Report: Zoom Settles FTC Charges for Misleading Users About Security Features
First, the FTC found that despite claiming to support end-to-end encrypted (E2EE) calls, Zoom didn't support E2EE calls in the usual meaning of the term.
E2EE calls rely on establishing a call between two users and keeping the cryptographic key used to encrypt the call only on those two users' devices.
But the FTC says that Zoom also kept a copy of the key for itself, allowing it to intercept communications for all its customers.
Second, the FTC also found that Zoom didn't encrypt some recorded calls, as it claimed. Instead, recorded calls were kept unencrypted on Zoom's servers for up to 60 days before being encrypted and transferred to a secure server, during which time Zoom and other parties could access their content.
More From the FTC:
As part of the proposed comprehensive information security program, Zoom must take specific measures aimed at addressing the problems identified in the complaint. For example, it must:
- assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
- implement a vulnerability management program; and
- deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.
In addition, Zoom personnel will be required to review any software updates for security flaws and must ensure the updates will not hamper third-party security features.
Under the proposed settlement, Zoom is also prohibited from making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information.
Finally, the company must obtain biennial assessments of its security program by an independent third party, which the FTC has authority to approve, and notify the Commission if it experiences a data breach.
Read the Complete FTC Statement
See Also: Full Text of Proposed Settlement
About Gary Price
Gary Price (email@example.com) is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. He earned his MLIS degree from Wayne State University in Detroit. Price has won several awards including the SLA Innovations in Technology Award and Alumnus of the Year from the Wayne St. University Library and Information Science Program. From 2006-2009 he was Director of Online Information Services at Ask.com. Gary is also the co-founder of infoDJ, an innovation research consultancy supporting corporate product and business model teams with just-in-time fact and insight finding.