement; however, Linda Holleran Kopp, the lead attorney on the Zoom investigation, told reporters on Monday that the company will face “significant civil penalties if they violate the terms of the order.”