The Federal Trade Commission said Monday it has finalized a settlement with Zoom over alleged security and privacy lapses, despite objections to the deal by acting chair Rebecca Kelly Slaughter, who says the terms aren't stringent enough.
The settlement requires the video conferencing company to implement an information security program, refrain from misstating its practices in the future, and undergo biennial audits for 20 years.
The deal resolves allegations that Zoom deceived users over some security and privacy practices, including claims that Zoom misled users by falsely stating meetings were end-to-end encrypted.
Those allegations first surfaced in a report in The Intercept last spring, as Zoom was surging in popularity due to the pandemic. Zoom subsequently began rolling out end-to-end encryption for all users.
The FTC voted 3-2 to grant the deal final approval. Former Chairman Joe Simons departed the agency on Friday -- 10 days after the deal was finalized, but before the FTC announced the settlement had been accepted.
Slaughter dissented, writing that the terms don't address Zoom's “privacy failings” or compensate users.
The FTC's deal with Zoom doesn't directly address allegations that an integration between Zoom and LinkedIn may have allowed LinkedIn to gather data about Zoom users. The settlement also doesn't address reports that Zoom sent data about some users to Facebook, or that hackers were able to “zoombomb” video conferences -- hijacking meetings and often bombarding them with porn or hate speech.
In December, advocacy groups, including the Electronic Privacy Information Center, Center for Digital Democracy, Campaign for a Commercial-Free Childhood, Parent Coalition for Student Privacy and Consumer Federation of America, voiced opposition to the settlement.
Those groups urged the FTC to impose new privacy conditions, including a requirement that Zoom implement a comprehensive privacy program (as opposed to a security program), make privacy assessments publicly available, compensate paying consumers, and limit data collection about children.
Slaughter noted those objections in her written dissent.
“Many individual consumers shared their frustration that the FTC did not do more,” she wrote. “Expert consumer advocacy groups shared this frustration and echoed my call for a strong privacy program and help for Zoom’s customers. Advocacy groups also called for the FTC to require reporting transparency when imposing third-party assessments, which I strongly support.”
A Zoom spokesperson said the company is “continuously improving” its privacy and security programs, and has made well-documented “advancements” to its platform.
“We remain committed to fulfilling the expectations of the millions of people who trust and rely on our platform,” the spokesperson said.