November 9, 2020
Eric Yuan's company misrepresented the security of both its videoconferencing and cloud storage, and in so doing engaged in "a series of deceptive and unfair practices that undermined the security of its users," says the FTC.
However, dissenting members of the five-member government commission said the settlement did not include sufficiently strong penalties, such as a fine. Zoom instead agreed to face fines of up to $43,280 for each future violation under the agreement.
Figure 1: Zoom has been the darling of the pandemic – even used at the White House – but the company behind it had previously lied to customers over encryption.
(Source: The White House)
During the pandemic, "practically everyone" is using videoconferencing to communicate, making platforms' security more critical than ever, says Andrew Smith, director of the FTC's consumer protection bureau.
Zoom's security practices "didn't line up with its promises," and "gave users a false sense of security", especially if they were discussing sensitive topics like their finances or health, he says.
So the proposed settlement "sends a message to all companies that they need to live up to their privacy and security promises," asserts Smith.
Video killed the E2E star
The FTC says Zoom made three sorts of misleading statements to users about security: that its encryption was end-to-end; what level of encryption it offered; and how quickly recorded meetings were stored on an encrypted server.
First, with end-to-end encryption only the communicating users hold the cryptographic keys needed to decrypt a conversation, which should prevent eavesdropping by telecom providers and by the service provider itself.
However, in this case Zoom, as the platform provider, kept a copy of the cryptographic keys, which could allow it to access the content of its customers' meetings.
In actuality, therefore, content was only encrypted between each participant and Zoom's servers.
This isn't really end-to-end, but just end-to-somewhere-in-the-middle.
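To make the distinction concrete, here is an added example (not Zoom's code, and not a description of its actual protocol) that models a meeting relay in Python with a toy cipher: the participants see an identically "encrypted" frame in both topologies, but only the one where the provider never holds the key denies the operator the plaintext. The cipher, the relay class and the message are all constructed for illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32

def _keystream(key, nonce, length):
    """Toy counter-mode keystream from SHA-256 (stand-in for AES-GCM; not for real use)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC one media frame: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, frame):
    """Verify the tag first, then decrypt; raises ValueError on a wrong key or tampered frame."""
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered frame")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Relay:
    """The provider's server (hypothetical). It forwards every frame and logs a copy;
    the only difference between the two deployments is whether it also holds the key."""
    def __init__(self, key_held_by_server):
        self.key = key_held_by_server   # None models true end-to-end encryption
        self.log = []
    def forward(self, frame):
        self.log.append(frame)
        return frame
    def provider_reads(self):
        """What the operator (or anyone who compels the operator) can recover from the log."""
        if self.key is None:
            return []                   # ciphertext only: nothing to decrypt with
        return [unseal(self.key, f) for f in self.log]

def run_meeting(server_holds_key, message=b"Q3 revenue is down 12%"):
    """Returns (what the recipient decrypts, what the provider can read). The recipient's
    view is the same either way, which is why a lock icon alone cannot prove E2E."""
    meeting_key = os.urandom(32)
    relay = Relay(meeting_key if server_holds_key else None)
    bob_sees = unseal(meeting_key, relay.forward(seal(meeting_key, message)))
    return bob_sees, relay.provider_reads()
```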
Zoom finally began offering true end-to-end encryption to both free and paying users in October, as a feature users can activate.
The announcement came during its annual Zoomtopia user conference, which it held virtually on October 14 and 15.
Users of the free product wanting to use end-to-end encryption will need to participate in a one-time verification process.
End-to-end encrypted conversations will then show a dark padlock on top of a green shield icon in the upper left corner of the screen. Those using Zoom's standard GCM (Galois/Counter Mode) encryption will instead see a checkmark there.
Second, since at least 2015, Zoom made "numerous and prominent claims" it encrypted Zoom meetings with a 256-bit encryption key, the FTC's original complaint says.
But in fact, Zoom used a lower level of encryption, with 128-bit instead of 256-bit keys.
The difference between the two levels corresponds to the standards the US government allows for top secret versus secret communications.
And third, Zoom told users who wanted to store recordings of meetings on its cloud storage that the files would be encrypted immediately.
In fact, says the FTC, recordings were first stored unencrypted on Zoom's servers for up to 60 days.
In addition, Zoom secretly installed software which bypassed Apple Safari browser safeguards, as part of a July 2018 update for Mac desktop users, says the FTC.
This software, a local web server called ZoomOpener, bypassed safeguards that protected users from downloading malware and increased the risk that strangers could subject users to remote video surveillance, even after they had deleted the Zoom app.
Apple removed the ZoomOpener server from users' computers through a July 2019 automatic update.
"I am concerned that Zoom simply thought that the FTC's law enforcement inquiry wasn't serious. That's probably why the company didn't even bother to disclose the agency's inquiry to its investors," says Chopra.
The company "seemed to guess that the FTC wouldn’t do anything to materially impact their business. Sadly, for the public, they guessed right," he says.
And the settlement doesn't require Zoom to offer "redress, refunds, or even notice to its customers that material claims regarding the security of its services were false," says Slaughter.