Zoom Lied about Using End-to-End Encryption: FTC Notes

In a tentative settlement with the Federal Trade Commission, Zoom has agreed to upgrade its security practices but now FTC alleges that Zoom lied to users for years by claiming that it offers end-to-end encryption.

According to FTC, since 2016, Zoom had been lying about providing ‘end-to-end, 256-bit encryption’ in order to protect the users’ communication security. The matter of the fact is that Zoom was actually giving users a lower level of security.

Zoom Lied about Using End-to-End Encryption: FTC Notes

FTC said on Monday, “Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.”

Some top allegations against Zoom are:

• On Level of Security, Misleded the Users
• Bypassed Safari Browser Security
• Notifications of Deceptive Software Release
• Risk of Video Surveillance on a high level
• Unencrypted Storage of Recordings in Cloud

FTC Notes:

“In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services.

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

The FTC alleges:

“Zoom did not implement any offsetting measures to protect users’ security, and increased users’ risk of remote video surveillance by strangers. The software remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app—without any user action—in certain circumstances. The complaint alleges that Zoom’s deployment of the ZoomOpener, without adequate notice or user consent, was unfair and violated the FTC Act.”

The FTC alleged that Zoom mislead users by claiming that it offers users of “end-to-end, 256-bit encryption”

Zoom need to provide the following security requirements:

• Biennial Third-Party Security Assessments
• Establishment of a vulnerability management program
• Zoom needs to do Annual Security Assessment
• The company should develop ways to safeguard against security risks
• Need to Create policies in order to protect against online attacks
• There is also a need to create Safeguards Against Unauthorized Access to its Network

Recommended Reading: Zoom is Rolling Out End-to-End Encryption