In a settlement with the U.S. Federal Trade Commission over the company’s “deceptive and unfair” security practices that led to scrutiny over the popular videoconferencing platform earlier this year, Zoom is required to establish a comprehensive security program.
Zoom – which has already released new security features and hired key cybersecurity personnel after a 90-day non-security feature freeze in response to concerns over meeting hijacking – has agreed to document potential security risks and develop ways to protect against those risks, implement a vulnerability management program and deploy security controls like multi-factor authentication and data deletion controls.
The company must also review software updates for security flaws, obtain biennial assessments of its security program from a third party and not make false or mispresented statements about privacy or security, according to the FTC’s statement.
Like many other collaboration providers over the last year, Zoom has exploded in usage, increasing its user base from 10 million in December 2019 to 300 million in April.
However, that surge in usage came with a good amount of security concerns.
The FTC alleges that Zoom misled users, saying it offered “end-to-end, 256-bit encryption” when in reality the company offered a lower level of encryption and “maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings.”
Zoom also allegedly misled users who wanted to store recorded meetings on the company’s cloud, saying those meetings were encrypted immediately after the meeting ended when some recordings were stored unencrypted on the company’s servers for up to two months.
Other actions called into question were secretly installing software as part of a manual update for some users that “increased users’ risk of remote video surveillance by strangers” and other deceptive practices.
“Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information,” the FTC alleged.
“In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services.”
These issues were made apparent since the start of the COVID-19 pandemic when businesses, schools and other organizations around the world flocked to the popular and easy-to-use videoconferencing and collaboration platform.
The lack of robust security tools allowed hackers and other unauthorized users to access Zoom calls.
To its credit, Zoom acknowledged those issues and embarked on a three-month security binge while the company froze non-security features. That resulted in deeper security controls and most recently, the roll out of end-to-end encryption.