Watchdogs are criticizing the Federal Trade Commission's proposed settlement with Zoom over potential security risks, calling the deal “unacceptable” because it doesn't address allegations that the company mishandled users' data.
“The Commission should include new privacy safeguard requirements in its consent order with Zoom,” the Electronic Privacy Information Center and other groups write in comments filed with the FTC this week. “A failure to do so now would only create the opportunity for Zoom to avoid monetary penalties in the future if it fails to protect users’ privacy. That is simply unacceptable.”
The comments were also signed by the Center for Digital Democracy, Campaign for a Commercial-Free Childhood, Parent Coalition for Student Privacy and Consumer Federation of America.
The proposed settlement, approved 3-2 by the FTC, requires Zoom to implement an information security program, refrain from misstating its practices in the future, and undergo biennial audits for 20 years.
If finalized, the deal will resolve allegations that Zoom deceived users over some security and privacy practices, including claims that Zoom misled users by falsely stating meetings were end-to-end encrypted.
But the settlement doesn't directly address several privacy issues that emerged earlier this year, particularly at the start of the pandemic, when many people began working from home.
For instance, it emerged this spring that an integration between Zoom and LinkedIn may have allowed LinkedIn to gather data about Zoom users. Also, Zoom reportedly sent data about some users to Facebook. Additionally, hackers were able to “zoombomb” video conferences -- hijacking meetings and often bombarding them with porn or hate speech.
“Zoom’s unlawful business practices created substantial privacy and security risks for consumers and gave the company an unfair advantage at a time when millions of companies, institutions, and individual users were forced to communicate and interact with their teachers, coworkers, friends, family, and others through videoconferencing services,” the groups write.
The Electronic Privacy Information Center and other groups are now urging the FTC to add new privacy terms to the settlement, including a requirement that Zoom implement a comprehensive privacy program (as opposed to a security program), make privacy assessments publicly available, provide redress to its paying consumers, and limit data collection about children.
The agency's two Democrats dissented from the settlement last month, writing that it doesn't go far enough to protect users' privacy.
Commissioner Rebecca Kelly Slaughter stated the proposed deal “fails to require Zoom to address privacy as well as security,” and also “fails to require Zoom to take any steps to correct the deception we charge it perpetrated on its paying clients.”
Commissioner Rohit Chopra added that the proposed deal “includes no help for affected parties, no money, and no other meaningful accountability.”