Zoom Settles Allegations of Misleading Security Practices With the FTC

essidsolutions

Zoom’s security practices simply didn’t line up with its claims, the FTC found in its investigation. The video conferencing major made several misleading claims about its video and audio calling and lied to users about the encryption of calls. The tech titan has reached a settlement with the FTC and agreed to implement a mandated information security program and third-party assessments. Under the new agreement, the company also faces fines of up to $43,280 for future violations.

Just when you thought Zoom had overcome the security headwinds, the video conferencing giant has now reached an agreement over a complaint filed by the Federal Trade Commission (FTC). As per the FTC order, Zoom agreed that it failed to secure customer calls with end-to-end encryption and misled users about it. The FTC order details how users were told that recorded calls were immediately encrypted, which was not the case. Before being moved to secure servers, the recordings remained unencrypted for nearly 60 days.

The complaint alleged that Zoom had misled its users over the adoption of security practices since 2016. A press release by the FTC went on to say that the video conferencing provider “engaged in a series of deceptive and unfair practices that undermined the security of its users.”

Zoom achieves a crucial rite of passage among the tech titans in the valley of silicon: a consent decree with the FTC for deceptive practices and user privacy harms

— David Carroll 🗳 (@profcarroll) November 9, 2020

Of late, Zoom has been given the poster child treatment in the video-as-a-service (VaaS) space. Data from Synergy Research shows that Zoom alone boosted the Q1 market for SaaS conferencing, which hit over $800 million. The report found Zoom’s Q1 market share was almost 10x the size of its nearest competitor.

Beyond the spectacular growth, the video conferencing major has been dogged by security concerns, as evidenced by its 90-day security plan, in which it announced end-to-end encryption (E2EE) for users alongside other security and privacy measures. E2EE was rolled out to customers in October. However, there are still glaring gaps that enable the platform to use end-user data without consent.

Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said, “Zoom’s security practices didn’t line up with its promises.”

For instance, Zoom installed ZoomOpener, a web server, on users’ Mac devices without telling them. ZoomOpener was designed to bypass a built-in macOS protection against malware so that the Zoom client would launch automatically, which could also have compromised users’ security.

FTC Tells Zoom to Fix Glaring Security Holes

First off, as part of the settlement, the FTC has prohibited Zoom “from making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information.”

Second, Zoom must thoroughly review its software updates to ensure they are free of flaws and do not interfere with third-party security functions.

The FTC has also found that Zoom had major security problems and made numerous misrepresentations, and it requires a third-party compliance assessment of Zoom’s platform every two years. The assessment will be performed by an independent third party approved by the FTC.


Finally, Zoom will establish a comprehensive information security program and undertake the following steps:

  • Document and assess security incidents and security risks that could result in the misuse, loss, theft, alteration or destruction of data. Zoom is directed to carry out such assessments annually.
  • Establish a vulnerability management program under which Zoom will conduct vulnerability scans of its networks on a quarterly basis. Zoom will also have to mitigate critical and high severity vulnerabilities as soon as they are discovered, and no later than 30 days after discovery.
  • Carry out security training programs at least annually.
  • Deploy multi-factor authentication (MFA) and other preventive measures to protect against unauthorized access to its network resources, and ensure that leaked or compromised credentials cannot be used to log in to users’ accounts.
  • Establish policies, procedures and technical measures for the other requirements stated in the agreement.

Currently, the agreement is subject to public comment for 30 days. A spokesperson from Zoom told The Verge that the company has already addressed the issues raised in the FTC complaint. The agreement took effect immediately upon its publication on November 9.

Connecticut Senator Richard Blumenthal (D) believes that the agreement is “an abjectly inadequate slap on the wrist for Zoom,” with no real repercussions. He tweeted:

Zoom trampled precious privacy rights & is paying no real price. I’m eager to work with colleagues of both parties & new partners in the Biden Administration to finally pass comprehensive consumer privacy legislation.

— Richard Blumenthal (@SenBlumenthal) November 9, 2020

Lesley Carhart, Principal Industrial Incident Responder and Principal Threat Analyst at Dragos, called for a similar agreement for Facebook. She tweeted:

Next do Facebook!

— Lesley Carhart (@hacks4pancakes) November 10, 2020

It looks like Zoom needs to brace itself for more regulatory scrutiny in the coming months. However, this could also lead to structural changes in its security posture.
