20.5k unique visitors in the last 3 days

Zoom ‘Undermined’ Security of Users; Settles with FTC

The video conferencing service often boasted about end-to-end 256-bit encryption which was neither end-to-end nor 256-bit.

The Federal Trade Commission (FTC), the US consumer protection body, has announced it has negotiated a settlement with Zoom after accusing the video conferencing provider of “a series of deceptive and unfair practices that undermined the security of its users”.

The initial complaint from the FTC detailed numerous instances when Zoom misled customers about offering ‘end-to-end’ encryption which was anything but.

In fact, Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom’s “Connector” product (which are hosted on a customer’s own servers), because Zoom’s servers-including some located in China-maintain the cryptographic keys that would allow Zoom to access the content of its customers’ Zoom Meetings.

Zoom also exaggerated the strength of the encryption used, claiming to employ 256-bit encryption keys.

In fact, Zoom used a lower level of encryption for securing Zoom Meetings, AES 128-bit encryption in Electronic Code Book (“ECB”) mode.

Users were told that cloud recordings of their Zoom meetings are encrypted after the meeting has ended.

In fact, recorded Meetings are kept on Zoom’s servers for up to 60 days, unencrypted, before Zoom transfers the recordings to its secure cloud storage, where they are then stored encrypted.

The FTC also detailed the ways Zoom had worked around the security protocols implemented by Apple on their Mac computers, putting users at increased risk. In summary, the FTC’s complaint covered various deceptive security claims made by Zoom “since at least 2016”. The settlement saw Zoom committing not to make further misrepresentations about security. Zoom will also implement a security program that will:

  • assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
  • implement a vulnerability management program; and
  • deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.

The communications industry has a deservedly bad reputation for cutting corners whilst mouthing platitudes about security and privacy being a ‘top priority’. Zoom did the same in an official statement about the FTC settlement. Rather than repeating that corporate flatulence it is more pertinent to observe that a few weeks earlier Zoom issued a press release boasting about new end-to-end encryption using 256-bit keys that “not even Zoom’s meeting servers” has access to.

Repeatedly abusing customers by disrespecting their right to privacy is corrosive not just for a specific business but for the whole of society. Some FTC Commissioners said the settlement was not tough enough on Zoom, and I am inclined to agree with them.

You can read the FTC’s statement on the settlement here and their case file is here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email