The Federal Trade Commission (FTC) has announced a settlement with Zoom, Inc. stemming over allegations that the videoconferencing company “engaged in a series of deceptive and unfair practices that undermined the security of its users.”
In its complaint, the FTC alleged that, since at least 2016, Zoom misled users by touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security. End-to-end encryption is a method of securing communications so that only the sender and recipient(s)—and no other person, not even the platform provider—can read the content.”
In reality, the FTC alleged, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.
“Zoom’s misleading claims gave users a false sense of security,” according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information. In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services, the FTC said.
As such, Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.
Indeed, in March at the onset of the pandemic, the Department of Health and Human Services (HHS)’ Office for Civil Rights (OCR) announced it will not impose penalties for noncompliance with HIPAA regulations against providers leveraging telehealth platforms that may not comply with the privacy rule during the COVID-19 pandemic. This change has allowed patients and providers for all types of healthcare to connect over non-public facing video platforms such as Skype, Zoom, and FaceTime throughout the national emergency.
“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
A recent report on Zoom for healthcare from KLAS Research found that with an overall satisfaction score of 80.8 out of 100.0, Zoom rates just slightly below the average of all software solutions KLAS measures. While many clients are satisfied with how quickly they were able to get Zoom up and running, some see it as just a stopgap solution and are ultimately looking for something with more healthcare-specific functionality. The report further concluded that security “is a concern for some,” and “Zoom experienced some issues early with security.”
According to the FTC’s complaint, Zoom also misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.
The FTC also alleged that the company compromised the security of some users when it secretly installed software, called a ZoomOpener web server, as part of a manual update for its Mac desktop application in July 2018. The ZoomOpener web server allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware. The complaint alleges that Zoom did not implement any offsetting measures to protect users’ security, and increased users’ risk of remote video surveillance by strangers.
As part of the proposed comprehensive information security program, Zoom must take specific measures aimed at addressing the problems identified in the complaint. For example, it must:
- assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
- implement a vulnerability management program; and
- deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.
In addition, Zoom personnel will be required to review any software updates for security flaws and must ensure the updates will not hamper third-party security features. Under the proposed settlement, Zoom is also prohibited from making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information, according to FTC.
