Zoom is Obligated to Improve its Security Practices as Part of a Settlement
10 November 2020
10/11/2020
Technology & eCommerce Regulation in the Spotlight
On 9 November 2020, the Federal Trade Commission (“FTC“) has announced a settlement with Zoom Video Communications, Inc. (“Zoom“), over allegations of deceptive and unfair security practices, as well as undermining a browser security feature.
As part of the settlement, Zoom is required to implement a comprehensive information security program, including specific measures with regard to the deficiencies addressed in the FTC’s complaint. These include, inter alia, deployment of various safeguards, establishment of data deletion controls and internal review of any software update for possible security flaws and negative implications on third-party security features. Zoom is also prohibited from making misrepresentations of its privacy and security practices.
The FTC alleges that for at least four years Zoom misled users regarding its encryption practices. The company claimed to use “end-to-end, 256-bit encryption” while in fact it provided a lower level of security. In addition, while end-to-end encryption should only enable the sender and the recipients to access the content, Zoom maintained cryptographic keys in a manner that enabled it to access content, which sometimes includes sensitive topics such as health and finance.
In addition, according to the complaint, Zoom misled users with regard to its storage practices, by falsely claiming that recorded meetings would be encrypted immediately upon their conclusion. In fact, some recordings were allegedly stored unencrypted for sixty days, prior to their transfer to a secure location.
According to the FTC, Zoom has also compromised users’ security by secretly installing a software called “ZoomOpener“, in Apple’s Mac devices. This software was removed by Apple in July 2019. The ZoomOpener software remained on users’ devices even after deletion of the Zoom app, and in certain cases would automatically reinstall the Zoom app without any user action.
ZoomOpener allowed the Zoom app to automatically launch and add a user to a conversation, while bypassing safeguards provided to users by Apple’s Safari browser. In doing so, the software blocked a warning box that would have otherwise been presented to the users for their approval to launch the Zoom app. Due to this and in the absence of other offsetting protective measures, the risk of remote video surveillance has increased.
The FTC’s complaint also alleges that Zoom’s software update, as part of which ZoomOpener was installed, did not include adequate disclosures regarding the installation’s implications nor respective user consent.
This enforcement action demonstrates the importance of adequate disclosure of companies’ security and privacy practices, including their implications with regard to the users and third parties, as well as the regulatory scrutiny over unauthorized installations.
********************
Feel free to contact us with any further question or comments regarding the update and subjects detailed above.
Kind regards,
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation
Herzog Fox & Neeman
