While it has become as vital a tool as any during the COVID-19 pandemic, teleconferencing platform Zoom Video Communications has faced its share of privacy and security challenges as it adapted its systems to an unexpected boom to its clientele. That adaptation will now go steps further under orders from the U.S. Federal Trade Commission.
The FTC has announced a proposed settlement with Zoom related to allegations of deceptive and unfair infosecurity practices that risk users' privacy and security. The consent order calls for Zoom to devise sweeping changes to its existing information security program and prohibits the company from making privacy and security misrepresentations. Failure to reach and maintain compliance with the FTC's order could result in future financial penalties.
"The settlement we are announcing today will make Zoom take important steps to protect the privacy and security of all users for the next 20 years or face stiff penalties if they don't," FTC Bureau of Consumer Protection Director Andrew Smith said during a conference call regarding the settlement. "It will ensure the company lives up to the privacy and security promises that it makes to users so that they can make informed decisions about what video platform to use."
The FTC's investigation into Zoom began more than a year ago, according to the agency. The case took priority last spring as advocates and lawmakers called on the FTC to take a closer look at Zoom, which had its total number of users soar from 10 million in December 2019 to 300 million in April amid the pandemic.
Smith noted the consent order focuses on two key allegations. First, the FTC claimed Zoom misled consumers about its encryption practices with false statements about end-to-end encryption and the secure handling of voice recordings from Zoom meetings. The FTC's second issue stemmed from software Zoom allegedly installed onto Mac desktop computers that circumvented users' Safari browsers and left them susceptible to malware attacks.
"Zoom will have to review all new software for common security vulnerabilities and address them prior to release," Smith said. "It will have to conduct quarterly scans of its internal network and promptly remediate critical or severe vulnerabilities. They will have to implement these and other privacy and security measures while getting outside assessments of these measures."
A Zoom spokesperson said in a statement the company has already addressed the issues identified by the FTC, noting it values and respects users' trust while always making security "a top priority."
"Today's resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience," the spokesperson said.
The agreement with the FTC follows a similar settlement Zoom agreed to with New York Attorney General Letitia James in May. At that time, Zoom again said that allegations of lacking privacy and security measures were resolved via a 90-day overhaul of its programs.
FTC commissioners voted 3–2 to issue the proposed administrative complaint and accept the consent agreement with Zoom. FTC Chairman Joseph Simons joined commissioners Noah Phillips and Christine Wilson in voting to approve the settlement, while commissioners Rohit Chopra and Rebecca Kelly Slaughter dissented.
Slaughter went as far as stating the proposed settlement only mentions privacy but does little to actually address it.
"A more effective order would require Zoom to engage in a review of the risks to consumer privacy presented by its products and services, to implement procedures to routinely review such risks, and to build in privacy-risk mitigation before implementing any new or modified product, service, or practice," Slaughter wrote.
Slaughter also joined Chopra in calling for a renewed and strengthened approach to enforcing matters related to technology companies and their handling of user privacy and security.
"While deciding to resolve a matter through a settlement, regulators and enforcers must seek to help victims, take away gains, and fix underlying business incentives," Chopra wrote. "Of course, all settlements involve tradeoffs, but like other FTC data protection settlements, the FTC’s proposed settlement with Zoom accomplishes none of these objectives."
Responding to what Chopra deemed as a "status quo approach," Smith said there was plenty of strength to the order with Zoom, noting specific orders and requirements for updated practices and oversight that carried similarities to those included in the FTC's $5 billion settlement with Facebook. Smith also indicated the FTC preferred to take action in a timely manner rather than stringing its proceedings out.
"Our investigations and the investigations of any administrative agency can take a long time, and litigation takes even longer," Smith said. "Here we are providing strong, injunctive relief in a timely way while we can still use it. Had we litigated this case, we might've gotten more or different relief, but I bet we'd be having this conversation in 2022."
Photo by Chris Montgomery on Unsplash