On November 9, 2020, the U.S. Federal Trade Commission (“FTC”) announced a proposed settlement with Zoom Video Communications, Inc. (“Zoom”), a video conferencing provider, to resolve claims that Zoom deceived users about the extent and nature of its software’s encryption and secretly installed software that circumvented a browser security safeguard.1 The proposed settlement, which is subject to public comment and final FTC approval, contains a range of injunctive relief that, according to the Majority Statement, will “ensure that Zoom will prioritize consumers’ privacy and security.” Two commissioners—Rohit Chopra and Rebecca Kelly Slaughter—dissented, saying that the proposed settlement offers no redress to affected users, does not require Zoom to pay a monetary penalty, and fails to require Zoom to address privacy as well as security concerns.
The FTC complaint alleges five counts of violations of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
First, the complaint alleges that Zoom misrepresented its use of end-to-end encryption to secure the content of the communications between participants using Zoom’s video conferencing service. End-to-end encryption is a method of securing communications where an encrypted communication can only be deciphered by the communicating parties and is intended to prevent communications from being read or modified by anyone other than the true sender and recipient. According to the FTC, Zoom misrepresented that it provided end-to-end encryption for all of its video conferencing services from at least 2016 until April 2020, when its Chief Product Officer revealed in a blog post that end-to-end encryption was generally unavailable for a “Zoom Meeting,” Zoom’s core product.
Second, the complaint alleges that Zoom misrepresented since at least June 2015 that it employed 256-bit encryption to secure Zoom meetings. According to the FTC, Zoom actually used 128-bit encryption, a lower level of encryption that provides less confidentiality protection.
Third, the complaint alleges that Zoom misrepresented that recorded Zoom meetings were stored in encrypted fashion in Zoom’s cloud storage immediately after a meeting had ended, when, in fact, recorded meetings were stored unencrypted on Zoom’s servers for up to 60 days before Zoom transferred these recordings to secure cloud storage.
Fourth, the complaint alleges that Zoom, without adequate notice or consent, installed software called ZoomOpener as part of a manual update for its Mac desktop application in July 2018 without implementing any offsetting measures to protect users’ security. According to the FTC, the software—which allowed Zoom to automatically launch, join a user to a meeting, and activate the user’s webcam unless the user had manually changed the default video settings—stayed on users’ computers even after they deleted the Zoom application. ZoomOpener bypassed an Apple Safari browser safeguard that protected users from a common type of malware, which, the complaint alleges, increased Zoom users’ risk of remote video surveillance by strangers. The complaint alleges that ZoomOpener impacted over 3.8 million U.S. consumers who had ZoomOpener secretly installed on their Mac computers.
Fifth, the complaint alleges that Zoom repeatedly misrepresented that it was updating its Mac application to implement minor bug fixes when, in reality, the update deployed ZoomOpener—the software that circumvented a Safari privacy and security safeguard and remained on users’ computers even after they had uninstalled the Zoom application.
The Settlement Order
The proposed settlement would require Zoom to create and maintain a comprehensive information security program. Specifically, it would require Zoom to: (1) refrain from misrepresenting how it collects, maintains, uses, or discloses personal information or the security features it offers; (2) document the content, implementation, and maintenance of the information security program; (3) annually assess and document any potential security risks and develop ways to protect against these vulnerabilities; (4) designate a qualified employee to oversee the information security program; and (5) obtain biennial assessments of its security program by an independent third party for the next twenty years.
These requirements are consistent with a January 2020 FTC blog post that announced the FTC’s efforts to strengthen injunctive relief imposed in consent agreements. In the January 2020 statement, the FTC asserts that it made significant improvements to its data security orders by: (1) making them more specific; (2) increasing third-party assessor accountability; and (3) elevating data security considerations to the C-Suite and Board level. The proposed settlement with Zoom implements all three of these features, mandating that Zoom maintain an information security program that specifically addresses the FTC’s allegations, requiring comprehensive assessment by a third party on a regular basis, and demanding engagement by senior management.
What the Proposed Zoom Settlement Means for You
1. FTC Injunctive Relief Includes Tailored Data Practices to Address Violations
The proposed Zoom settlement reflects the FTC’s commitment to improving the specificity of data security orders. In 2018, the Eleventh Circuit struck down an FTC data security order as unenforceably vague. In response, the FTC held a hearing in December 2018 to consider how to improve data security orders. In 2019, the FTC issued seven data security orders, seeking to increase specificity, third-party assessor accountability, and management oversight of data security.
The proposed settlement would require Zoom to implement a comprehensive information security program tailored to the alleged violations. The proposed settlement would also specifically require Zoom to: (1) establish a process for conducting a pre-release security review of its software updates to ensure that the updates do not bypass security features in third-party software; (2) implement a program to detect and remediate critical vulnerabilities in its networks; and (3) provide training on “secure software development principles” to product developers, designers, and engineers.
2. The Proposed Settlement Conforms to the FTC’s January 2020 Statement
The proposed settlement follows the framework that the FTC set forth in January 2020. First, as discussed above, the proposed settlement would require Zoom to implement specific safeguards to address the problems alleged in the FTC’s complaint. Second, the proposed settlement would increase third-party assessor accountability, as it requires Zoom to obtain biennial assessments of its security program by an independent third party for the next twenty years. Third, the proposed settlement would elevate data security consideration to the C-Suite level, requiring Zoom to designate a qualified employee to be responsible for the comprehensive information security program and to have an executive officer annually certify compliance with the settlement order. Companies facing similar charges should expect the FTC to follow through with its commitment to this framework.
3. The Commissioner Split Suggests Future Uncertainty
Democratic commissioners Rohit Chopra and Rebecca Kelly Slaughter issued separate dissenting statements, asserting that the FTC must change course to address data privacy and data security concerns going forward. Commissioner Chopra’s dissent criticized the proposed settlement for failing to provide relief for those users harmed by Zoom’s misrepresentations, including small businesses that relied on Zoom’s data protection claims. Commissioner Chopra further criticized the proposed settlement because “it does not require Zoom to pay a dime.” Commissioner Slaughter’s dissenting statement criticized the proposed settlement’s failure to impose any requirements directly protecting users’ privacy—and not just their security—while using Zoom. She would have preferred a settlement that “would require Zoom to engage in a review of the risks to consumer privacy presented by its products and services, to implement procedures to routinely review such risks, and to build in privacy-risk mitigation before implementing any new or modified product, service, or practice.”
This decision, like many others, reflects a split within the FTC along party lines, signaling that even a small change to the FTC’s makeup may have large consequences to the FTC’s approach to data privacy moving forward.
1 In re Zoom Commc’ns, Inc., No. 192-3167 (F.T.C. Nov. 9, 2020).
Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.