Zoom settles with FTC over misleading security claims
Zoom Video Communications Inc. agreed to boost its security to settle claims that it misled users about access to online meetings and other issues, the U.S. Federal Trade Commission said.
Since at least 2016, the videoconferencing platform, which skyrocketed in popularity this year because of coronavirus lockdowns, said it offered a higher level of encryption for its meetings than it actually did and also misled participants about the level of security for storing meeting recordings, the FTC alleged Monday in a statement.
“During the pandemic, practically everyone — families, schools, social groups, businesses — is using videoconferencing to communicate, making the security of these platforms more critical than ever,” the director of the FTC’s Bureau of Consumer Protection, Andrew Smith, said in the statement. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
As part of the settlement, Zoom will have to document and assess security risks every other year, develop ways to manage them, deploy more methods to protect against unauthorized access to the network and take other steps, including preventing “the use of known compromised user credentials,” the FTC said.
Zoom said it has already put in place the security improvements required by the settlement with the commission.
“We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs,” Zoom said in a statement. “We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC.”
The company’s shares declined 14% to $428.37 at 12:54 p.m. in New York. The stock dropped earlier Monday on news that Pfizer Inc.’s COVID-19 vaccine is more than 90% effective in a trial. Other companies that have benefited during the lockdowns spurred by the pandemic, including Peloton Interactive Inc., also fell on the news. Zoom had jumped more than sixfold this year through Friday’s close, while its tally of daily meeting participants had surged to 300 million from 10 million.
Zoom had hoped that scrutiny over its security lapses was behind it. The company instituted a 90-day security plan on April 1, during which it froze development of other features not related to user privacy and safety. Zoom held public weekly meetings to discuss updates of its efforts, which focused principally on developing the end-to-end encryption it had long promised. It’s the highest level of data privacy available, in which no one — not even Zoom — can decipher communications. The FTC alleged that claiming to have this form of encryption was one of Zoom’s biggest deceptions. The company has also made it easier for hosts to assert control over meetings by screening, muting and kicking out uninvited guests or disruptors.
Since Zoom’s initial 90-day plan ended, the company has promised periodic updates on security. Zoom is currently on a quest to be an even bigger part of users’ lives by debuting a service to provide philanthropic, free and paid events, such as yoga or language-learning classes, and has also developed Zapps, a way to better integrate Zoom with more business applications so that workers are more productive on the platform. Chief Financial Officer Kelly Steckelberg said as recently as last month that security is now built into every product the company is developing.
The commission’s three Republicans voted for the settlement, while its two Democrats dissented.