First, the FTC found that despite claiming to support end-to-end encrypted (E2EE) calls, Zoom didn’t support E2EE calls in the accepted sense of the term.
In an E2EE call, the cryptographic key used to encrypt the call is generated for that call and held only on the two participants’ devices.
But the FTC says that Zoom also kept a copy of the key for itself, allowing it to intercept the communications of any of its customers.
Second, the FTC also found that Zoom didn’t encrypt some recorded calls as it had claimed. Instead, recorded calls were kept unencrypted on Zoom’s servers for up to 60 days before being encrypted and transferred to a secure server, during which time Zoom and other parties could access their content.
More From the FTC:
As part of the proposed comprehensive information security program, Zoom must take specific measures aimed at addressing the problems identified in the complaint. For example, it must:
- assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
- implement a vulnerability management program; and
- deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.
In addition, Zoom personnel will be required to review any software updates for security flaws and must ensure the updates will not hamper third-party security features.
Under the proposed settlement, Zoom is also prohibited from making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information.
Finally, the company must obtain biennial assessments of its security program by an independent third party, which the FTC has authority to approve, and notify the Commission if it experiences a data breach.