Zoom Gets An FTC Wrist Slap For Misleading Users On Security, Encryption

from the not-really-encrypted dept

In many ways, Zoom is an incredible success story. A relative unknown before the pandemic, the company's userbase exploded from 10 million pre-pandemic to 300 million users worldwide as of last April. One problem: like so many modern tech companies, its security and privacy practices weren't up to snuff. Researchers found that the company's "end-to-end encryption" didn't actually exist. The company also came under fire for features that let employers track employees' attention levels, and for sharing data with Facebook that wasn't revealed in the company's privacy policies.

While the company has taken great strides to improve most of these problems, the company received a bit of a wrist slap by the FTC this week for misleading marketing and "a series of deceptive and unfair practices that undermined the security of its users." A settlement (pdf) and related announcement make it clear that the company repeatedly misled consumers with its marketing, particularly on the issue of end-to-end encryption:

"In reality, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised. Zoom’s misleading claims gave users a false sense of security, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information.

The FTC also criticized Zoom for storing some meeting recordings unencrypted in the cloud for up to two months, despite marketing claims that meetings would be encrypted immediately following session completion. The agency also criticized Zoom for bypassing Safari malware detection when it installed ZoomOpener web server software as part of a Mac desktop application update in July 2018:

"Without the ZoomOpener web server, the Safari browser would have provided users with a warning box, prior to launching the Zoom app, that asked users if they wanted to launch the app. The complaint alleges that Zoom did not implement any offsetting measures to protect users’ security, and increased users’ risk of remote video surveillance by strangers. The software remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app—without any user action—in certain circumstances."

The settlement itself isn't much of one. As part of it, Zoom simply has to "establish and implement a comprehensive security program" and adhere to "a prohibition on privacy and security misrepresentations," stuff the company insists it has already done. The settlement doesn't come with any meaningful financial penalties or consumer compensation of any kind, resulting in some dissenting Democratic Commissioners (like commissioner Rebecca Kelly Slaughter) arguing it wasn't really much of a settlement at all:

"Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false. This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case."

Again, Zoom should be applauded for the fact that the company has taken many concrete steps to improve things sense reports first surfaced that its privacy and security standards weren't up to snuff. But it's not clear that the FTC, arriving late to the party and "requiring" the company do a bunch of things it had already accomplished, really acts as much of a deterrent for the long line of companies that phone in their privacy and security standards. Especially when most of them get far less (if any) attention for similar behavior, in part because the FTC routinely lacks the resources to seriously police privacy at any real scale.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: end-to-end encryption, false advertising, ftc, video conferencing
Companies: zoom


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Anonymous Monkey (profile), 12 Nov 2020 @ 12:32pm

    wrong "sense"

    many concrete steps to improve things sense reports first surfaced

    that should be "since"

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Nov 2020 @ 3:13pm

    it's not clear that the FTC, arriving late to the party and "requiring" the company do a bunch of things it had already accomplished, really acts as much of a deterrent for the long line of companies that phone in their privacy and security standards.

    1) re zoom, it doesn't look like an FTC deterrent was required.
    2) re deterrence in general, if obscenely long sentences for relatively minor crimes doesn't deter people from (eg) stealing bread, why would greater fines work as a deterrent against companies?

    The greater deterrent effect would be public shaming. And social media pretty much has that one in hand, most days.

    link to this | view in chronology ]

  • icon
    crazy_diamond (profile), 12 Nov 2020 @ 10:20pm

    How much ya wanna bet

    1) DHS knew all about the holes in Zoom
    2) Was all about it because even if they couldn't hack Zoom data themselves, LE could intimidate Zoom into giving them whatever they want
    3) We'll never know about any of it due to parallel construction and other government fuckery

    Fines and "penalties" won't do anything against these beasts; if you use them, you're part of the problem.

    link to this | view in chronology ]

    • identicon
      Annonymouse, 13 Nov 2020 @ 5:26am

      Re: How much ya wanna bet

      Rhetorical questions

      How many lawyers zoom calls were compromised?

      Were any of them notified of the issue?

      Of those how many are bringing suit?

      link to this | view in chronology ]

  • icon
    ECA (profile), 13 Nov 2020 @ 1:17am

    Ok.

    link to this | view in chronology ]

    • icon
      ECA (profile), 13 Nov 2020 @ 1:20am

      Re: Ok.

      Lets ask.
      Internet.
      comments/opinions/this and that.
      No protections besides YOU.
      And YOU have no protection of what and where its going????????

      FINE.
      To be able ot display anything and every thing????
      How far do you want your opinion or morals to lead you???

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Nov 2020 @ 1:05pm

    Again, Zoom should be applauded for the fact that the company has taken many concrete steps to improve things sense reports first surfaced that its privacy and security standards weren't up to snuff.

    Sure. I will applaud them for discovering the First Rule of Holes when they were caught lying multiple times. Good on them. :/

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.