The Federal Trade Commission (“FTC”) conducted an investigation into Zoom Video Communications, Inc.’s (“Zoom”) privacy and security practices and announced a settlement agreement on November 9, 2020. As part of the agreement, Zoom agreed to establish and implement a comprehensive security program and accepted a prohibition on privacy and security misrepresentations.
Zoom’s popularity as a platform increased significantly as a result of the pandemic. The FTC stated that the company’s traffic went from 10 million users per day in December 2019 to 300 million daily in April 2020 at its peak.
The FTC alleged that Zoom’s claim that its video calls were protected by end-to-end encryption amounted to “deceptive and unfair practices that undermined the security of its users.” On its website and in its security white paper, Zoom represented that meetings that used computer audio were secured with end-to-end encryption. However, The Intercept reported that the encryption that Zoom uses to protect meetings was actually transport encryption, which allowed the Zoom service itself to access the unencrypted video and audio content of Zoom meetings. In the complaint, the FTC claimed that Zoom’s security practices were lacking, including for some data located on servers in China.
Further, while Zoom claimed that meeting data was being safeguarded in secure cloud storage, the FTC found that recorded meetings were being kept unencrypted on Zoom servers for up to 60 days before being transferred. The FTC also found that Zoom’s meeting launcher left consumers vulnerable to video surveillance.
The commission itself is divided along partisan lines on the strength of this settlement. FTC Democratic Commissioner Rohit Chopra issued a dissenting statement that said, “The settlement provides no help for affected users. It does nothing for small businesses that relied on Zoom’s data protection claims. And it does not require Zoom to pay a dime. The Commission must change course.” Similarly, Democratic Commissioner Rebecca Kelly Slaughter weighed in on the inadequacy of the settlement. She said that “Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false.”
In terms of actual course correction, back in May, Zoom announced the acquisition of Keybase, which it believed would help Zoom build end-to-end encryption at scale. Zoom will also be required to delete all copies of data identified for deletion within 31 days. The comprehensive security program Zoom is required to develop and maintain will include a review for security risks in all software updates and third-party assessments of its security program every two years for 20 years.
Zoom issued a public response to the FTC settlement that characterized the agreement as part of a larger “commitment to innovating and enhancing” its product to “deliver a secure video communications experience.”