Zoom Settles With FTC Over Encryption Claims

Videoconferencing app Zoom, which surged in popularity due to COVID-19, will implement an information security program to settle allegations that it deceived users over encryption and privacy practices, the Federal Trade Commission said Monday.

The settlement's other terms include requirements that Zoom refrain from misstating its practices in the future, and that the company undergo biennial audits for 20 years.

The FTC voted 3-2 to approve the deal.

“We are confident that the proposed relief appropriately addresses the conduct alleged in the complaint and is an effective, efficient resolution of this investigation,” FTC Commissioners Joseph Simons, Christine Wilson and Noah Joshua Phillips stated Monday.

The agency's two Democrats dissented, arguing that the settlement doesn't go far enough to protect users' privacy.

Commissioner Rebecca Kelly Slaughter stated the proposed deal “fails to require Zoom to address privacy as well as security,” and also “fails to require Zoom to take any steps to correct the deception we charge it perpetrated on its paying clients.”

Commissioner Rohit Chopra added that the proposed deal “includes no help for affected parties, no money, and no other meaningful accountability.”

The deal comes around eight months after Zoom saw a massive increase in use, as people began working from home during the pandemic. By this April, 300 million people were using Zoom each day, up from just 10 million last December.

As use grew, so did reports of privacy and security problems, including reports that Zoom meetings were being infiltrated by Zoombombers. For instance, Saint Paulus Lutheran Church in San Francisco alleged in a lawsuit brought in May that a bible-study class was hijacked by a hacker who posted pornographic videos, as well as videos depicting child sex abuse.

It also emerged this spring that an integration between Zoom and LinkedIn allowed LinkedIn to gather data about Zoom users.

Additionally, in March The Intercept reported that even though Zoom said it used end-to-end encryption, it actually used “transport” encryption. Unlike end-to-end encryption, transport encryption allows Zoom to access audio and video content.

Earlier this year, Zoom vowed to improve its encryption, and last month the company began rolling out end-to-end encryption for all users. 

The FTC's complaint against Zoom, unveiled Monday, focused on the company's statements about encryption, and on allegations that its software left Safari users vulnerable to remote video surveillance.

“Since at least June 2016, Zoom has represented in its app, on its website ... in blog posts, and in direct communications with customers, that it offered end-to-end encryption,” the complaint alleges.

The FTC adds that, contrary to the company's promises, most Zoom meetings weren't end-to-end encrypted.

Zoom also allegedly installed software in some Mac computers that left users vulnerable to remote video surveillance, according to the complaint.

The complaint didn't include allegations related to zoombombing, or the LinkedIn integration. Zoom separately faces lawsuits by consumers over those claims.

The FTC will accept comments on the proposed settlement for 30 days after its publication in the Federal Register, which is expected to occur later this week.
