
Videoconferencing app Zoom, which surged in popularity due to COVID-19, will implement an information security program to settle allegations that it deceived users over encryption and privacy practices, the Federal Trade Commission said Monday.
The settlement's other terms include requirements that Zoom refrain from misstating its practices in the future, and that the company undergo biennial audits for 20 years.
The FTC voted 3-2 to approve the deal.
“We are confident that the proposed relief appropriately addresses the conduct alleged in the complaint and is an effective, efficient resolution of this investigation,” FTC Commissioners Joseph Simons, Christine Wilson and Noah Joshua Phillips stated Monday.
The agency's two Democrats dissented, arguing that the settlement doesn't go far enough to protect users' privacy.
Commissioner Rebecca Kelly Slaughter stated the proposed deal “fails to require Zoom to address privacy as well as security,” and also “fails to require Zoom to take any steps to correct the deception we charge it perpetrated on its paying clients.”
Commissioner Rohit Chopra added that the proposed deal “includes no help for affected parties, no money, and no other meaningful accountability.”
The deal comes around eight months after Zoom saw a massive increase in use, as people began working from home during the pandemic. By this April, 300 million people were using Zoom each day, up from just 10 million last December.
As use grew, so did reports of privacy and security problems, including reports that Zoom meetings were being infiltrated by Zoombombers. For instance, Saint Paulus Lutheran Church in San Francisco alleged in a lawsuit brought in May that a bible-study class was hijacked by a hacker who posted pornographic videos, as well as videos depicting child sex abuse.
It also emerged this spring that an integration between Zoom and LinkedIn allowed LinkedIn to gather data about Zoom users.
Additionally, in March The Intercept reported that even though Zoom said it used end-to-end encryption, it actually used “transport” encryption. Unlike end-to-end encryption, transport encryption allows Zoom to access audio and video content.
Earlier this year, Zoom vowed to improve its encryption, and last month the company began rolling out end-to-end encryption for all users.
The FTC's complaint against Zoom, unveiled Monday, focused on the company's statements about encryption, and on allegations that its software left Safari users vulnerable to remote video surveillance.
“Since at least June 2016, Zoom has represented in its app, on its website ... in blog posts, and in direct communications with customers, that it offered end-to-end encryption,” the complaint alleges.
The FTC adds that, contrary to the company's promises, most Zoom meetings weren't end-to-end encrypted.
Zoom also allegedly installed software on some Mac computers that left users vulnerable to remote video surveillance, according to the complaint.
The complaint didn't include allegations related to Zoombombing or the LinkedIn integration. Zoom separately faces lawsuits by consumers over those claims.
The FTC will accept comments on the proposed settlement for 30 days after its publication in the Federal Register, which is expected to occur later this week.