Sponsored By

Zoom settles with FTC for fibbing over encryptionZoom settles with FTC for fibbing over encryption

Zoom agreed a settlement with the US Federal Trade Commission over complaints it misrepresented the security of its videoconferencing platform to users.

Pádraig Belton

November 9, 2020

5 Min Read
Zoom settles with FTC for fibbing over encryption

Zoom has agreed a settlement with the US Federal Trade Commission (FTC) after the agency said the San Jose, California-based company deceived users about its security encryption.

Eric Yuan's company misrepresented the security of both its videoconferencing and cloud storage, and in so doing engaged in "a series of deceptive and unfair practices that undermined the security of its users," says the FTC.

However, dissenting members of the five-member government commission said the settlement did not include sufficiently strong penalties, such as a fine. Zoom instead agreed to face fines of up to $43,280 for each future violation under the agreement.

Figure 1: Zoom has been the darling of the pandemic – even used at the White House – but the company behind it had previously lied to customers over encryption. (Source: The White House) Zoom has been the darling of the pandemic – even used at the White House – but the company behind it had previously lied to customers over encryption.
(Source: The White House)

During the pandemic, "practically everyone" is using videoconferencing to communicate, making platforms' security more critical than ever, says Andrew Smith, director of the FTC's consumer protection bureau.

Zoom's security practices "didn't line up with its promises," and "gave users a false sense of security", especially if they were discussing sensitive topics like their finances or health, he says.

So the proposed settlement "sends a message to all companies that they need to live up to their privacy and security promises," asserts Smith.

Video killed the E2E star

The FTC says Zoom made three sorts of misleading statements to users about security: saying that its encryption was end-to-end; the level of encryption it offered; and the time it took to store recorded meetings on an encrypted server.

First, in end-to-end encryption, only the communicating users can access the cryptographic keys needed to decrypt a conversation. This should prevent eavesdropping from telecom providers and the providers of the service.

However in this case, the providers of the Zoom platform kept a copy of the cryptographic keys that could allow it to access the content of its customers' meetings.

In actuality, therefore, content was only encrypted between each participant and Zoom's servers.

This isn't really end-to-end, but just end-to-somewhere-in-the-middle.

Zoom finally began offering true end-to-end encryption to both free and paying users in October, as a feature users can activate.

The announcement came during its annual Zoomtopia user conference, which it held virtually on October 14 and 15.

Users of the free product wanting to use end-to-end encryption will need to participate in a one-time verification process.

End-to-end encrypted conversations will then have a dark padlock on top of a green shield icon, in the screen's upper left corner. Users using Zoom's standard GCM (Galois/Counter Mode) encryption will instead see a checkmark there.

Second, since at least 2015, Zoom made "numerous and prominent claims" it encrypted Zoom meetings with a 256-bit encryption key, the FTC's original complaint says.

But in fact, Zoom used a lower level of encryption, with 128-bit instead of 256-bit keys.

The difference between the two levels corresponds to the standards the US government allows for top secret versus secret communications.

And third, Zoom told users who wanted to store recordings of meetings on its cloud storage that the files would be encrypted immediately.

In fact they were stored unencrypted for up to 60 days on unencrypted servers first, says the FTC.

In addition, Zoom secretly installed software which bypassed Apple Safari browser safeguards, as part of a July 2018 update for Mac desktop users, says the FTC.

This software, called a ZoomOpener web server, bypassed safeguards that protected users from downloading malware, and increased risks that users would face remote video surveillance by strangers, even after deleting the Zoom app.

Apple removed the ZoomOpener server from users' computers through a July 2019 automatic update.

Not fine

The FTC's five members approved the settlement by a narrow 3-2 vote, with both dissenters, Rohit Chopra and Rebecca Kelly Slaughter, arguing the settlement did not go far enough.

"I am concerned that Zoom simply thought that the FTC's law enforcement inquiry wasn't serious. That's probably why the company didn't even bother to disclose the agency's inquiry to its investors," says Chopra.

Want to know more about security? Check out our dedicated security channel here on Light Reading.

The company "seemed to guess that the FTC wouldn’t do anything to materially impact their business. Sadly, for the public, they guessed right," he says.

And the settlement doesn't require Zoom to offer "redress, refunds, or even notice to its customers that material claims regarding the security of its services were false," says Slaughter.

Meanwhile, Zoom's share price dropped by 20% in the immediate wake of Monday's announcement that the Pfizer of the US and Germany's BioNTech had developed a 90% effective coronavirus vaccine.

The shares of Amazon and Netflix also fell, while Boeing's rose.

Related posts:

Pádraig Belton, contributing editor special to, Light Reading

About the Author(s)

Pádraig Belton

Contributor, Light Reading

Contributor, Light Reading

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like