Zoom to make video calls more secure after FTC accuses it of deceptive security claims
The Federal Trade Commission (FTC) has accused Zoom of deceptive and unfair practices, including claiming that its video call encryption was stronger than it actually was.
Zoom has decided to ‘settle’ with the Federal Trade Commission (FTC) and will be upping security measures on its video calls after being accused of engaging in “a series of deceptive and unfair practices that undermined the security of its users” by claiming that its encryption was stronger than it actually was.
Zoom had claimed in the past that its video calls were protected by end-to-end encryption that scrambled calls, making it “near-impossible” for anyone, even Zoom, to listen in. The FTC has alleged that those claims are false.
“In reality, the FTC alleges, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised,” said the FTC in a statement.
“Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information,” the statement added.
The FTC complaint also alleges that Zoom secretly installed software called ZoomOpener, which allowed computers to launch the app without permission from the user. This in turn “increased users' risk of remote video surveillance by strangers,” the FTC alleged.
“The ZoomOpener web server allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware. Without the ZoomOpener web server, the Safari browser would have provided users with a warning box, prior to launching the Zoom app, that asked users if they wanted to launch the app,” FTC explained in the statement.
The FTC called this move “unfair” and said that it “violated the FTC Act”. Zoom pushed out an update which removed the web server, but Apple intervened as well to remove the vulnerable component from its customers’ computers.
The FTC also alleged that Zoom “stored some meeting recordings unencrypted on its servers for up to two months.”
In its statement, the FTC has prohibited Zoom from misrepresenting its security and privacy practices going forward, and Zoom has agreed to start a vulnerability management program and implement stronger security across its internal network.
Zoom spokesperson Colleen Rodriguez said in a statement sent out by the company’s external crisis communications firm Sard Verbinnen that Zoom had “already addressed the issues identified by the FTC”.
According to CNET, Zoom has not admitted nor denied the allegations in the settlement, but has agreed to implement a new mandated information security program within 60 days.
As per the ‘settlement’, Zoom must use more secure safeguards like “multi-factor authentication and data deletion, document potential risks annually and ways to mitigate those risks, and implement a vulnerability management program”.
Zoom has also agreed not to make misrepresentations about privacy, security and data usage, and independent security audits will be required every other year.
Responding to this, Zoom has said security is a “top priority” and that it had already begun implementing a number of the recommendations.
"We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis. Today's resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience,” a Zoom spokesperson told CNET in an emailed statement.