Consumer Protection/FTC Advisory: Three Key Takeaways from the FTC’s Settlement with Zoom | Alston & Bird
November 20, 2020
With this year’s sudden, exponential increase in the use of Zoom came concerns, then allegations, of poor security – and not just Zoombombing. Our Consumer Protection/FTC Team investigates the Federal Trade Commission’s complaint and eventual settlement with Zoom and outlines three takeaways for the direction of FTC enforcement.
- FTC complaint alleged Zoom made deceptive claims about its poor security
- The consent order and the two dissenting commissioners’ statements
- 3 takeaways for companies to consider
The Federal Trade Commission (FTC) recently announced a settlement with Zoom Video Communications Inc., the company that provides the well-known video conferencing platform Zoom, to settle allegations that the company engaged in a series of deceptive and unfair practices that undermined the security of its users. The vote to approve the settlement was a 3–2 split along party lines, with the three Republicans voting in favor of the settlement and the two Democrats voting against.
The complaint alleges that Zoom made deceptive representations about its encryption practices since at least 2016. Zoom claimed in blog posts, in the Zoom app, on the Zoom website, and in other Zoom documentation that it uses “end-to-end” encryption and repeated these claims to customers who asked questions about Zoom’s security practices. However, Zoom acknowledged in April 2020 that its services were generally incapable of end-to-end encryption. Zoom also claimed to use 256-bit encryption but, according to the complaint, used weaker 128-bit encryption. The complaint also alleged that although Zoom claimed to store recordings of meetings in Zoom’s cloud storage in an encrypted format, it actually stored them in an unencrypted format for 60 days on Zoom’s servers before transferring them to the cloud to be stored in an encrypted format.
According to the FTC, Zoom also unfairly circumvented third-party privacy and security safeguards and deceptively failed to disclose that a July 2018 update would install a locally hosted web server (called “ZoomOpener”). More specifically, Zoom updated its Mac application in a way that allowed Zoom to directly launch a Zoom meeting when a Safari user clicked a link, without the user receiving the typically required additional prompt to either allow or cancel the launch. Users could therefore inadvertently click a link that opened a Zoom meeting without their permission, which would in turn activate the user’s webcam without their knowledge. Furthermore, according to the FTC, ZoomOpener installed software updates without properly validating that the updates were downloaded from a trusted source, putting some users at risk of remote code execution attacks or local denial of service attacks. ZoomOpener would also remain on a user’s system even if a user uninstalled the Zoom application using standard instructions and would automatically reinstall the application if the user later…