Zoom has been lying to users about end-to-end encryption for years, FTC says

Zoom founder and CEO Eric Yuan speaks ahead of Nasdaq’s opening bell ceremony on April 18, 2019 in New York City, when the company announced its IPO.

Zoom agreed to update its security practices in a proposed settlement with the Federal Trade Commission, which alleges that Zoom misled users for years by claiming to offer end-to-end encryption.

“[S]ince at least 2016, Zoom misled users by claiming that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications, when in fact it provided a lower level of security,” the FTC said today in its announcement of its complaint against Zoom and the proposed settlement. Despite the promise of end-to-end encryption, the FTC said that “Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.”

The FTC complaint states that Zoom said it offers end-to-end encryption in the June 2016 and July 2017 HIPAA compliance guides, intended for healthcare users of the video conferencing service. Zoom also said it offers end-to-end encryption in a January 2019 white paper, an April 2017 blog post, and direct responses to customer and prospect inquiries, the complaint states.

“In fact, Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom’s ‘Connecter’ product (which are hosted on a customer’s own servers), because Zoom’s servers, including some located in China, maintain the cryptographic keys that would allow Zoom to access the content of its customers’ Zoom Meetings,” the FTC complaint states.
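The distinction the complaint turns on is who holds the keys: a server that decrypts and re-encrypts meeting traffic can read it no matter how strong the cipher is, while a true end-to-end design leaves the server relaying ciphertext it cannot open. The following Python model is an added illustration, not Zoom's protocol or code. It uses a toy authenticated cipher built from HMAC-SHA256 (not a production cipher) and assumes the end-to-end participants have already agreed on a meeting key by some means the server merely transports; the message content is a constructed sample.

```python
import hashlib
import hmac
import secrets

# --- Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag).
# Illustrative only; a real system would use an AEAD such as AES-GCM or ChaCha20-Poly1305.
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and authentication keys derived from one root key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class RelayServer:
    """Meeting server. In the server-held-key model it is given every
    participant's key and re-encrypts per hop; in the end-to-end model it
    holds no keys and can only forward opaque bytes."""

    def __init__(self):
        self.client_keys = {}   # populated only in the server-held-key model
        self.observed = []      # plaintext the operator was able to read

    def register(self, name: str, key: bytes) -> None:
        self.client_keys[name] = key

    def relay(self, sender: str, recipient: str, blob: bytes) -> bytes:
        if sender in self.client_keys:
            # Server-held keys: decrypt, (could log/inspect), re-encrypt for the recipient.
            plaintext = open_(self.client_keys[sender], blob)
            self.observed.append(plaintext)
            return seal(self.client_keys[recipient], plaintext)
        return blob  # End-to-end: nothing to decrypt with, pass ciphertext through.


def run_meeting(end_to_end: bool) -> tuple:
    """Returns (message delivered intact, server could read the content)."""
    server = RelayServer()
    message = b"constructed sample: Q3 numbers discussed in the meeting"
    if end_to_end:
        # Assumed: the meeting key was agreed between the participants' devices
        # (e.g. via a key exchange the server only transports) and never shared with it.
        meeting_key = secrets.token_bytes(32)
        blob = server.relay("alice", "bob", seal(meeting_key, message))
        received = open_(meeting_key, blob)
    else:
        alice_key, bob_key = secrets.token_bytes(32), secrets.token_bytes(32)
        server.register("alice", alice_key)
        server.register("bob", bob_key)
        blob = server.relay("alice", "bob", seal(alice_key, message))
        received = open_(bob_key, blob)
    return received == message, len(server.observed) > 0


if __name__ == "__main__":
    print("server-held keys:", run_meeting(end_to_end=False))
    print("end-to-end:      ", run_meeting(end_to_end=True))
```

Both configurations deliver the message intact, and both encrypt every byte on the wire; the only difference is the second return value, which is what "end-to-end" actually promises. A marketing claim of "256-bit encryption" says nothing about that value.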

The FTC announcement states that Zoom also “misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.”

To resolve the allegations, “Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has grown from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic,” the FTC said.

No compensation for affected users

The settlement was approved by the FTC’s Republican majority, but the commission’s Democrats opposed it because it provides no compensation to users.

“Today, the Federal Trade Commission voted to propose a deal with Zoom that follows an unfortunate FTC formula,” said FTC Democratic Commissioner Rohit Chopra. “The deal does not provide any help to affected users. It does nothing for small businesses that have relied on Zoom’s data protection claims. And it doesn’t require Zoom to pay a dime. The Commission has to change course.”

Under the agreement, “Zoom is not required to offer compensation, refunds, or even notice to its customers that material claims regarding the security of its services were false,” said Democratic Commissioner Rebecca Kelly Slaughter. “This failure of the proposed settlement does a disservice to Zoom’s customers and substantially limits the deterrence value of the case.” Although the agreement imposes security obligations, Slaughter said it does not include requirements that directly protect user privacy.

Zoom is separately facing lawsuits from investors and consumers that could eventually lead to financial settlements.

The Zoom/FTC settlement doesn’t actually require end-to-end encryption, but Zoom last month announced that it is rolling out end-to-end encryption in a technical preview to get feedback from users. The settlement does require Zoom to implement measures “(a) requiring users to secure their accounts with strong, unique passwords; (b) using automated tools to identify non-human login attempts; (c) rate-limiting login attempts to minimize the risk of a brute force attack; and (d) implementing password resets for known compromised credentials.”

FTC calls ZoomOpener unfair and deceptive

The FTC complaint and settlement also cover the controversial ZoomOpener web server, which bypassed Apple’s security protections on Mac computers. Zoom “secretly installed” the software as part of a Zoom for Mac update in July 2018, the FTC said.

“The ZoomOpener web server allowed Zoom to automatically start and join a user in a meeting by bypassing an Apple Safari browser protection that protected users from a common type of malware,” FTC said. “Without the ZoomOpener web server, the Safari browser would have provided users with a warning window, before launching the Zoom app, asking users if they wanted to launch the app.”

The software “increased users’ risk of remote video surveillance by strangers” and “remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app, in some circumstances, without any user action,” the FTC said. The FTC alleged that Zoom’s deployment of the software without adequate notice or user consent violated US law prohibiting unfair and deceptive business practices.

Amid controversy in July 2019, Zoom released an update to completely remove the web server from its Mac application, as we reported at the time.

Zoom accepts security monitoring

The proposed settlement is subject to public comment for 30 days, after which the FTC will vote on whether to make it final. The 30-day comment period will begin once the settlement is published in the Federal Register. The FTC case and related documents can be viewed here.

The FTC announcement states that Zoom has agreed to take the following steps:

  • Assess and document any potential internal and external security risks on an annual basis and develop ways to safeguard against such risks;
  • Implement a vulnerability management program; and
  • Implement safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.
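The account-protection measures the settlement spells out (strong passwords, automated detection of non-human login attempts, rate-limiting against brute force, and resets for known compromised credentials, from the quoted clauses (a) through (d) above and the last bullet here) are the standard building blocks of a login guard. The following Python is an added example of how those four controls fit together in one evaluation path; it is not Zoom's implementation. The accounts, the "breach corpus" of compromised password hashes, and the thresholds are all constructed for illustration, and a real deployment would query an actual breach-data service rather than a local set.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque


# (a) Password strength check applied at enrollment and at reset time.
def is_complex(password: str, min_len: int = 12) -> bool:
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_len and sum(classes) >= 3


# (d) Known-compromised credentials. Constructed sample of breach hashes;
# real systems look these up in a breach corpus (typically by hash prefix).
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password123", "Summer2020!")
}


def is_compromised(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest() in COMPROMISED_SHA1


# Credential store with salted PBKDF2 hashes (constructed sample accounts).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt)}


USERS = {
    "alice": make_user("Summer2020!"),            # valid, but present in breach data
    "bob": make_user("c0rrect-Horse-Battery"),    # valid and not known-compromised
}


class LoginGuard:
    """Evaluates a login attempt against controls (b), (c) and (d).
    Timestamps are passed in explicitly (seconds) so behaviour is deterministic."""

    def __init__(self, max_failures: int = 5, window: int = 300, max_accounts_per_ip: int = 10):
        self.max_failures = max_failures
        self.window = window
        self.max_accounts_per_ip = max_accounts_per_ip
        self.failures = defaultdict(deque)   # username -> recent failure timestamps
        self.ip_targets = defaultdict(dict)  # source ip -> {username: last seen}

    def _recent_failures(self, username: str, now: float) -> int:
        q = self.failures[username]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def evaluate(self, username: str, password: str, source_ip: str, now: float) -> str:
        # (b) One source trying many distinct accounts inside the window is a
        #     credential-stuffing pattern, not a person mistyping a password.
        targets = self.ip_targets[source_ip]
        targets[username] = now
        for stale in [u for u, t in targets.items() if now - t > self.window]:
            del targets[stale]
        if len(targets) > self.max_accounts_per_ip:
            return "blocked_automated"

        # (c) Per-account throttle: too many recent failures blocks even a correct guess.
        if self._recent_failures(username, now) >= self.max_failures:
            return "throttled"

        # Verify the password; unknown users get the same hashing work so timing
        # does not reveal whether the account exists.
        user = USERS.get(username)
        salt, stored = (user["salt"], user["hash"]) if user else (b"\x00" * 16, b"\x00" * 32)
        if not hmac.compare_digest(_hash(password, salt), stored):
            self.failures[username].append(now)
            return "denied"
        self.failures[username].clear()

        # (d) Correct password that appears in breach data: let the user in only
        #     through a forced reset flow.
        return "ok_force_reset" if is_compromised(password) else "ok"


if __name__ == "__main__":
    guard = LoginGuard()
    print(guard.evaluate("alice", "Summer2020!", "198.51.100.7", now=0))   # ok_force_reset
    print(guard.evaluate("bob", "c0rrect-Horse-Battery", "198.51.100.7", now=1))  # ok
```

The order of the checks matters: the automation and throttle decisions are made before the password is verified, so an attacker who is already rate-limited learns nothing from a lucky guess, and the compromised-credential check runs only after a successful verification so the breach lookup is never a free oracle for wrong passwords.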

The data deletion portion of the settlement requires that all copies of data identified for deletion be deleted within 31 days.

Zoom will need to notify the FTC of any data breach and will be prohibited from “making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information,” the FTC announcement says.

Zoom will need to review all software updates for any security flaws and make sure the updates do not impede third-party security features. The company will also need to obtain third-party evaluations of its security program once the agreement is finalized and once every two years thereafter. This requirement lasts for 20 years.
