Zoom has lied to users about end-to-end encryption for years, says FTC




Image caption: Zoom founder and CEO Eric Yuan speaks ahead of the Nasdaq opening ceremony on April 18, 2019 in New York City as the company announced its IPO.

Zoom has agreed to upgrade its security practices as part of a tentative deal with the Federal Trade Commission, which alleges Zoom has lied to users for years by claiming it offers end-to-end encryption.

“[S]ince at least 2016, Zoom has misled users by touting that it offers ‘end-to-end 256-bit encryption’ to secure user communications, when in fact it offers a lower level of security,” the FTC said in today’s announcement of its complaint against Zoom and the tentative settlement. Despite promising end-to-end encryption, the FTC said that “Zoom has retained the cryptographic keys that would allow Zoom to access the content of its clients’ meetings and has secured its Zoom meetings, in part, with a level of encryption lower than promised.”

The FTC complaint states that Zoom claimed to offer end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guides, which were intended for healthcare users of the video conferencing service. Zoom also claimed it offers end-to-end encryption in a January 2019 whitepaper, in an April 2017 blog post and in direct response to inquiries from customers and prospects, according to the complaint.

“In fact, Zoom did not provide any end-to-end encryption for any Zoom meetings that were conducted outside of Zoom’s ‘Connect’ product (which are hosted on a customer’s own servers) because Zoom’s servers – including some located in China – maintain cryptographic keys that would allow Zoom to access the content of its clients’ Zoom meetings,” says the FTC complaint.

According to the FTC announcement, Zoom also “misled some users who wanted to store recorded meetings on the company’s cloud storage by incorrectly claiming that those meetings were encrypted immediately after the meeting ended. As a result, some recordings were stored unencrypted on Zoom’s servers for up to 60 days before being transferred to its secure cloud storage.”

To resolve the allegations, “Zoom has agreed to a requirement to establish and implement a comprehensive security program, a ban on false privacy and security statements, and other detailed and specific measures to protect its user base, which rose from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic,” the FTC said. (The figure of 300 million is the number of daily Zoom meeting participants.)

No compensation for affected users

The settlement is supported by the Republican majority on the FTC, but the Democrats on the commission opposed it because the deal does not provide compensation for users.

“Today the Federal Trade Commission voted to propose a settlement with Zoom that follows an unfortunate FTC formula,” said Democratic FTC Commissioner Rohit Chopra. “The settlement does not help affected users. It does nothing for small businesses that have relied on Zoom’s data protection claims. And it does not force Zoom to pay a dime. The Commission must change course.”

Under the settlement, “Zoom is under no obligation to offer redress, reimbursement or even notice to its clients that the material claims regarding the security of its services were false,” Democratic Commissioner Rebecca Kelly Slaughter said. “This failure of the proposed settlement is doing Zoom’s customers a disservice and significantly limits the deterrent value of the case.” Although the settlement imposes security obligations, Slaughter said it does not include any requirements that directly protect user privacy.

Zoom separately faces lawsuits from investors and consumers that could potentially lead to financial settlements.

The Zoom/FTC settlement doesn’t actually mandate end-to-end encryption, but Zoom announced last month that it is deploying end-to-end encryption in a technical preview to get user feedback. The settlement requires Zoom to implement measures “(a) requiring users to secure their accounts with strong and unique passwords; (b) using automated tools to identify non-human login attempts; (c) rate limiting login attempts to minimize the risk of a brute force attack; and (d) implementing password resets for known compromised credentials.”
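To make the account-protection measures in the settlement concrete, here is an added illustration of how items (a), (c) and (d) fit together in a login path. It is not Zoom’s code and is not part of the original article; the `LoginGuard` class, the `breach_range` lookup and the in-memory breach corpus are constructed for this example. The compromised-credential check mirrors the hash-prefix (k-anonymity) style of lookup used by breached-password services, so the full password hash never leaves the caller.

```python
"""Login hardening: strong-password policy, sliding-window rate limiting of
login attempts, and forced resets for credentials known to be compromised.
Constructed example with an in-memory user store (not production code)."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MIN_PASSWORD_LENGTH = 12
MAX_FAILURES = 5          # failed attempts tolerated per key within the window
WINDOW_SECONDS = 300      # sliding window for rate limiting

# Constructed "breach corpus": SHA-1 hashes of a few well-known weak passwords.
# A real deployment would query a breached-password service by hash prefix.
_COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Password123!")
}


def mark_compromised(password):
    """Simulate a password later appearing in a breach dump."""
    _COMPROMISED_SHA1.add(hashlib.sha1(password.encode()).hexdigest().upper())


def breach_range(prefix5):
    """Return the hash suffixes in the corpus that share a 5-hex-char prefix.
    This is the k-anonymity range query: the caller sends only the prefix."""
    return {h[5:] for h in _COMPROMISED_SHA1 if h.startswith(prefix5)}


def is_compromised(password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breach_range(digest[:5])


def password_is_strong(password):
    return len(password) >= MIN_PASSWORD_LENGTH and not is_compromised(password)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived_key)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable for deterministic tests
        self.users = {}                      # username -> (salt, derived_key)
        self.failures = defaultdict(deque)   # throttle key -> failure timestamps

    def register(self, username, password):
        if not password_is_strong(password):
            raise ValueError("password too short or known to be compromised")
        self.users[username] = hash_password(password)

    def _recent_failures(self, key):
        """Drop failures older than the window and return the remaining ones."""
        now = self.clock()
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def _record_failure(self, *keys):
        now = self.clock()
        for k in keys:
            self._recent_failures(k).append(now)

    def login(self, username, password, client_ip):
        """Return 'rate_limited', 'invalid', 'reset_required' or 'ok'."""
        keys = (f"user:{username}", f"ip:{client_ip}")
        # Throttle per account and per source address before touching the store,
        # so a brute-force run is cut off whichever dimension it spreads across.
        if any(len(self._recent_failures(k)) >= MAX_FAILURES for k in keys):
            return "rate_limited"
        record = self.users.get(username)
        if record is None:
            self._record_failure(*keys)
            return "invalid"
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)[1]):
            self._record_failure(*keys)
            return "invalid"
        # Correct password, but if it has since shown up in a breach, the user
        # must reset it before the session is granted.
        if is_compromised(password):
            return "reset_required"
        self.failures.pop(f"user:{username}", None)   # clear the account counter
        return "ok"
```

The order of checks matters: the rate limit is evaluated before the password hash is computed, so a throttled client costs the server nothing, and the compromised-credential check runs only after a correct password, which avoids leaking breach status for accounts the caller does not control.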

FTC calls ZoomOpener unfair and misleading

The FTC complaint and settlement also cover Zoom’s controversial deployment of the ZoomOpener web server, which bypassed Apple security protections on Mac computers. Zoom “secretly installed” the software as part of a Zoom for Mac update in July 2018, the FTC said.

“The ZoomOpener web server allowed Zoom to automatically launch and join a user in a meeting by bypassing Apple Safari browser protection that protected users from a common type of malware,” the FTC said. “Without the ZoomOpener web server, the Safari browser would have provided users with a warning box, before launching the Zoom application, which asked users if they wanted to launch the application.”

The software “increased the risk of remote video surveillance of users by strangers” and “remained on users’ computers even after removing the Zoom application, and would automatically reinstall the Zoom application – without any user action – under certain circumstances,” the FTC said. The FTC alleged that Zoom’s deployment of the software without adequate notice or user consent violated U.S. law prohibiting unfair and deceptive business practices.

Amid the controversy in July 2019, Zoom released an update to completely remove the web server from its Mac app, as we reported at the time.

Zoom agrees to security oversight

The proposed settlement is subject to public comment for 30 days, after which the FTC will vote on whether to make it final. The 30-day comment period will begin after the settlement is published in the Federal Register. The FTC case and related documents can be viewed on the FTC’s website.

The FTC announcement indicates that Zoom has agreed to take the following actions:

  • Assess and document annually any potential internal and external security risk and develop means of guarding against these risks;
  • Implement a vulnerability management program; and
  • Deploy protective measures such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.

The data deletion portion of the settlement requires that all copies of data identified for deletion be deleted within 31 days.

Zoom will be required to notify the FTC of any data breach and will be prohibited “from making false statements about its privacy and security practices, including how it collects, uses, maintains or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information,” the FTC announcement said.

Zoom will need to review all software updates for security vulnerabilities and ensure that updates do not interfere with third-party security features. The company will also have to have its security program evaluated by third parties once the settlement is finalized and once every two years thereafter. This requirement lasts 20 years.

Zoom has issued the following statement regarding today’s settlement:

The security of our users is a top priority for Zoom. We take the trust our users place in us every day seriously, especially as they rely on us to keep them connected during this unprecedented global crisis, and we are continually improving our security and privacy programs. We are proud of the progress we have made to our platform and have already addressed the issues identified by the FTC. Today’s resolution with the FTC is in line with our commitment to innovate and improve our product while providing a secure video communication experience.
