FTC vs. Zoom

privacy E2EE Security zoom video conferencing FTC

Change your shirt, fix your hair, move the piles of laundry and dishes into the backyard. Just like the many people scrambling to make themselves presentable for their next video-conference meeting, Zoom has been scrambling to make good on its claim to offer end-to-end encryption on all of its calls, something it had fervently said it had been doing for years.

In a tentative settlement agreement reached with the Federal Trade Commission (FTC), Zoom has agreed to upgrade its security practices after the FTC declared that Zoom had lied to users for years by claiming it offered end-to-end encryption (E2EE) when it actually did not.

Alleging that Zoom engaged in "unfair and deceptive practices that undermined the security of its users", the FTC claimed that since before 2016 "Zoom misled users by touting that it offered 'end-to-end, 256-bit encryption' to secure users' communications, when in fact it provided a lower level of security." In a November announcement, the FTC said "Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers' meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised."

Zoom's popularity surged in April 2020 to nearly 300 million users per day, up from 10 million in December 2019, making it a target for attackers and resulting in Zoom-bombing, phishing scams, and malware-embedded installers. There is good reason why it took off while other platforms have essentially been forgotten: it's easy to set up and use, and it's free. It has become the go-to platform for doctors assessing patients, teachers instructing students, yoga instructors vibing with followers, and businesses conducting daily operations. But Zoom's main selling point was its security.

In the complaint filed in March 2020, the FTC said that Zoom had been publicly claiming through many channels that it offered E2EE. Zoom finally had to admit that its touted "end-to-end" encryption was not what it seemed, and the company then announced plans to purchase a small New York City startup called Keybase in order to quickly deploy E2EE for its meetings.

More controversy ensued when Zoom announced that E2EE would only be available to paid users. Then, after intense backlash, it further announced that, okay, okay, all users would have E2EE in their meetings.

Ahead of the FTC's settlement announcement, Zoom casually released a white paper in June outlining its plan to address customer feedback by beefing up its privacy and security policies and offering E2EE. The 24-page report lays out a four-phase long-term roadmap for developing E2EE. In its own words: "The current design provides confidentiality and authenticity for all Zoom data streams, but it does not provide 'true' end-to-end (E2E) encryption as understood by security experts due to the lack of end-to-end key management." Coincidentally, these were the same demands presented in the FTC's court order just a few weeks earlier.
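To make the white paper's distinction concrete, here is an added toy model (not Zoom's code, not from the page) of the two key-management designs: a provider that mints and holds the meeting key, versus clients that agree a key among themselves and use the provider only as a relay. It assumes a constructed HMAC-based stream cipher and a toy Diffie-Hellman group purely for illustration.

```python
# Toy model, added here and not Zoom's code, of the two key-management designs the post
# contrasts: a server that mints and holds the meeting key vs. clients that agree it themselves.
import hashlib, hmac, os, secrets

# Constructed toy stream cipher: keystream = HMAC-SHA256(key, nonce || block counter).
# Illustrative only; a real deployment would use an AEAD such as AES-GCM.
def xor_stream(key, nonce, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

P, G = 2**127 - 1, 5   # toy Diffie-Hellman group (Mersenne prime); real systems use ECDH

class RelayServer:
    def __init__(self):
        self.meeting_key, self.traffic = None, []   # key is only set in the provider-managed design
    def issue_meeting_key(self):            # provider-managed keys: the server keeps a copy
        self.meeting_key = os.urandom(32)
        return self.meeting_key
    def relay(self, nonce, ct):
        self.traffic.append((nonce, ct))
        return nonce, ct
    def what_server_can_read(self):         # the FTC's point: key custody is content access
        if self.meeting_key is None:
            return []
        return [xor_stream(self.meeting_key, n, c) for n, c in self.traffic]

class Client:
    def __init__(self):
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)    # public value; safe to send through the relay
        self.key = None
    def agree_e2e(self, peer_pub):          # end-to-end key management: key never leaves clients
        shared = pow(peer_pub, self._priv, P)
        self.key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    def send(self, server, msg):
        nonce = os.urandom(12)
        return server.relay(nonce, xor_stream(self.key, nonce, msg))
    def recv(self, nonce, ct):
        return xor_stream(self.key, nonce, ct)

def server_managed_meeting(msg=b"patient notes"):
    server, alice, bob = RelayServer(), Client(), Client()
    alice.key = bob.key = server.issue_meeting_key()   # key distributed by the provider
    return bob.recv(*alice.send(server, msg)), server.what_server_can_read()

def e2e_meeting(msg=b"patient notes"):
    server, alice, bob = RelayServer(), Client(), Client()
    alice.agree_e2e(bob.pub); bob.agree_e2e(alice.pub)  # only pub values cross the relay
    return bob.recv(*alice.send(server, msg)), server.what_server_can_read()
```

Both meetings deliver the message to Bob; only in the provider-managed design does the relay end up with plaintext, which is exactly the "lower level of security" the FTC described.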

The FTC settlement requires that Zoom establish a program for resolving privacy vulnerabilities and security flaws, including conducting regular code reviews and yearly penetration tests. The details are as follows:

  • assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks
  • implement a vulnerability management program
  • deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network, institute data deletion controls, and take steps to prevent the use of known compromised user credentials

The FTC also prohibits Zoom from making misrepresentations about its privacy and security practices, including how it collects, uses, maintains, or discloses personal information, its security features, and the extent to which users can control the privacy or security of their personal information.

According to a blog post published by Consumer Reports in April 2020, it appears that Zoom isn't the only privacy-offending video-conferencing platform. Cisco Webex, Microsoft Teams and Skype, and Google's Duo, Meet, and Hangouts also have questionable privacy policies. Cisco, Microsoft, and Google all have the ability to collect data while you are in a video conference.

Having meeting participants sign in with passwords and use two-factor authentication is highly recommended, and it is also recommended that users join Zoom meetings through their web browser rather than the desktop client, as the browser version receives security updates faster.

While the settlement doesn't impose any financial consequences on Zoom, it will open the company up to future lawsuits (some have already been filed), and those will have a higher chance of success now that the FTC has confirmed that Zoom misled consumers.

Like its stock price, Zoom's user base has only taken a small and momentary hit, but making good on its security claims under the intense scrutiny and pressure of the FTC and 300 million users may mean that the scrambling will continue for a while.
