How secure is that Zoom call?
According to a settlement announced by the Federal Trade Commission this week with Zoom Video Communications, the company will have to fix flaws in its platform which gave consumers a “false sense of security.”
The settlement came after an FTC investigation which found the video conferencing provider engaged in a series of “deceptive and unfair practices that undermined the security of its users,” reports Reuters.
Some critics, including one dissenting member of the FTC board, believe Zoom needs to go further.
FTC Commissioner Rebecca Kelly Slaughter said the settlement, which includes financial penalties, “does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case.”
It “reflects a failure by the majority to understand that the reason customers care about security measures in products like Zoom is that they value their privacy,” said Slaughter.
Under the settlement, Zoom will be required to “implement a robust information security program” to address flaws in its encryption standards.
The FTC said Zoom’s promotion of “end to end encryption,” which ensures that only the members communicating on the call, and not anyone in the company, could have access to information, was misleading.
“Zoom maintained the cryptographic keys that could allow [them] to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised,” the FTC said.
In fact, according to Vice, some recorded meetings were stored for two months unencrypted, leaving them vulnerable to a security breach. With the coronavirus forcing most events to be held virtually, this has put healthcare meetings, counseling sessions and even jury trials or prisoner visitation at risk.
“Zoom’s misleading claims gave users a false sense of security,” said the FTC. “Especially for those who used the company’s platform to discuss sensitive topics such as health and financial information.”
Zoom’s meeting participants have increased from 10 million in December 2019 to 300 million in April 2020, a reflection of how the platform has emerged as a dominant form of communication during the coronavirus pandemic.
Everything from school classes to corporate meetings and family gatherings has been held on Zoom. Even trials in court and family visitation in jails and prisons have been held over Zoom, making the need for security that much more important.
But fears about security, including sabotage and hacking which came to be known as “Zoom bombing,” emerged as the platform’s popularity grew.
The company claims the steps imposed by the FTC settlement, including establishment of a “vulnerability management” program, have already been accomplished.
According to Vice, the FTC investigation wasn’t the first time Zoom had been scrutinized. There was also an “FBI warning, letters from several senators, inquiries by numerous attorneys general and a class action lawsuit.”
Zoom is no stranger to cybercrime. With more users comes more possibility for cybercrime. In March, there were over 3,300 domains with the word Zoom in them, at least 2,000 of which were identified as phishing campaigns, according to Forbes.
The settlement adds to a long list of preventative measures issued to keep users safe on Zoom, whether by protecting against ‘zoombombers,’ hackers, possible malware or in this case a security breach.
Zoom continues to maintain that it has been working to reform its security.
Their settlement with the FTC enforces their “commitment to innovating and enhancing [their] product as [they] deliver a secure video communications experience,” Vice reported.
Those who dissented in the 3-2 vote against Zoom claimed the settlement reached no conclusion for those affected by the lack of security.
Zoom will face a fine of $43,280 for every future violation of the agreement, yet it isn’t required to give notice or monetary justice to those who were affected by the lack of security.
Even though Zoom admitted to not enforcing end-to-end encryption in April 2020, the FTC settlement will allow the company to continue to use the encryption technology, while keeping it accountable for further security breaches.
The most recent blog post from the Zoom website shows new privacy measures for healthcare customers and workers.
Emily Riley is a TCR reporting intern.