FTC Reaches 3-2 Settlement With Zoom Over Encryption, Security

The company addressed the issues, a spokesperson emailed: "We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs.”

The proposed settlement lacks relief for victims, financial penalty and “meaningful accountability,” wrote Chopra: The agency’s “status quo approach to privacy, security, and other data protection law violations is ineffective.” He recommended the agency restate “accepted legal precedent and past Commission experience through an agency rulemaking.” That would create new obligations and trigger monetary relief, he said.

Slaughter criticized the settlement for requiring only that the company “establish procedures designed to protect user security,” while failing to require changes for directly protecting user privacy. She noted the company allegedly made several false statements about its encryption practices, but the proposed order doesn’t require any action to “mitigate the impact of these statements we contend are false.”

The deal ensures the company will “prioritize” consumer privacy and security, said Chairman Joe Simons in a joint statement with Commissioners Noah Phillips and Christine Wilson. They noted Zoom must establish a comprehensive security program, and said penalties for noncompliance are “significant.” There’s no need for litigation because the deal provides “effective relief,” they wrote: “It is important to put in place measures to protect those users’ privacy and security now, rather than expend scarce staff resources on speculative, potential relief that a Court would not likely grant, given the facts.”

The agency obtained “strong, injunctive relief” against Zoom covering security and privacy issues, Consumer Protection Bureau Director Andrew Smith told reporters Monday: It addresses misrepresentations about personal information collection and disclosure, which is under the same authority the agency used to fine Facebook $5 billion. Zoom is now under order and subject to civil penalties for future misrepresentation about handling of personal information, he said. If the agency had litigated the case, it might have secured more relief, but resolution mightn't have come until 2022, he said.

The platform falsely claimed it offered end-to-end encryption, saying it stored meeting recordings in encrypted format immediately after a meeting ended, the FTC alleged. The recordings were kept on unencrypted servers up to two months before transfer to secure encrypted servers, the FTC said. The commission alleged Zoom installed software on Mac desktop computers that circumvented a security feature built into the Safari browser designed to protect users from malware, which left users vulnerable to remote video surveillance.

The FTC investigated the company for more than a year, and expanded the probe in the spring when informed of new allegations, Consumer Protection Bureau attorney Linda Holleran Kopp told journalists. The case partly originated from a complaint filed by the Electronic Privacy Information Center in July 2019 about the Zoom opener web server issue, she said. Smith noted the increased demand for services like Zoom during COVID-19: Zoom users increased from 10 million daily participants in December to 300 million by April.

The FTC complaint noted the company says it hosts servers in China. The location of security keys is relevant to the discussion about encryption, said Kopp: “Some companies and customers will have particular sensitivity if the servers are located in China.”