Zoom has decided to ‘settle’ with the Federal Trade Commission (FTC) and will be upping security measures on its video calls after being accused of engaging in “a series of deceptive and unfair practices that undermined the security of its users” by claiming that its encryption was stronger than it actually was.
Zoom had claimed in the past that its video calls were protected by end-to-end encryption and that this scrambled calls, making it “near-impossible” for anyone, even Zoom, to listen in. The FTC has alleged that those claims are false.
“In reality, the FTC alleges, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised,” said the FTC in a statement.
“Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information,” the statement added.
The FTC complaint also alleges that Zoom secretly installed software called ZoomOpener, which allowed computers to launch the app without permission from the user. This in turn “increased users’ risk of remote video surveillance by strangers,” the FTC alleged.
“The ZoomOpener web server allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware. Without the ZoomOpener web server, the Safari browser would have provided users with a warning box, prior to launching the Zoom app, that asked users if they wanted to launch the app,” the FTC explained in the statement.
The FTC called this move “unfair” and said that it “violated the FTC Act”. Zoom pushed out an update which removed the web server, but Apple intervened as well to remove the vulnerable component from its customers’ computers.
The FTC also alleged that Zoom “stored some meeting recordings unencrypted on its servers for up to two months”.
In its statement, the FTC has prohibited Zoom from misrepresenting its security and privacy practices going forward, and Zoom has agreed to start a vulnerability management program and implement stronger security across its internal network.
Zoom spokesperson Colleen Rodriguez said in a statement sent out by the company’s external crisis communications firm Sard Verbinnen that Zoom had “already addressed the issues identified by the FTC”.
According to CNET, Zoom has neither admitted nor denied the allegations in the settlement, but has agreed to implement a new mandated information security program within 60 days.
As per the ‘settlement’, Zoom must use more secure safeguards like “multi-factor authentication and data deletion, document potential risks annually and ways to mitigate those risks, and implement a vulnerability management program”.
Zoom has also agreed not to make misrepresentations about privacy, security and data usage, and independent security audits will be required every other year.
Responding to this, Zoom has said security is “top priority,” and that it had already begun implementing a number of the recommendations.
“We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience,” a Zoom spokesperson told CNET in an emailed statement.