The Federal Trade Commission (FTC), the US consumer protection body, has announced it has negotiated a settlement with Zoom after accusing the video conferencing provider of “a series of deceptive and unfair practices that undermined the security of its users”.
The initial complaint from the FTC detailed numerous instances when Zoom misled customers about offering ‘end-to-end’ encryption which was anything but.
In fact, Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom’s “Connector” product (which are hosted on a customer’s own servers), because Zoom’s servers-including some located in China-maintain the cryptographic keys that would allow Zoom to access the content of its customers’ Zoom Meetings.
Zoom also exaggerated the strength of the encryption used, claiming to employ 256-bit encryption keys.
In fact, Zoom used a lower level of encryption for securing Zoom Meetings, AES 128-bit encryption in Electronic Code Book (“ECB”) mode.
Users were told that cloud recordings of their Zoom meetings are encrypted after the meeting has ended.
In fact, recorded Meetings are kept on Zoom’s servers for up to 60 days, unencrypted, before Zoom transfers the recordings to its secure cloud storage, where they are then stored encrypted.
The FTC also detailed the ways Zoom had worked around the security protocols implemented by Apple on their Mac computers, putting users at increased risk. In summary, the FTC’s complaint covered various deceptive security claims made by Zoom “since at least 2016”. The settlement saw Zoom committing not to make further misrepresentations about security. Zoom will also implement a security program that will:
- assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
- implement a vulnerability management program; and
- deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.
The communications industry has a deservedly bad reputation for cutting corners whilst mouthing platitudes about security and privacy being a ‘top priority’. Zoom did the same in an official statement about the FTC settlement. Rather than repeating that corporate flatulence it is more pertinent to observe that a few weeks earlier Zoom issued a press release boasting about new end-to-end encryption using 256-bit keys that “not even Zoom’s meeting servers” has access to.
Repeatedly abusing customers by disrespecting their right to privacy is corrosive not just for a specific business but for the whole of society. Some FTC Commissioners said the settlement was not tough enough on Zoom, and I am inclined to agree with them.
You can read the FTC’s statement on the settlement here and their case file is here.