Zoom, FTC reach settlement after Zoom is caught in a big lie over encryption

Announced on Monday, a settlement between video conferencing app Zoom and the FTC revealed that since 2016, Zoom had been lying about providing "end-to-end, 256-bit encryption" to protect the security of users' communications. The truth was that Zoom was actually giving users a lower level of security. As the FTC said on Monday, "Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers' meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised."
The FTC complaint chronicles the rapid growth of the company. In July 2019 it had 600,000 paid subscribers, and 88% of those paid subscribers were small businesses with 10 or fewer employees. By December 2019, 10 million people around the world were participating in a Zoom chat daily. And by the time COVID-19 hit the U.S. big time in April 2020, the number of people around the globe participating in a Zoom chat every day had skyrocketed to a whopping 300 million.
During this amazing period of growth, Zoom made various representations about the strength of its security measures. On its websites and in its security guides Zoom said that it takes "security seriously," that it "places privacy and security as the highest priority." Zoom also made it known that "it is committed to protecting your privacy." Since 2016 Zoom has been making claims that its chats offer end-to-end encryption. One way that it did this was by placing an icon of a green padlock in the top left corner of a Zoom Meeting. When a user hovered near the icon, he or she would see a popup that read "Zoom is using an end-to-end encrypted connection."
But as the FTC notes, "Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom's Connector product." In a blog post written by Zoom's Chief Product Officer, the company finally admitted that "while we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it." The FTC also noted that the claim made last year by Zoom that its recorded meetings were stored encrypted as soon as the Meeting was over simply was not true. As it turns out, recorded Meetings were kept on Zoom's own servers unencrypted for up to 60 days before they were transferred to Zoom's secure cloud storage, where they were stored encrypted.
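The distinction the FTC draws above, and that Zoom's blog post concedes, is about key custody rather than key length: if the service generates and keeps the meeting key, it can decrypt any traffic or recording it holds, however many bits the key has. The following is an added illustration written for this article; it is not Zoom's code and does not describe Zoom's actual protocol. It uses only the Python standard library, so the cipher is a stand-in built from HMAC-SHA256 (keystream XOR plus an authentication tag) rather than AES, and the `Relay` class, the meeting key sizes and the sample message are all constructed for the example. What it shows is the observable difference: with a server-issued key the relay can read its stored recording; with a key the participants share among themselves the relay holds only ciphertext and every decryption attempt fails the tag check.

```python
"""Toy model of the key-custody difference described in the FTC complaint.

Added example, not from the article or from Zoom. Stdlib only: the cipher
is an illustrative encrypt-then-MAC scheme (HMAC-SHA256 keystream XOR plus
an HMAC tag) standing in for AES; it is for illustration, not for reuse.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key):
    """Derive separate encryption and MAC keys from one meeting key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag, then strip the keystream. Wrong key -> ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Relay:
    """Constructed model of the service's servers: keeps every blob it
    forwards (a stored recording) and every key it generated itself."""

    def __init__(self):
        self.seen_blobs = []
        self.held_keys = []

    def issue_meeting_key(self):
        key = secrets.token_bytes(32)
        self.held_keys.append(key)  # the service made it, so it has a copy
        return key

    def forward(self, blob):
        self.seen_blobs.append(blob)
        return blob

    def readable_recordings(self):
        """Plaintexts the service can recover from what it holds."""
        out = []
        for blob in self.seen_blobs:
            for key in self.held_keys:
                try:
                    out.append(decrypt(key, blob))
                    break
                except ValueError:
                    continue
        return out


def server_keyed_meeting(message):
    """Service-issued key: the recipient reads the message, and so can the service."""
    relay = Relay()
    key = relay.issue_meeting_key()
    delivered = relay.forward(encrypt(key, message))
    return decrypt(key, delivered), relay.readable_recordings()


def end_to_end_meeting(message):
    """Participant-held key (assumed to be agreed between clients; modelled
    as a shared random key the relay never sees): the service cannot read it."""
    relay = Relay()
    key = secrets.token_bytes(32)  # never handed to the relay
    delivered = relay.forward(encrypt(key, message))
    return decrypt(key, delivered), relay.readable_recordings()


if __name__ == "__main__":
    msg = b"constructed sample: quarterly numbers"  # constructed input
    print("server-keyed:", server_keyed_meeting(msg))
    print("end-to-end:  ", end_to_end_meeting(msg))
```

Run it as a script and the server-keyed case returns the recording in plaintext from the relay's side, while the end-to-end case returns an empty list: the relay holds the same number of ciphertext bytes in both runs, so nothing about the traffic itself distinguishes them. That is why "256-bit encryption" on a marketing page says nothing about whether a provider can read the content; the auditable question is who generated the key and where copies of it live.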
The Democrats on the FTC panel are not happy about the settlement since they feel that it does not punish Zoom enough for its lies. Democratic Commissioner Rebecca Kelly Slaughter said, "Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false. This failure of the proposed settlement does a disservice to Zoom's customers, and substantially limits the deterrence value of the case." However, Zoom does face lawsuits from customers and investors and these could result in the company being ordered to make financial restitution to those who were hurt by the firm's dishonesty.
The proposed settlement that Zoom has agreed to includes beefing up its security, including the use of multi-factor authentication as a way to prevent unauthorized access to the Zoom network. The settlement is open for public comment for 30 days; once that time is up, the Commission gets to vote on making it final. The 30 days begin once the settlement is published in the Federal Register. Zoom will have to notify the FTC of any data breaches. All software updates will need to be examined by Zoom for security flaws. And a third party will need to sign off on Zoom's security program once the settlement is finalized and every two years after that, for a total of 20 years.