Zoom to implement heightened security program in settlement with the FTC
Videoconferencing platform Zoom has agreed to implement a security program as part of a settlement with the Federal Trade Commission (FTC) announced Monday.
The settlement, approved by the FTC by a vote of 3-2, requires Zoom to heighten security by creating a vulnerability management program, deploying specified safeguards including multifactor authentication, and assessing and documenting new security risks, and the ways it will protect against them, every year.
The FTC alleged that Zoom misled users about its encryption practices, saying in the settlement that “Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.”
The FTC also alleged that the “ZoomOpener” web server, which was rolled out in 2018 and launched Zoom meetings, bypassed an Apple Safari security protocol designed to protect users from a certain kind of malware, thereby compromising the security of the user’s network. The agency further alleged that the Zoom software remained on the user’s network even after the app was deleted, potentially opening the door to remote surveillance by strangers.
Under the settlement, Zoom personnel will be required to review software updates for security vulnerabilities, including making sure updates do not impede third-party security features, and the company is prohibited from misrepresenting privacy and security practices to users. The company will also be required to allow a third party to conduct biennial assessments of its security program.
“During the pandemic, practically everyone — families, schools, social groups, businesses — is using videoconferencing to communicate, making the security of these platforms more critical than ever,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a statement on Monday. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
Zoom has been under pressure to address new security issues raised by the spike in usage of the videoconferencing platform during the COVID-19 pandemic, with the company seeing an increase in average daily participants from 10 million in December to 300 million in April.
“Zoom-bombing” quickly became a problem, with malicious actors accessing meetings and disrupting them, including through the use of pornographic or racist images and messages. Meetings struck by the offensive content include K-12 classes.
Smith said during a press call Monday that the settlement is not only meant to ensure that Zoom ramps up its protocols, but also serves as a “message to all companies that they need to live up to their privacy and security promises.”
Zoom has taken a number of steps to address the concerns, including rolling out Zoom 5.0 in April, which enabled meeting passwords by default, restricted screen-sharing during meetings, and enhanced encryption features. The company also took steps to stop sharing data with Facebook in March.
A spokesperson told The Hill on Monday that “the security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs.”
“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC,” the spokesperson added. “Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”
The FTC approved the settlement along party lines, with Democratic FTC Commissioners Rohit Chopra and Rebecca Kelly Slaughter dissenting.
Slaughter wrote in a dissenting opinion that “when Zoom’s user base rapidly expanded, its failure to prioritize privacy and security suddenly posed a much more serious risk in terms of scope and scale.”
“This proposed settlement, however, requires Zoom only to establish procedures designed to protect user security and fails to impose any requirements directly protecting user privacy,” Slaughter wrote. “For a company offering services such as Zoom’s, users must be able to trust that the company is committed to ensuring security and privacy alike.”
Chopra had similar concerns, writing in a separate dissenting opinion that “Zoom’s alleged security failures warrant serious action. But the FTC’s proposed settlement includes no help for affected parties, no money, and no other meaningful accountability.”
Zoom previously agreed to a settlement with New York Attorney General Letitia James (D) in May, with the company agreeing to implement a data security program and conduct risk assessment reviews to check for software vulnerabilities, among other steps.