By: Shelly Mittal
Everyone has had their share of Zoom meetings, webinars, meetups, and happy hours in 2020. Zoom’s user base skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic. The massive increase in popularity of the video conferencing platform also attracted the attention of security researchers, who discovered multiple security vulnerabilities. This discovery eventually led to an investigation by the Federal Trade Commission (FTC).
The FTC is responsible for the enforcement of Section 5 of the FTC Act, which prohibits unfair and deceptive practices in or affecting commerce. Following the media reports, the FTC launched an investigation against Zoom. The FTC’s complaint alleged that Zoom violated section 5 by falsely claiming to offer “end-to-end, 256-bit encryption” to secure user communications, when in fact it provided a lower level of encryption than promised. It did not disclose that, for most versions of its service, Zoom stored encryption keys that would also allow Zoom to decrypt user communications. Besides misleading claims about the end-to-end encryption, the FTC alleged that Zoom misrepresented the encryption status of recorded video calls stored in Zoom’s cloud service. Some recordings were allegedly stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage, which makes the data vulnerable to unauthorized access by a potential security breach.
Zoom’s allegedly false claims gave “users a false sense of security, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information,” the FTC noted. It was further alleged that Zoom compromised the security of some users when it “secretly” installed software called ZoomOpener, which allowed Zoom to launch automatically on macOS and bypass safeguards in Apple’s Safari browser. This exposed Zoom users to potential phishing and remote code execution vulnerabilities.
On November 9, 2020, the FTC announced a settlement with Zoom, requiring the company to establish and implement a comprehensive security program. The company is also “prohibited from making misrepresentations about its privacy and security practices,” including how it collects and uses customers’ personal data as well as “the extent to which users can control the privacy or security of their personal information.” As part of the settlement, Zoom is also required to have an independent third-party assessment of its security every other year and notify the FTC in the event of a data breach.
The settlement ensures that Zoom will make changes to its data security practices and obtain independent assessments of its program for 20 years after entry of the order. The specific compliance program, including the auditing process alone, creates significant technical, financial and administrative burdens for Zoom, as a reprimand. However, the provision of a comprehensive security program alleviates many of the security and privacy concerns for users going forward. Therefore, the proposed order reflects the FTC’s efforts to set tighter standards for security program assessments and impose requirements for managerial oversight. Additionally, the order says that Zoom would face fines of up to $43,280 for each future violation under the agreement. But the question is: does the settlement provide any relief to affected Zoom users? Unfortunately, the answer is no. The proposed settlement does not include any financial penalties for the company’s past practices or restitution for the affected users.
The FTC voted 3-2 to issue the proposed administrative complaint and to accept the consent agreement with Zoom. Two of the five FTC Commissioners heavily opposed the settlement, saying it was a disservice to Zoom customers. FTC Commissioner Rohit Chopra said in a statement, “Federal Trade Commission has voted to propose a settlement with Zoom that follows an unfortunate FTC formula. The settlement provides no help for affected users. It does nothing for small businesses that relied on Zoom’s data protection claims.” The company’s practices harmed consumers’ privacy interests, and a more effective order would require Zoom to address privacy risks (which, though intertwined, are different from data security risks) in its services. Despite the greater specificity in the Zoom order, Commissioner Chopra criticizes this settlement as a “status quo approach” that does not provide for direct notice or relief for Zoom’s customers.
The second dissenting FTC Commissioner, Rebecca Kelly Slaughter, also argued that the consent order should have required Zoom to improve its privacy practices (like Zoom’s inclination to prioritize some features over privacy protections), not merely its security practices, as well as provide recourse for Zoom’s paying customers. As many privacy advocates argue, the settlement feels like a message to Big Tech that they can make false claims about the security and privacy levels offered in their products without facing any real consequences for betraying the trust of their users.
The majority of Commissioners argued that the additional relief sought by dissenting Commissioners Slaughter and Chopra likely would not be approved in court, and it would delay the imposition of the injunctive relief contained in the order. However, we have seen past FTC orders, like Facebook’s, where the FTC imposed a $5 billion penalty and sweeping privacy restrictions for unfair and deceptive behavior, which were eventually upheld by the courts. Considering how the number of Zoom users skyrocketed during the pandemic, the use of the platform for sharing personal information, including health information, and the security claims by Zoom, it was justified for the public to expect, and for the FTC to grant a penalty and some restitution for its users.
Therefore, the settlement order is effective in putting companies on watch for claims about the strength of security protections in their products and services. The order sends the right message that software deployments that weaken or circumvent other security controls on users’ devices will likely receive a tough reception from the FTC. However, the absence of corporate penalties, restitution for affected users, and the lack of focus on privacy practices in the settlement raises concerns about the FTC’s efficacy as the protector of consumer interests. The dissenting opinions by Commissioner Chopra and Slaughter, though, provide hope for better enforcement efforts by the FTC to restore its credibility.