Legal Law

Zoom receives an FTC slap within the face for deceptive customers concerning safety and encryption

In many ways, Zoom is an incredible success story. Relatively unknown before the pandemic, the company's user base exploded from 10 million pre-pandemic to 300 million users worldwide last April. One problem: As with so many modern tech companies, security and privacy practices did not meet the requirements of snuff. The researchers found that the company's "end-to-end encryption" was not in place. The company has also come under fire for features that allow employers to track employee attention and share data with Facebook that was not disclosed in the company's privacy policy.

While the company has taken great strides to resolve most of these issues, the company received a slap in the face this week from the FTC for misleading marketing and "a number of misleading and unfair practices that undermine the safety of its users". A comparison (pdf) and a corresponding announcement make it clear that the company has repeatedly misled consumers in its marketing, especially with regard to end-to-end encryption:

“In reality, Zoom has retained the cryptographic keys that Zoom can use to access the content of the customer meetings and partially secured the Zoom meetings with a lower level of encryption than promised. Zoom's misleading claims gave users a false sense of security, especially those who used the company's platform to discuss sensitive topics such as health and financial information.

The FTC also criticized Zoom for keeping some meeting recordings unencrypted in the cloud for up to two months, despite Marketing claiming meetings are encrypted immediately after the session ends. The agency also criticized Zoom for bypassing Safari malware detection when it installed the ZoomOpener web server software as part of a Mac desktop application update in July 2018:

“Without the ZoomOpener web server, the Safari browser would have provided users with a warning box before starting the Zoom app, asking if they wanted to start the app. The complaint alleges that Zoom failed to take countervailing measures to protect user safety and increased users' risk of being exposed to video surveillance by strangers. The software remained on users' computers even after the Zoom app was deleted and, under certain circumstances, automatically reinstalled the Zoom app – without user action. "

The settlement itself isn't much of one. As part of this, Zoom is only required to “set up and implement a comprehensive security program” and adhere to “no privacy and security misrepresentations,” as the company has previously claimed. The deal does not entail any significant financial sanctions or consumer indemnity of any kind, leading some dissenting Democratic commissioners (like Commissioner Rebecca Kelly Slaughter) to argue that it is not a real deal at all:

“Zoom is under no obligation to offer its customers redress, reimbursement, or even notification that material claims regarding the security of its services were false. This failure of the proposed settlement is detrimental to Zoom's customers and severely limits the deterrent value of the case. "

Again, Zoom should be applauded for the fact that the company has taken many concrete steps to improve things. Meaningful reports first surfaced that its privacy and security standards did not match snuff. However, it's not clear that the FTC, late for the party and asking the company to do a number of things it has already accomplished, the long line of companies adhering to their privacy and security standards really is deterring. Especially when most of them get far less (if any) attention for similar behavior, partly because the FTC routinely lacks the resources to seriously monitor privacy in any real amount.

Zoom receives an FTC slap in the face for misleading users regarding security and encryption

More Techdirt Legal Stories:

Over time: New York Governor Cuomo signs anti-SLAPP bill
The court of appeals stripped of immunity from detectives who turned a rape report into 18 hours of terror for the victim
Trumpland has apparently just forgotten its manufactured TikTok hysteria

Related Articles