Zoom got a stern dressing-down yesterday (Nov. 9) by the U.S. government, which said the company must implement new procedures to settle allegations by the Federal Trade Commission that the video-conferencing platform lied about its security and installed software on customers' Macs without their permission.
Zoom "engaged in a series of deceptive and unfair practices that undermined the security of its users," the FTC's official declaration said. "Zoom misled users by touting that it offered 'end-to-end, 256-bit encryption' to secure users' communications, when in fact it provided a lower level of security."
Zoom will be required to review its own security every year, have an external party conduct a review every other year, create a vulnerability-management program, show that it properly deletes old customer data, and add multi-factor authentication as a customer option.
"Zoom is also prohibited from making misrepresentations about its privacy and security practices," the FTC said.
Customers won't immediately see anything different about Zoom. Some of the FTC's must-do's, including Zoom's two-factor authentication (2FA), have already been put into place, and most of the other mandated changes will be going on behind the scenes.
Serious charges against Zoom
The allegations are serious and largely undisputed. Zoom boasted that it used "end-to-end encryption" when it really didn't, and it finally copped to the charge in March.
In 2018, Zoom secretly installed a web server on Macs that let websites spy on users and re-installed the Zoom meeting software even after the user had deleted the program. And it told customers that recorded meetings stored on Zoom servers would immediately be encrypted, which wasn't always true.
"In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services," the FTC press release said. "In reality ... Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers' meetings."
'No recourse for paying customers'
But Zoom won't be paying any fines, which rankled the two Democratic commissioners on the FTC's five-member board, especially since Zoom has benefited enormously from the coronavirus pandemic. All the FTC's complaints date from before the pandemic started.
"Years before the global pandemic ... the company made decisions that threatened the security and privacy of its longstanding core business customers," Commissioner Rebecca Kelly Slaughter wrote in a dissent. "Yet the Commission's proposed settlement provides no recourse for these paying customers."
"Zoom's approach to user privacy was fundamentally reactive rather than proactive," she added. The settlement "fails to impose any requirements directly protecting user privacy. ... The reason customers care about security measures in products like Zoom is that they value their privacy."
The settlement "includes no help for affected parties, no money, and no other meaningful accountability," said Commissioner Rohit Chopra in his own dissent. "It does nothing for small businesses that relied on Zoom's data-protection claims. And it does not require Zoom to pay a dime."
"The allegations in the FTC's complaint raise questions whether Zoom’s success — and the tens of billions of dollars of wealth created for its shareholders and executives in a short period of time — was advanced through fair play," Chopra added. "We should all be questioning whether Zoom and other tech titans expanded their empires through deception."
Since the pandemic hit the U.S. in March and Zoom's usage (and share price) skyrocketed, the company has made numerous high-profile security hires, fixed the end-to-end encryption problem and added 2FA as an option.
The FTC's job is to make sure companies don't lie or overly exaggerate in their marketing, statements or practices. It doesn't have the power to make companies go beyond what they've already claimed they can do.