Zoom deceived customers about how secure its video calling app was, the FTC alleges.
Zoom has agreed to implement better security for its video calling platform under a settlement with the US Federal Trade Commission. The company “deceived users” by claiming to have end-to-end 256-bit encryption, the FTC alleged in its complaint.
“In reality, the FTC alleges, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised,” the FTC said.
It also allegedly stored some recorded meetings unencrypted on its servers for up to 60 days.
Zoom’s security issues came to light when working from home became the norm under coronavirus lockdowns and restrictions. According to the FTC, its user base increased from 10 million in December last year to 300 million in April. But with “zoombombings” becoming more frequent, the video meeting company came under pressure to secure users’ connections.
“During the pandemic, practically everyone — families, schools, social groups, businesses — is using videoconferencing to communicate, making the security of these platforms more critical than ever,” Andrew Smith, FTC’s director of Consumer Protection, said in a statement. “This action will help to make sure that Zoom meetings and data about Zoom users are protected.”
The FTC’s complaint also alleged Zoom “secretly installed software” called ZoomOpener, which allowed computers to launch the app without permission from the user. This in turn “increased users’ risk of remote video surveillance by strangers,” it’s alleged.
Zoom didn’t admit or deny the allegations in the settlement, but agreed to implement a new mandated information security program within 60 days. It must also use more secure safeguards like multi-factor authentication and data deletion; document potential risks annually and ways to mitigate those risks; and implement a vulnerability management program. The video-calling company also agreed not to make misrepresentations about privacy, security and data usage. Independent security audits are required every other year.
Zoom said security “is a top priority,” and it had already begun implementing a number of the recommendations.
“We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis,” a Zoom spokesperson told CNET in an emailed statement. “Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”
Credits to Corinne Reichert