The Federal Trade Commission has announced a settlement with Zoom, after it accused the video calling giant of engaging in “a series of deceptive and unfair practices that undermined the security of its users,” in part by claiming the encryption was stronger than it actually was.
Cast your mind back to earlier this year, at the height of the pandemic lockdown, which forced millions to work from home and rely on Zoom for work meetings and remote learning. At the time, Zoom claimed video calls were protected by “end-to-end” encryption, a way of scrambling calls that makes it near-impossible for anyone — even Zoom — to listen in.
But those claims were false.
“In reality, the FTC alleges, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised,” said the FTC in a statement Monday. “Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information.”
Zoom quickly admitted it was wrong, prompting the company to launch a 90-day turnaround effort, which included the rollout of end-to-end encryption to its users. That eventually arrived months later in late October — but not without another backtrack after Zoom initially said free users could not use end-to-end encryption.
The FTC also alleged in its complaint that Zoom stored some meeting recordings unencrypted on its servers for up to two months, and compromised the security of its users by covertly installing a web server on its users’ computers in order for users to jump into meetings faster. This, the FTC said, “was unfair and violated the FTC Act.” Zoom pushed out an update which removed the web server, but Apple also intervened to remove the vulnerable component from its customers’ computers.
In its statement, the FTC said it has prohibited Zoom from misrepresenting its security and privacy practices going forward, and that Zoom has agreed to start a vulnerability management program and implement stronger security across its internal network.
Zoom did not immediately respond to a request for comment.