The privacy of the videoconferencing app, Zoom, has been a hot topic of debate since the quarantine started, especially considering that as many as 300 million daily meeting participants could be affected. There were actually issues reported in the past regarding Zoom’s privacy, including Zoombombing, which saw unwanted and disruptive intrusions into Zoom videoconference calls.
Probably the most important matter in Zoom’s privacy details, its claims of end-to-end encryption (E2EE), was also criticised, with complaints about its absence or authenticity. In March, there were reports about Zoom’s provisions that still allowed the company to access video meetings of users. However, just last October, Zoom announced that its E2EE had finally arrived.
Despite this declaration, Zoom is still under fire for its security measures, with the USA government’s Federal Trade Commission (FTC) announcing a settlement with Zoom Video Communications, Inc. This will require the company “to implement a robust information security program to settle allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users”.
According to the FTC, Zoom is giving its users false security by misleading them with their “end-to-end, 256-bit encryption” offer, which in fact provides a lower level of security since at least 2016. The FTC said that E2EE is a method of securing communications so that only the sender and recipient(s)—and no other person, not even the platform provider—can read the content.
“In reality, the FTC alleges, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings and secured its Zoom Meetings, in part, with a lower level of encryption than promised”, FTC added.
The FTC said that this deception could risk sensitive information being transmitted in Zoom meetings, such as health and financial information. Aside from concerns with E2EE, the FTC also alleges that Zoom did not implement any offsetting measures to protect users’ security and increased users’ risk of remote video surveillance by strangers through the ZoomOpener web server found in Mac devices.
With this, the FTC ordered Zoom to take specific measures in addressing this problem, according to their report, Zoom must:
Assess and document, on an annual basis, any potential internal and external security risks and develop ways to safeguard against such risks;
Implement a vulnerability management program; and
Deploy safeguards such as multi-factor authentication to protect against unauthorised access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.
In addition, Zoom is also required to review any software updates for security flaws and ensure the updates will not hamper third-party security features. The company must also obtain biennial assessments of its security program by an independent third party, which the FTC has the authority to approve and notify the commission if it experiences a data breach.
Finally, the FTC now prohibits Zoom from making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains or discloses personal information; its security features and the extent to which users can control the privacy or security of their personal information.