A settlement between video conferencing app Zoom and the FTC, announced on Monday, revealed that since 2016 Zoom had been lying about providing ‘end-to-end, 256-bit encryption’ to protect the security of users’ communication. In truth, Zoom was giving users a lower level of security. As the FTC said on Monday, “Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.”
Zoom, FTC reach settlement after Zoom is caught in a big lie over encryption
But as the FTC notes, “Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom’s Connector product.” In a blog post written by Zoom’s Chief Product Officer, the company finally admitted that “while we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.” The FTC also noted that Zoom’s claim last year that its recorded meetings were stored encrypted as soon as the Meeting was over simply was not true. As it turns out, recorded Meetings were kept on Zoom’s own servers unencrypted for up to 60 days before they were transferred to Zoom’s secure cloud storage, where they were stored encrypted.
The Democrats on the FTC panel are not happy about the settlement since they feel that it does not punish Zoom enough for its lies. Democratic Commissioner Rebecca Kelly Slaughter said, “Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false. This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case.” However, Zoom does face lawsuits from customers and investors and these could result in the company being ordered to make financial restitution to those who were hurt by the firm’s dishonesty.
The proposed settlement that Zoom has agreed to includes beefing up its security, including the use of multi-factor authentication as a way to prevent unauthorized access to the Zoom network. The settlement is open for public comment for 30 days; once that time is up, the Commission gets to vote on making it final. The 30 days begin once the settlement is published in the Federal Register. Zoom will have to notify the FTC of any data breaches. All software updates will need to be examined by Zoom for security flaws. And a third party will need to sign off on Zoom’s security program once the settlement is finalized, and every two years after that, for a total of 20 years.