Zoom has agreed to a settlement with the Federal Trade Commission (FTC) over misleading security claims.
Zoom quickly established itself at the outset of the pandemic as one of the main methods of communication and remote work. Unfortunately for the company, it also made a number of missteps in regard to security.
In particular, the FTC took Zoom to task for claiming it offered end-to-end encryption from at least 2016, when it offered a much weaker type of security. End-to-end encryption ensures that only the sender and recipient can access the encrypted content. While Zoom claimed to offer this level of encryption, in reality, it held the keys that could allow it to decrypt meetings at will.
In addition, customers who opted to save recordings of their meetings using Zoom’s cloud storage were misled about the level of encryption Zoom provided. The company claimed the recordings were encrypted immediately. Instead, the FTC found that some recordings were left as long as 60 days without being encrypted.
“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
As part of the settlement, Zoom is prohibited from making false and misleading statements, and it must submit to third-party assessments, make sure updates do not interfere with third-party security features, and implement additional safeguards.