Zoom settles FTC charges for misleading users about security features

Video conferencing software maker Zoom has reached a deal today with the US Federal Trade Commission to settle accusations that it misled users about some of its security features.

The FTC said that earlier this year, during the height of the COVID-19 pandemic, Zoom had attracted users to its platform with misleading claims that its product supported “end-to-end, 256-bit encryption” and that its service would store recorded calls in an encrypted format.

However, in a complaint [PDF] filed earlier this year, the FTC’s investigators found that Zoom’s claims were deceptive.

First, the FTC found that despite claiming to support end-to-end encrypted (E2EE) calls, Zoom didn’t support E2EE calls in the classic meaning of the word.

E2EE calls rely on establishing a call between two users and saving the cryptographic key used for encrypting the call on those two users’ devices.

But the FTC says that Zoom also kept a copy of the key for itself, as well, allowing it to intercept communications for all its customers.

Second, the FTC also found that some Zoom also didn’t encrypt recorded calls, as it claimed. Instead, recorded calls were kept unencrypted on Zoom’s servers for up to 60 days before being encrypted and transferred to a secure server, during which time Zoom and other parties could access their content.

“Zoom’s misleading claims gave users a false sense of security, […] especially for those who used the company’s platform to discuss sensitive topics such as health and financial information,” the FTC said in a press release today.

“In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services,” the agency added.

In addition, the FTC said it also found that Zoom had also made an error in its software design in 2019, even before the pandemic, when it silently installed a web server on the computers of macOS users.

This web server, which wasn’t disclosed in the Zoom Mac client’s official changelog, acted as a proxy between Safari and the Zoom app to allow Safari users to open the Zoom app without triggering a security alert on their OS.

As it was argued at the time, while the server was benign, it wasn’t a secure design decision and could have been abused by third-party apps or attackers to compromise macOS systems.

Zoom promises to do better

Most of the issues Zoom agreed on today have already been fixed or implemented as part of a three-month marathon, during which Zoom leadership focused on improving the company’s security posture., which also included hiring a Chief Information Security Officer (CISO).

“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC,” a Zoom spokesperson told ZDNet. “Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”

Nonetheless, as part of its settlement with the FTC, Zoom has also promised to:

• assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
• implement a vulnerability management program;
• deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials;
• review any software updates for security flaws and must ensure the updates will not hamper third-party security features;
• not misrepresent privacy and security practices.

The settlement [PDF] didn’t include a fine.