• by Wendy Davis  @wendyndavis, December 24, 2020

The Federal Trade Commission should require Zoom to notify any users who were affected by the company's alleged prior practices, and to implement a privacy program, the think tank New America Open Technology Institute says.

“Consent agreements should both provide remedies for the unfair and deceptive practices alleged and seek to prevent future wrongdoing,” the organization writes in comments submitted to the agency this month. “The FTC’s proposed consent agreement with Zoom fails to achieve either of these goals fully.”

The Open Technology Institute is weighing in on the FTC's potential settlement with Zoom over alleged security and privacy lapses. The deal, approved 3-2 by the FTC, requires Zoom to implement an information security program, refrain from misstating its practices in the future, and undergo biennial audits for 20 years.

If finalized, the settlement will resolve allegations relating to Zoom's security and privacy practices, including allegations that Zoom misled users by falsely stating meetings were end-to-end encrypted.

The Open Technology Institute says the settlement is “incomplete” for several reasons, including that it doesn't require Zoom to notify users about the alleged security violations, or issue refunds to paying customers. The organization also says the FTC should require Zoom to implement a privacy program, not merely a security program.

“The fact that the order as written requires Zoom to implement a comprehensive security program, but not a privacy program, ignores the fact that poor or deceptive encryption practices aren’t just dangerous because of the potential for a security breach,” the group writes.

“The importance of secure and private online communications during the COVID-19 pandemic cannot be overstated,” the think tank writes. “Appointments with medical or legal professionals are taking place over Zoom now, as are many weddings and funerals. Encryption is crucial to ensuring that these interactions are secure and private.”

Zoom use surged this spring, when people began working from home due to the pandemic. But as the company grew, several privacy and security issues emerged.

In late March, The Intercept reported that Zoom uses “transport” encryption, despite representations that it offered end-to-end encryption. Transport encryption, unlike end-to-end encryption, allows Zoom to access audio and video content.

Zoom subsequently began rolling out end-to-end encryption.

Other potential security and privacy issues also emerged this spring, including reports hackers were able to “zoombomb” video conferences -- hijacking meetings and often bombarding them with porn or hate speech.

Last month, the company released new tools aimed at preventing zoombombing.

The Open Technology Institute isn't the only organization criticizing the proposed settlement. Watchdogs including the Electronic Privacy Information Center also say the FTC should require Zoom to implement a comprehensive privacy policy.