On November 9, 2020, the Federal Trade Commission announced that it had entered into a “Proposed Settlement” with Zoom Video Communications, Inc. (“Zoom”) to clarify allegations that the video conferencing provider had a series of agreements has taken unfair and misleading practices that undermine the security of its user base, which according to the FTC has grown from 10 million users in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.
According to the FTC complaint, since at least 2016, Zoom has misled users by promising to offer “end-to-end 256-bit encryption” to secure users’ Zoom meetings, if indeed a lower level of encryption is provided. The FTC also alleged that Zoom had committed other unfair and misleading practices in violation of FTC law, including managing the cryptographic keys that might allow him to access the content of customer meetings and some meeting recordings unencrypted on his servers for up to two months and without disclosing that a web server has been installed on users’ computers so that they can attend meetings more quickly. The complaint states that Zoom’s misleading claims created a false sense of security for users, especially those who used the platform to discuss sensitive issues such as health and financial information.
As part of the proposed settlement, Zoom agrees to implement a comprehensive security program that includes a number of security measures including:
- Assessment and documentation of potential security risks on an annual basis and development of ways to protect against such risks;
- Implementation of a vulnerability management program;
- Provide security measures such as multi-factor authentication, introduce controls to delete data, and take measures to prevent the use of known compromised user credentials; and
- Checking software updates for security vulnerabilities and ensuring that updates do not interfere with third-party security functions.
Zoom is also prohibited from misrepresenting its privacy and security practices and is required to obtain an independent third party assessment of its security program every two years.
The FTC announced that it will shortly post a description of the consent agreement package in the federal register. The agreement will then be publicly commented on for 30 days.