The Federal Trade Commission announced on November 9 (link) an agreement with Zoom Video Communications, Inc. that will require the company to implement a robust information security program to resolve allegations that the video conferencing provider has implemented a series of deceptive and unfair practices that have undermined the security of its users.
Zoom has accepted the obligation to establish and implement a comprehensive security program (link) a ban on privacy and misrepresentation regarding security, and other detailed and specific measures to protect its user base, which has skyrocketed since 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.
In its complaint (link), the FTC said that, since at least 2016, Zoom has misled users by claiming to offer “end-to-end 256-bit encryption” to protect user communications, when in fact it provided a lower security level. End-to-end encryption is a method of securing communications so that only the sender and recipient (and no other person, not even the platform provider) can read the content.
In fact, the FTC argues, Zoom has kept cryptographic keys that could allow Zoom to access the content of its clients’ meetings and has secured its Zoom Meetings, in part, with an encryption level lower than promised. Zoom’s misleading claims have given users a false sense of security, according to the FTC’s complaint, particularly for those who have used the company’s platform to discuss sensitive topics such as health and financial information. In numerous blog posts, Zoom specifically advertised its level of encryption as the reason clients and prospects use Zoom’s video conferencing services.