According to the FTC, Zoom lied about the level of its encryption. In reality, the company is allegedly using a “lower level of encryption” to secure meetings on its platform.
The Commission alleged that the company is using AES 128-bit encryption in Electronic Code Book (ECB), contrary to its claim that it is securing users’ data using AES-256 bit encryption.
Zoom gave users a false sense of security particularly to those who are using the company’s platform to discuss sensitive issues including their health and financial information, according to the FTC.
Additionally, the FTC alleged that Zoom put the security of some users by secretly installing software called the ZoomOpener web server as part of a manual update for its Mac desktop app in July 2018.
The software allowed the company to automatically launch and join a user to a meeting by bypassing a safeguard on Apple Inc.’s (NASDAQ: AAPL) Safari browser that prevents a common type of malware.
The FTC alleged that Zoom failed to implement measures to protect users’ security and increased users’ risk of remote video surveillance by strangers.
Terms of the settlement
Under the proposed settlement, Zoom agreed to establish and implement a comprehensive security program to address the FTC’s allegations. The company must do the following:
- Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
- Implement a vulnerability management program; and
- Deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.
Zoom also agreed to the FTC’s order requiring the company’s personnel to o review any software updates for security flaws and must ensure the updates will not block third-party security features.
