Zoom lied to customers, U.S. government says — what you need to know

Zoom lied to customers, U.Due south. authorities says — what you lot need to know

(Epitome credit: Zoom)

Zoom got a stern dressing-down yesterday (Nov. 9) by the U.Southward. government, which said the company must implement new procedures to settle allegations by the Federal Trade Commission that the video-conferencing platform lied nigh its security and installed software on customers' Macs without their permission.

Zoom "engaged in a series of deceptive and unfair practices that undermined the security of its users," the FTC's official annunciation said. "Zoom misled users by touting that it offered 'cease-to-end, 256-chip encryption' to secure users' communications, when in fact information technology provided a lower level of security."

Zoom security issues: Here's everything that's gone wrong (and so far)
Best free Zoom backgrounds
Latest: Zoom live captions let you lot zone out during meetings

Zoom will be required to review its own security every year, take an external party conduct a review every other twelvemonth, create a vulnerability-management program, show that it properly deletes old customer data and adds multi-factor authentication as a customer selection.

"Zoom is too prohibited from making misrepresentations about its privacy and security practices," the FTC said.

Customers won't immediately encounter annihilation unlike virtually Zoom. Some of the FTC's must-do's, including Zoom'due south 2-factor authentication (2FA), take already been put into place, and nigh of the other mandated changes will be going on behind the scenes.

Serious charges against Zoom

The allegations are serious and largely undisputed. Zoom boasted that it used "end-to-end encryption" when it really didn't, and information technology finally copped to the charge in March.

In 2018, Zoom secretly installed a web server on Macs that let websites spy on users and re-installed the Zoom meeting software even later on the user had deleted the program. And information technology told customers that recorded meetings stored on Zoom servers would immediately be encrypted, which wasn't always true.

"In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom's videoconferencing services," the FTC press release said. "In reality ... Zoom maintained the cryptographic keys that could let Zoom to access the content of its customers' meetings."

'No recourse for paying customers'

But Zoom won't be paying any fines, which rankled the two Democratic commissioners on the FTC'southward five-fellow member lath, peculiarly since Zoom has benefited enormously from the coronavirus pandemic. All the FTC's complaints date from before the pandemic started.

"Years before the global pandemic ... the company made decisions that threatened the security and privacy of its longstanding core business customers," Commissioner Rebecca Kelly Slaughter wrote in a dissent. "Yet the Commission's proposed settlement provides no recourse for these paying customers."

"Zoom's arroyo to user privacy was fundamentally reactive rather than proactive," she added. The settlement "fails to impose whatever requirements directly protecting user privacy. ... The reason customers care nigh security measures in products like Zoom is that they value their privacy."

The settlement "includes no aid for afflicted parties, no money, and no other meaningful accountability," said Commissioner Rohit Chopra in his own dissent. "It does nothing for small businesses that relied on Zoom'south data-protection claims. And information technology does not require Zoom to pay a dime."

"The allegations in the FTC'southward complaint raise questions whether Zoom's success — and the tens of billions of dollars of wealth created for its shareholders and executives in a short menses of time — was advanced through off-white play," Chopra added. "We should all exist questioning whether Zoom and other tech titans expanded their empires through charade."

Since the pandemic hit the U.South. in March and Zoom'southward usage (and share price) skyrocketed, the visitor has made numerous loftier-profile security hires, fixed the terminate-to-end encryption trouble and added 2FA as an choice.

The FTC's job is to make sure companies don't lie or overly exaggerate in their marketing, statements or practices. It doesn't accept the power to make companies go beyond what they've already claimed they can practise.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul commuter, code monkey and video editor. He's been rooting effectually in the data-security infinite for more 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random Boob tube news spots and fifty-fifty chastened a panel discussion at the CEDIA dwelling house-technology conference. You lot tin can follow his rants on Twitter at @snd_wagenseil.