Zoom Gets An FTC Wrist Slap For Misleading Users On Security, Encryption

from the not-really-encrypted dept

In many ways, Zoom is an incredible success story. A relative unknown before the pandemic, the company’s userbase exploded from 10 million pre-pandemic to 300 million users worldwide as of last April. One problem: like so many modern tech companies, its security and privacy practices weren’t up to snuff. Researchers found that the company’s “end-to-end encryption” didn’t actually exist. The company also came under fire for features that let employers track employees’ attention levels, and for sharing data with Facebook that wasn’t revealed in the company’s privacy policies.

While the company has taken great strides to improve most of these problems, it received a bit of a wrist slap from the FTC this week for misleading marketing and “a series of deceptive and unfair practices that undermined the security of its users.” A settlement (pdf) and related announcement make it clear that the company repeatedly misled consumers with its marketing, particularly on the issue of end-to-end encryption:

“In reality, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised. Zoom’s misleading claims gave users a false sense of security, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information.”

The FTC also criticized Zoom for storing some meeting recordings unencrypted in the cloud for up to two months, despite marketing claims that meetings would be encrypted immediately following session completion. The agency also criticized Zoom for bypassing Safari malware detection when it installed ZoomOpener web server software as part of a Mac desktop application update in July 2018:

“Without the ZoomOpener web server, the Safari browser would have provided users with a warning box, prior to launching the Zoom app, that asked users if they wanted to launch the app. The complaint alleges that Zoom did not implement any offsetting measures to protect users’ security, and increased users’ risk of remote video surveillance by strangers. The software remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app, without any user action, in certain circumstances.”

The settlement itself isn’t much of one. As part of it, Zoom simply has to “establish and implement a comprehensive security program” and adhere to “a prohibition on privacy and security misrepresentations,” things the company insists it has already done. The settlement doesn’t come with any meaningful financial penalties or consumer compensation of any kind, leading some dissenting Democratic Commissioners (like Commissioner Rebecca Kelly Slaughter) to argue it wasn’t really much of a settlement at all:

“Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false. This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case.”

Again, Zoom should be applauded for the many concrete steps it has taken to improve things since reports first surfaced that its privacy and security standards weren’t up to snuff. But it’s not clear that the FTC, arriving late to the party and “requiring” the company to do a bunch of things it had already accomplished, really acts as much of a deterrent for the long line of companies that phone in their privacy and security standards. Especially when most of them get far less (if any) attention for similar behavior, in part because the FTC routinely lacks the resources to seriously police privacy at any real scale.

Companies: zoom


Comments on “Zoom Gets An FTC Wrist Slap For Misleading Users On Security, Encryption”

Anonymous Coward says:

it’s not clear that the FTC, arriving late to the party and "requiring" the company do a bunch of things it had already accomplished, really acts as much of a deterrent for the long line of companies that phone in their privacy and security standards.

1) re zoom, it doesn’t look like an FTC deterrent was required.
2) re deterrence in general, if obscenely long sentences for relatively minor crimes don’t deter people from (e.g.) stealing bread, why would greater fines work as a deterrent against companies?

The greater deterrent effect would be public shaming. And social media pretty much has that one in hand, most days.

crazy_diamond (profile) says:

How much ya wanna bet

1) DHS knew all about the holes in Zoom
2) Was all about it because even if they couldn’t hack Zoom data themselves, LE could intimidate Zoom into giving them whatever they want
3) We’ll never know about any of it due to parallel construction and other government fuckery

Fines and "penalties" won’t do anything against these beasts; if you use them, you’re part of the problem.
