
FTC Settlement Requires Zoom to Improve Its Security Practices; Measures Include a Mandatory Vulnerability Management Program

On the whole, Zoom has had a successful year in the sense that it added hundreds of millions of users and is projected to double its 2019 revenue. However, that growth did not come without substantial pains. The Federal Trade Commission (FTC) is catching up with some of the earliest of these issues, reaching a settlement with the video conferencing platform over longstanding complaints about the scope of its encryption and a 2018 incident that compromised certain Apple Safari browsers. The company will be required to make a number of significant changes to its security practices as a result of decisions that the FTC says “gave users a false sense of security.”

FTC requires major changes, but no fines

The FTC’s settlement requires that Zoom update its security practices with a comprehensive new program that includes vulnerability management, annual documentation of risks and new security safeguards such as multi-factor authentication (MFA). The company is not facing any fines under the settlement terms.

The FTC alleged that Zoom engaged in a series of deceptive and unfair practices that undermined the security of its users. The centerpiece of this case was the platform’s claims about its encryption capabilities, which dated back to 2016 and continued into the present year. Zoom had been claiming that it offered “end-to-end 256-bit encryption,” but in practice it was found to be neither of those things. Zoom retained internal access to the encryption keys used to secure video conferences, and the FTC also alleged its claim about the strength of its encryption was overstated.

The fact that Zoom employees could potentially look in on encrypted communications was troubling, but an even greater source of concern was Zoom’s routing of traffic from all over the world through web servers hosted in China. This could subject Zoom to requests for access to this information under the Chinese National Intelligence Law, which compels all parties doing business in the country to comply with these sorts of demands. Zoom voluntarily disconnected non-Chinese traffic from servers in the country earlier this year.

Some technical issues also contributed to the decision. Zoom had been claiming that stored meetings were encrypted immediately; it turns out that they could sit for up to 60 days before being encrypted and transferred to secure cloud storage. In 2018, the company also activated the ZoomOpener feature on Macintosh computers which had the ability to launch without the standard Safari warning box that requires affirmative consent from the user. ZoomOpener was removed in a July 2019 update.

In addition to making the specified updates to its security practices, Zoom is formally required to not misrepresent its security capabilities or handling of private user information. Once every two years, the company will be required to undergo an audit conducted by an independent third party appointed by the FTC to ensure it remains in compliance with all of these terms. It is also subject to strict notification requirements in the event of a data breach.

Zoom’s improved security practices

While Zoom’s primary focus has always been virtual business meetings, the COVID-19 pandemic has caused it to be adopted for all sorts of uses. Many of these involve very sensitive personal information: consultations with health care providers, virtual classes, political organizing, family get-togethers at the holidays, and more. Health and financial information is sometimes shared over the platform, as are more basic contact details and confidential company secrets.

Zoom endured a barrage of bad press due to various security mistakes over the past year, and has already voluntarily made a number of changes and improvements in response to this criticism. For example, in addition to routing data around China, the company has also addressed the encryption concerns by rolling out a four-step plan that will add true end-to-end AES 256-bit encryption among various other new security settings. The first of these phases launched as a technical preview late last month.

Tom DeSot, EVP & CIO of Digital Defense, sees this as a sign that the FTC will intervene further when security practices at big tech firms become egregiously negligent: “The fines imposed by the FTC are a prime example of the type of actions companies are going to face when they do not take security in their products seriously. Zoom unfortunately ended up being the poster child for how not to handle things when vulnerabilities are found in commercial products.”

While Zoom has taken a number of important steps to turn things around from the early days of the pandemic (when a number of news outlets were referring to it as a “privacy disaster”), the company’s security practices still have some soft spots. Zoom is considered generally safe to use at this point, but users should be aware of several “best practices” for protecting their personal information. One is to join meetings via a web browser rather than the Zoom desktop client or mobile app, which limits the number of potential vulnerabilities and also gives access to the most recent security improvements. Apple users should also be aware that some security improvements, such as the new level of encryption, will lag behind somewhat for them, as updates are subject to a separate approval process.

Another important element to be aware of is that while Zoom has added quite a few new features as part of this ongoing tuning of its security practices, many of these are not on by default. This includes the use of MFA for logins, password protection for meetings, and new tools for kicking out unwanted and disruptive “Zoom bombers” that crash meetings.