On November 9, 2020, the Federal Trade Commission (FTC) announced a proposed settlement with Zoom Video Communications, Inc. (Zoom). The FTC alleged in its complaint that Zoom engaged in both deceptive and unfair trade practices under the Federal Trade Commission Act relating to the security of its services and claims it made about that security.
Reading through the complaint and settlement, I’m reminded of the line from Marvel’s Spider Man, “with great power there must also come great responsibility.” As the world moved to remote work, telehealth, and social connections in response to COVID-19, Zoom experienced sky-rocketing growth, growing from 10 million users to more than 300 million. Unfortunately for Zoom, this growth was accompanied by intense public scrutiny of its data practices, including by the FTC.
The FTC alleged that Zoom made numerous deceptive statements regarding the privacy and security measures of its service. Zoom claimed to offer end-to-end AES 256-bit encryption of videoconferences between meeting hosts and participants. Some of these statements were made in the context of promoting its videoconferencing services to health organizations considered “covered entities” under the Health Insurance Portability and Accountability Act (“HIPAA”), which obligates those health organizations to meet certain security standards. The FTC claimed that, in reality, Zoom did not offer end-to-end encryption for products hosted on Zoom’s servers because Zoom maintained cryptographic keys that would allow Zoom to access its customer data. Zoom claimed in a later press conference that there was “a discrepancy” between the commonly accepted definition of the term and how Zoom used it. Zoom also used only AES 128-bit encryption for videoconference meetings, a lower level of security than promised.
The FTC further alleged that Zoom deceptively stated that meeting hosts with paid accounts could store conference recordings in Zoom’s cloud storage, where they would be encrypted. Zoom claimed that such recordings would be stored “after the meeting has ended,” but these recordings were kept on Zoom’s servers, unencrypted, for up to 60 days before being transferred to encrypted storage.
The FTC’s unfairness claims relate to the alleged circumvention of Safari controls by Zoom’s installation of a web server called “ZoomOpener.” These claims echo a similar basis for claims by the FTC against Google for bypassing default Safari cookie settings. The FTC alleged that ZoomOpener was installed “without adequate notice and consent” and bypassed the Safari web browser’s privacy and security controls without any compensating security measures. Safari’s privacy and security controls are designed to prompt a user who clicks on a link to confirm that the user intends to open an app, or to cancel and prevent the app from launching.
Because Zoom bypassed these controls, the FTC claimed that a user would automatically be joined to a Zoom meeting with the webcam activated by default without realizing it, and after leaving the website would not be exited from the meeting or have the webcam turned off. A user could also click on malicious code or otherwise inadvertently launch Zoom, and, by default, the user’s webcam would be turned on and “could expose consumers to remote video surveillance by strangers.” With the app open, some users could also be exposed to potential “Remote Control Execution (RCE) attacks” that would allow other software downloads and installations on the user’s computer, and to local denial of service (“DOS”) attacks that could cause a user’s machine to lock up. The FTC further claimed that if a Mac user deleted the Zoom App using Apple’s instructions for removing apps, the ZoomOpener web server software would remain installed and would cause the Zoom App to secretly reinstall.
The FTC also noted that Zoom failed to:
implement a training program on secure software development practices;
test, audit, assess, or review its applications for security vulnerabilities at certain key points, such as prior to releasing software updates, including failing to ensure that its software is free from commonly known or reasonably foreseeable attacks, such as “Structured Query Language” (SQL) injection attacks and “Cross-Site Scripting” (XSS) attacks;
monitor service providers or other contractors who have access to Zoom’s network;
secure remote access to its networks and systems through multi-factor authentication or similar technology;
use readily available measures to safeguard against anomalous activity and/or cybersecurity events across all of Zoom’s systems, networks, and assets within those networks, including monitoring all of Zoom’s networks and systems at discrete intervals, properly configuring firewalls, and segmenting its networks;
implement a systematic process for incident response;
implement a systematic process for inventorying, classifying, and deleting user data stored on Zoom’s network; and
apply security patches to software in its commercial environment.
Under the proposed Order, the FTC requires that Zoom implement a robust security program that addresses these security failures. Additionally, while the FTC did not mandate a specific level of encryption, it requires Zoom to refrain from making inaccurate statements about the level of security it provides to users.
Key takeaways for businesses:
1. Be diligent about implementing information security processes throughout a product’s lifecycle;
2. Design products and services to operate in line with user expectations of privacy and security;
3. Understand privacy and security controls on platforms where products and services are deployed, and avoid bypassing those controls, at least without adequate user notice and/or consent and mitigating safeguards; and
4. Refrain from making public statements about privacy and security without fully substantiating your claims and understanding common definitions of the terms used to describe your safeguards.