Zoom Gets An FTC Wrist Slap For Misleading Users On Security, Encryption
from the not-really-encrypted dept
In many ways, Zoom is an incredible success story. A relative unknown before the pandemic, the company’s userbase exploded from 10 million pre-pandemic to 300 million users worldwide as of last April. One problem: like so many modern tech companies, its security and privacy practices weren’t up to snuff. Researchers found that the company’s “end-to-end encryption” didn’t actually exist. The company also came under fire for features that let employers track employees’ attention levels, and for sharing data with Facebook that wasn’t revealed in the company’s privacy policies.
While the company has taken great strides to improve most of these problems, the company received a bit of a wrist slap by the FTC this week for misleading marketing and “a series of deceptive and unfair practices that undermined the security of its users.” A settlement (pdf) and related announcement make it clear that the company repeatedly misled consumers with its marketing, particularly on the issue of end-to-end encryption:
“In reality, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers? meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised. Zoom?s misleading claims gave users a false sense of security, especially for those who used the company?s platform to discuss sensitive topics such as health and financial information.
The FTC also criticized Zoom for storing some meeting recordings unencrypted in the cloud for up to two months, despite marketing claims that meetings would be encrypted immediately following session completion. The agency also criticized Zoom for bypassing Safari malware detection when it installed ZoomOpener web server software as part of a Mac desktop application update in July 2018:
“Without the ZoomOpener web server, the Safari browser would have provided users with a warning box, prior to launching the Zoom app, that asked users if they wanted to launch the app. The complaint alleges that Zoom did not implement any offsetting measures to protect users? security, and increased users? risk of remote video surveillance by strangers. The software remained on users? computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app?without any user action?in certain circumstances.”
The settlement itself isn’t much of one. As part of it, Zoom simply has to “establish and implement a comprehensive security program” and adhere to “a prohibition on privacy and security misrepresentations,” stuff the company insists it has already done. The settlement doesn’t come with any meaningful financial penalties or consumer compensation of any kind, resulting in some dissenting Democratic Commissioners (like commissioner Rebecca Kelly Slaughter) arguing it wasn’t really much of a settlement at all:
“Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false. This failure of the proposed settlement does a disservice to Zoom?s customers, and substantially limits the deterrence value of the case.”
Again, Zoom should be applauded for the fact that the company has taken many concrete steps to improve things sense reports first surfaced that its privacy and security standards weren’t up to snuff. But it’s not clear that the FTC, arriving late to the party and “requiring” the company do a bunch of things it had already accomplished, really acts as much of a deterrent for the long line of companies that phone in their privacy and security standards. Especially when most of them get far less (if any) attention for similar behavior, in part because the FTC routinely lacks the resources to seriously police privacy at any real scale.
Filed Under: end-to-end encryption, false advertising, ftc, video conferencing
Companies: zoom
Comments on “Zoom Gets An FTC Wrist Slap For Misleading Users On Security, Encryption”
wrong "sense"
that should be "since"
1) re zoom, it doesn’t look like an FTC deterrent was required.
2) re deterrence in general, if obscenely long sentences for relatively minor crimes doesn’t deter people from (eg) stealing bread, why would greater fines work as a deterrent against companies?
The greater deterrent effect would be public shaming. And social media pretty much has that one in hand, most days.
How much ya wanna bet
1) DHS knew all about the holes in Zoom
2) Was all about it because even if they couldn’t hack Zoom data themselves, LE could intimidate Zoom into giving them whatever they want
3) We’ll never know about any of it due to parallel construction and other government fuckery
Fines and "penalties" won’t do anything against these beasts; if you use them, you’re part of the problem.
Re: How much ya wanna bet
Rhetorical questions
How many lawyers zoom calls were compromised?
Were any of them notified of the issue?
Of those how many are bringing suit?
Ok.
Re: Ok.
Lets ask.
Internet.
comments/opinions/this and that.
No protections besides YOU.
And YOU have no protection of what and where its going????????
FINE.
To be able ot display anything and every thing????
How far do you want your opinion or morals to lead you???
Again, Zoom should be applauded for the fact that the company has taken many concrete steps to improve things sense reports first surfaced that its privacy and security standards weren’t up to snuff.
Sure. I will applaud them for discovering the First Rule of Holes when they were caught lying multiple times. Good on them. :/
As believed by Tech Holding, The FTC found that Zoom’s security practices didn’t match up with what it said it did. The company that dominated video conferencing made a lot of false claims about its video and audio calling and lied to users about how their calls were encrypted.