Zoom Reaches Settlement with FTC Over Misleading Security Practices

The use of Zoom videoconferencing skyrocketed amid the COVID-19 crisis, which spotlighted several security risks and concerns. The FTC settlement resolves allegations of misleading security practices.

The Federal Trade Commission reached a settlement with Zoom to resolve allegations that the company engaged in misleading security practices. The use of the videoconferencing platform skyrocketed during the pandemic, particularly in the healthcare and education sectors, which spotlighted its security risks. 

The settlement requires Zoom to establish and implement a comprehensive security program and prohibits the vendor from misrepresenting its privacy and security, as well as other “detailed and specific relief to protect its user base.” 

“The Commission’s complaint alleges that Zoom made misrepresentations regarding the strength of its security features and implemented a software update that circumvented a browser security feature,” according to the FTC majority statement. “The proposed order provides immediate and important relief to consumers, addressing this conduct.” 

“The order requires that Zoom establish and implement a comprehensive security program that includes detailed and specific security measures,” they continued. “This order will enable the Commission to seek significant penalties for noncompliance. This settlement provides critical, and timely, relief.” 

Use of Zoom also shifted markedly across other sectors during the crisis, including education. Further, Zoom hosts a healthcare-specific platform that the Office for Civil Rights listed as acceptable for telehealth use during the crisis.

However, the pandemic also marked a spike in targeted attacks against the platform, designed to install malware. Researchers, including Check Point, also observed a substantial number of domain registrations that included “Zoom” in the name in the first three months of the year. 

These attacks prompted further research, which found serious vulnerabilities in the Zoom platform that would allow an attacker to identify and join Zoom meetings, a practice later dubbed “Zoombombing.”

The platform addressed those concerns, but researchers continued to find privacy risks, including automatically sharing data with Facebook, storing some recordings unencrypted for up to 60 days, and purporting to use end-to-end encryption while failing to do so across all platforms.

In response, Sen. Richard Blumenthal, D-Connecticut, launched an investigation into Zoom’s security practices, while the company established a CISO Advisory Board and halted feature development to bolster its privacy and security practices. The vendor settled with New York over similar allegations in May.

The FTC settlement is designed to remediate these concerns and strengthen Zoom’s security posture. According to the required provisions, Zoom must designate a qualified employee or employees to be responsible for the new privacy and security program. 

The privacy and security features must include safeguards for controlling internal and external risks, previously identified through a risk assessment and based on the volume and sensitivity of user information. 

Zoom must also implement a security review of all new meeting services and software updates, including policies, procedures, and applicable technical measures, as well as remediation processes for vulnerabilities.

The policies and procedures must also include technical measures for determining whether any software update circumvents or bypasses a third-party security feature, since doing so could inadvertently reduce the protection of user information and increase the risk of unauthorized access.

The FTC also added the requirement that Zoom not implement any new meeting services that bypass security features, as doing so would increase the risk to user information.

Zoom must also implement a vulnerability management program, complete with vulnerability scans of all networks and systems, applicable technical measures to remediate security gaps, randomized naming conventions for recorded meetings stored on users’ local devices, and data deletion policies, along with a host of other security elements.

Further, Zoom is prohibited from misrepresenting its security features, including third-party features, and how protected information is collected, maintained, used, deleted, or disclosed. 

The vendor is also barred from misrepresenting its data protections, user privacy and security controls, categories to which third parties can access user information, and how it maintains the privacy and security of user data. 

The FTC settlement also requires Zoom to be assessed by an independent cybersecurity firm to ensure the vendor is in compliance and that the security program is successfully remediating risks. The agreement and monitoring will last for five years.

“We feel it is important to put in place measures to protect those users’ privacy and security now, rather than expend scarce staff resources on speculative, potential relief that a Court would not likely grant, given the facts here,” according to the majority statement. “Our goal is a safe and secure Zoom... This case reflects the Commission’s ongoing commitment to work on behalf of consumers to respond to the panoply of new challenges presented by COVID-19.”