Zoom rapped over historic security practices

Videoconferencing provider Zoom will be required to implement further measures to ensure the security of its service, and has been prohibited from making misrepresentations about its privacy and security, in a settlement with the United States Federal Trade Commission (FTC) over historic malpractice.

The FTC said Zoom engaged in a series of “deceptive” and “unfair” practices that undermined the security of its user base, which has grown dramatically during the pandemic. At the tail end of 2019 Zoom booked 10 million daily participants in Zoom meetings, and this had risen to 300 million as of April 2020.

“During the pandemic, practically everyone – families, schools, social groups and businesses – is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.

“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” said Smith.

The FTC’s complaint alleged that Zoom misled users by saying it offered end-to-end, 256-bit encryption, when this was not the case – in reality Zoom maintained the cryptographic keys that could have allowed it to access user-generated content and secured its meetings in part with a lower level of encryption than promised.

The FTC said this created a false sense of security among users, particularly among those who may have used the service to, for example, discuss sensitive business topics, financial matters, or health.

It said Zoom also misled users who wanted to store record meetings using Zoom’s cloud storage by claiming that those meetings were encrypted immediately the session ended, when in fact some recordings were stores unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.

The complaint also alleged that Zoom compromised the security of Mac users by secretly installing its ZoomOpener web server software on their machines during a manual update for its Mac desktop app in 2018. This software allowed it to automatically launch and join users to a meeting by bypassing a safeguard in Apple’s Safari web browser that was designed to protect users from malware by confirming they wanted to proceed with a pop-up warning.

This part of the complaint alleges Zoom did not itself implement any offsetting measures to protect user security, and in doing so may have increased the risk of remote video surveillance by malicious actors.

Furthermore, ZoomOpener remained installed on Mac computers even if the user deleted Zoom itself and could even reinstall Zoom in certain circumstances. The ZoomOpener web server has since been removed by an automatic Apple update that dropped in July 2019, but the FTC believes deploying it in the first place without adequate notice or user consent was unfair and violated the FTC Act.

Zoom will now be made to set-up a comprehensive information security programme and implement specific measures to address the problems named in the FTC’s complaint.

These include to assess and document annually internal and external risks and develop safeguards against them; to implement a vulnerability management programme; to deploy safeguards such as multi-factor authentication, institute data deletion controls, and take steps to prevent the use of known compromised user credentials; and to review any future software updates for security flaws and ensure updates do not break any third-party security measures.

It will also have to submit to biennial assessments of its security programme by an independent third-party auditor, which the FTC has the authority to approve.