In this news item we discuss Zoom's commitment to ramp up security as it enters a settlement with the US FTC.
Zoom has reached an agreement with the Federal Trade Commission in the United States over its “misleading” claims about end-to-end encryption. The FTC alleged in its complaint that Zoom had misled its users with the term “end-to-end encryption,” but in reality the platform was using a lower level of security. As part of the settlement, the FTC asked Zoom to expand its information security program.
Since Zoom’s adoption skyrocketed across the globe, its marketing claims have been scrutinised by regulators around the world. Last March Zoom touted that its platform was secured using “end-to-end encryption,” which the videoconferencing platform said was “in reference to the encrypted connection” from one Zoom endpoint to another Zoom endpoint. It also said this meant that the content could not be decrypted while it remained in the Zoom cloud.
But the FTC’s complaint stated that Zoom itself held the cryptographic keys that could allow it to access the content of customer meetings. Zoom was therefore using the term “end-to-end encryption” to describe a level of security that was in fact lower than genuine end-to-end encryption, in which only the communicating endpoints hold the keys and the service provider in the middle cannot decrypt the content.
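To make the difference concrete, here is an added toy model in Go. It is not Zoom’s protocol and not code from Zoom or the FTC; it only illustrates who holds the key. In the first design the server mints the meeting key and hands it to both endpoints, so the operator can decrypt whatever it relays; in the second the endpoints agree on a key with X25519 and the relay sees only ciphertext it cannot open. The choice of AES-256-GCM, the SHA-256 key derivation and the names alice, bob, ServerManaged and EndToEnd are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Toy model of "who holds the key" (added illustration, not Zoom's protocol):
// endpoints alice and bob exchange one message through a relay server.

// newAEAD wraps a 32-byte key in AES-256-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext and prefixes the random nonce to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or altered data yields an error, not garbage.
func open(key, ciphertext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// ServerManaged: the service mints the meeting key and hands it to both endpoints.
// Each hop is encrypted, but the operator keeps the key and can read the content.
func ServerManaged(msg string) (string, error) {
	meetingKey := make([]byte, 32) // generated and stored by the server
	if _, err := rand.Read(meetingKey); err != nil {
		return "", err
	}
	ct, err := seal(meetingKey, []byte(msg)) // alice -> server, under the server's key
	if err != nil {
		return "", err
	}
	atServer, err := open(meetingKey, ct) // the relay decrypts it; so would bob
	return string(atServer), err
}

// EndToEnd: alice and bob agree on a key with X25519 and only ciphertext crosses the
// relay. Returns what bob recovered and the error the relay gets when it tries.
func EndToEnd(msg string) (peer string, serverErr error, err error) {
	curve := ecdh.X25519()
	alicePriv, errA := curve.GenerateKey(rand.Reader)
	bobPriv, errB := curve.GenerateKey(rand.Reader)
	if err = errors.Join(errA, errB); err != nil {
		return "", nil, err
	}
	// Only public keys cross the relay; each side derives the same secret locally.
	aliceSecret, errA := alicePriv.ECDH(bobPriv.PublicKey())
	bobSecret, errB := bobPriv.ECDH(alicePriv.PublicKey())
	if err = errors.Join(errA, errB); err != nil {
		return "", nil, err
	}
	aliceKey := sha256.Sum256(aliceSecret) // toy KDF; real code would use HKDF
	bobKey := sha256.Sum256(bobSecret)
	ct, err := seal(aliceKey[:], []byte(msg)) // alice -> relay
	if err != nil {
		return "", nil, err
	}
	// The relay never learns the session key; any other key fails GCM authentication.
	_, serverErr = open(make([]byte, 32), ct)
	atBob, err := open(bobKey[:], ct)
	return string(atBob), serverErr, err
}

func main() {
	atServer, err := ServerManaged("meeting audio chunk")
	fmt.Printf("server-managed: server reads %q (err=%v)\n", atServer, err)
	atBob, serverErr, err := EndToEnd("meeting audio chunk")
	fmt.Printf("end-to-end: bob reads %q; relay error: %v (err=%v)\n", atBob, serverErr, err)
}
```

The point of the second function is that the transport can be just as strongly encrypted in both designs; what changes the privacy guarantee is whether the operator can ever produce the session key. A real deployment would also have to authenticate the public keys, otherwise the relay could substitute its own and sit in the middle.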
These claims gave a false sense of security to users who relied on the platform not only for daily chats but to discuss sensitive information. “During the pandemic, virtually everyone – families, schools, social groups, businesses – is using video conferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t live up to its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
The FTC also alleged that Zoom stored recordings of video conferences unencrypted on its servers for up to 60 days, and that the platform compromised the security of its users when, in July 2018, it “secretly” installed and used its ZoomOpener software. ZoomOpener let the Zoom client launch automatically on macOS and bypassed a Safari safeguard that asked users to confirm before an external application was opened. In July 2019, Zoom released a patch to remove the software, and Apple rolled out an update that removed ZoomOpener from macOS devices.
The settlement between Zoom and the FTC involves no monetary penalty, but Zoom commits to raising the security standards of its platform. The FTC noted that Zoom must:
- assess and document annually any potential internal and external security risks and develop means of guarding against these risks;
- implement a vulnerability management program;
- deploy protective measures such as multi-factor authentication to protect against unauthorized access to its network, and institute data deletion controls;
- take steps to prevent the use of known compromised user credentials; and
- ensure that software updates that fix security flaws are reviewed carefully so that they do not hamper third-party security features.
The FTC also requires Zoom to obtain biennial assessments of its security program from an independent third party, which the FTC has the authority to approve, and to notify the Commission if it experiences a data breach.
Zoom had previously stated that its platform was end-to-end encrypted, but in fact content was only encrypted between each client and Zoom’s servers, where Zoom held the keys.
- The FTC said it had struck a deal with Zoom over its “misleading” claims.
- Zoom claimed its platform was E2E encrypted, but its use of the term meant something weaker.
- For now, the FTC has asked Zoom to improve the security standards of its platform.