Seven months after being called upon by members of Congress to investigate Zoom’s data security practices, a divided FTC announced on November 9 a settlement with the videoconferencing platform.
The FTC’s five-count administrative complaint alleges that Zoom deceived users about several of its security features and harmed users by circumventing security and privacy controls provided by their operating systems and browsers. The proposed consent order requires Zoom to make changes to its data security practices, implement a comprehensive information security program, and obtain independent assessments of its program for 20 years after entry of the order – but does not require the company to pay monetary relief. In separate dissents, Commissioners Chopra and Slaughter argue that the proposed relief does not go far enough.
Companies watching the FTC’s data security enforcement trends will want to take note of two main takeaways: claims about the strength of security protections in products and services warrant close scrutiny, and software deployments that weaken or circumvent other security controls on users’ devices will likely receive a tough reception from the FTC.
Allegations in the FTC’s Complaint
Deception. Although Zoom has grown rapidly during the coronavirus pandemic, much of the FTC’s complaint focuses on conduct that predates the massive shift to videoconferencing as a substitute for in-person family, business, social, and religious gatherings. Specifically, the FTC alleges that Zoom misrepresented several features of its service through blog posts, user documentation, and other publicly available statements:
- End-to-end encryption: Zoom asserted that it used end-to-end encryption (i.e., encryption that only the parties to a communication can decipher) but did not disclose that, for most versions of its service, Zoom stored encryption keys that would also allow Zoom to decrypt users’ communications.
- Level of encryption: Zoom claimed to use 256-bit encryption keys but apparently used 128-bit keys.
- Unencrypted storage: Zoom stored meeting recordings in unencrypted form for 60 days before moving them to encrypted storage.
- Disguised updates: A software update billed as providing “minor bug fixes” did not disclose that it would install a web server on users’ devices.
Unfairness. In addition, the FTC alleges that Zoom unfairly harmed users’ privacy and security interests by installing a “secret” web server as part of a 2018 update to its app for Apple Mac computers. According to the complaint, this update worked around privacy and security protections in the Safari browser and exposed Zoom users to potential phishing, denial of service, and remote code execution vulnerabilities. The complaint notes that Zoom users share health, financial, proprietary and other sensitive information but does not describe actual breaches involving such information.
Proposed Order Provisions
The Zoom order is generally consistent with recent changes in FTC data security orders, which reflect the agency’s efforts to ensure that its orders are specific enough to be enforceable, set tighter standards for security program assessments, and impose requirements for managerial oversight and order compliance. Along these lines, key requirements in the Zoom order are as follows:
- Comprehensive Information Security Program. Zoom’s security program that Zoom must, at minimum, meet 10 families of requirements, most of which consist of multiple sub-requirements.
- Independent Assessments. Zoom must obtain independent security assessments every other year during the order’s 20-year term. Among other requirements, the assessor must identify the evidence obtained to support its conclusions and may not rely on “primarily on assertions or attestations” by the company.
- Annual Certifications. A “senior corporate manager” must file an annual certification stating that the company has met the requirements of the order and is not aware of any “material noncompliance” that has not been corrected or disclosed to the FTC.
- Incident Reporting. Finally, Zoom must report to the FTC instances of unauthorized access to or acquisition of recorded or livestream video or audio content within 30 days of discovering such an incident, unless the incident affects fewer than 500 users or meets other exceptions.
Dissents: A Preview of the Next FTC?
Consistent with their dissents in a string of major privacy and data security cases (e.g., YouTube and Facebook), Commissioners Chopra and Slaughter criticize the Zoom settlement for falling short in the relief provided to consumers and the changes required in Zoom’s business practices.
Perhaps most significantly in light of the potential changes in store for the FTC under a Biden-Harris administration, Commissioners Chopra and Slaughter endorse a list of seven recommendations to “restore credibility” (in Commissioner Chopra’s words) and “improve the effectiveness” of the FTC’s enforcement efforts:
- Strengthen orders to emphasize more help for individual consumers and small businesses, rather than more paperwork.
- Investigate firms comprehensively across the FTC’s mission.
- Diversify the FTC’s investigative teams to increase technical rigor.
- Restate existing legal precedent into clear rules of the road and trigger monetary remedies for violations.
- Demonstrate greater willingness to pursue administrative and federal court litigation.
- Increase cooperation with international, federal, and state partners.
- Determine whether third-party assessments are effective.
With respect to Zoom in particular, Commissioner Slaughter argues that the company’s practices harmed consumers’ privacy interests and that a “more effective order” would require Zoom to address privacy and security risks in its services. Despite the greater specificity in the Zoom order compared to FTC data security orders of a few years ago, Commissioner Chopra criticizes this settlement as a “status quo approach” that does not provide for direct notice or relief for Zoom’s customers.
For more information on the FTC and other topics, visit:
- Advertising and Privacy Law Resource Center
- Ad Law News and Views Newsletter
- Ad Law Access Blog
- Privacy and Data Security Practice Page
- Advertising Law Practice Page