By Marivic Cabural Summers, USA HERALD
November 9, 2020
Zoom Video Communication (NASDAQ: ZM) agreed to settle with the Federal Trade Commission (FTC) over allegations about the encryption it uses to secure users’ data on its video conferencing platform.
The stock price of the company suffered a steep decline following the announcement of the settlement. ZM shares were down more than 17% to $413.24 each.
Zoom is among the tech companies that benefitted from the ongoing COVID-19 pandemic, which forced many businesses and other entities to allow their employees/staff to work from home and educational institutions to implement virtual learning.
FTC’s allegations against Zoom
The FTC alleged that Zoom engaged in deceptive and unfair privacy and security practices by claiming that its video conferencing platform is integrated with “end-to-end AES 256 bit encryption” because its users’ privacy and security are its “highest priority.”
End-to-end encryption is a method of securing communications in which third parties cannot read or modify data that is transferred from one device or system to another. The data is encrypted on the sender’s device and only the receiver can decrypt it.
According to the FTC, Zoom lied about the level of its encryption. In reality, the company is allegedly using a “lower level of encryption” to secure meetings on its platform.
The Commission alleged that the company is using AES 128-bit encryption in Electronic Code Book (ECB) mode, contrary to its claim that it is securing users’ data using AES 256-bit encryption.
Zoom gave users a false sense of security, particularly those who are using the company’s platform to discuss sensitive issues including their health and financial information, according to the FTC.
Additionally, the FTC alleged that Zoom put the security of some users at risk by secretly installing software called the ZoomOpener web server as part of a manual update for its Mac desktop app in July 2018.
The software allowed the company to automatically launch and join a user to a meeting by bypassing a safeguard on Apple Inc.’s (NASDAQ: AAPL) Safari browser that prevents a common type of malware.
The FTC alleged that Zoom failed to implement measures to protect users’ security and increased users’ risk of remote video surveillance by strangers.
Terms of the settlement
Under the proposed settlement, Zoom agreed to establish and implement a comprehensive security program to address the FTC’s allegations. The company must do the following:
- Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
- Implement a vulnerability management program; and
- Deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.
Zoom also agreed to the FTC’s order requiring the company’s personnel to review any software updates for security flaws and ensure the updates will not block third-party security features.
The company also agreed that it will no longer make any misrepresentation about its privacy, security features, and practices. It also agreed to retain an independent third party to assess its security program every other year.
In a statement, FTC Bureau of Consumer Protection Director Andrew Smith said, “During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever. Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
Zoom is still facing a class-action lawsuit filed by Consumer Watchdog, which made similar allegations against the company.