Federal regulators are requiring Zoom to strengthen its security in a proposed settlement of allegations that the video conferencing service misled users about its level of security for meetings.
The settlement, approved by the Federal Trade Commission in a 3-2 vote, was announced Monday. A complaint filed by the agency accused Zoom of deceiving users over security since at least 2016. It said the company held on to cryptographic keys that allowed it to access content from its customers’ meetings, and secured meetings with a lower level of privacy encryption than it promised customers.
Zoom has become a staple during the coronavirus pandemic because it allows people to meet online rather than in person. The company claims some 300 million users, boosted by the tens of millions of workers around the world who were suddenly ordered to work from home in the spring as the virus outbreak shut down wide swaths of the economy.
The FTC alleged that Zoom “engaged in a series of deceptive and unfair practices that undermined the security of its users.”
The company’s misleading claims gave users a false sense of security, the regulators said, especially for those who used the videoconferencing platform to discuss sensitive topics such as health and financial information. They noted that in blog posts, Zoom promoted its level of encryption as a reason for consumers—whether families, schools, social groups or businesses—to use the services.
The proposed settlement doesn’t include any financial penalties for the company or restitution for affected users.
Zoom Video Communications Inc., based in San Jose, Calif., would be required under the settlement to take specific measures, such as establishing a program for resolving privacy vulnerability. Company personnel would be required to review any software updates for security flaws.
Zoom said it has already addressed the problems cited by the FTC. The settlement “is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience,” the company said in a statement Monday.
“The security of our users is a top priority for Zoom,” it said. “We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs.”
The vote was 3-2 to propose the agreement, with the FTC’s two Democratic commissioners, Rohit Chopra and Rebecca Kelly Slaughter, dissenting because it doesn’t require refunds or other redress for affected customers. The proposal will be opened to public comment for 30 days, after which the agency will decide whether to make it final.
“Zoom has ‘cashed in’ on the pandemic,” Chopra said in his dissent. “Zoom stands ready to emerge as a tech titan. But we should all be questioning whether Zoom and other tech titans expanded their empires through deception. Zoom could have taken the time to ensure that its security was up to the right standards.”