Zoom strong-armed by US watchdog to beef up security after boasting of end-to-end encryption that didn’t exist

Zoom has been forced to agree to a range of security improvements in a settlement with America’s consumer watchdog, the Federal Trade Commission, as a result of earlier wrongly claiming it offered true 256-bit end-to-end encryption.

The pact [PDF], announced Monday, obliges the video-conferencing giant to carry out an annual security assessment of its software and have its internal security program assessed by a third-party every two years. It also has to create a vulnerability management program, and add security safeguards, such as multi-factor authentication and proper data deletion.

Zoom staff will have to review software updates for security flaws and make sure they don’t impede third-party security measures – as happened in July 2018, when a Zoom update installed a local web server called ZoomOpener on users’ Macs that bypassed an anti-malware safeguard in Apple’s Safari browser and directly launched the Zoom app.

The commission’s investigation also dug into Zoom’s earlier claim it offered 256-bit end-to-end encryption when in fact the feature didn’t actually exist – the software maker says it has since implemented the technology. To address that part of the FTC’s grumbles against Zoom, the settlement prohibits the biz from “making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information.” Zoom, which was previously slammed for its earlier problematic privacy policy, admitted no culpability under the terms of the deal.

Thanks to the COVID-19 pandemic, Zoom’s user-friendly video conferencing software went from a popular tool to an essential piece of software, and a household name, as people isolated themselves at home. Its share price has quintupled since the beginning of the year, from $100 to $500, after user numbers ballooned from 10 million in December to 300 million in April.

Price drop

That connection was in full view this morning when its share price dropped 13 per cent – not as a result of the FTC settlement but rather the announcement by pharmaceutical giant Pfizer that its COVID-19 vaccine is claimed to be 90 per cent effective in the latest set of tests. That result has pointed to a possible ending of the pandemic in 2021, which would greatly reduce the use of Zoom.

It is notable, however, that the FTC settlement only passed 3-2, with the regulator’s two Democratic commissioners dissenting. Rebecca Kelly Slaughter noted [PDF] that while the settlement addresses security concerns, it does not tackle related privacy concerns, and argued in a statement that “Zoom’s approach to user privacy was fundamentally reactive rather than proactive.”

There is no mention of privacy in the settlement: something that Commissioner Slaughter says “reflects a failure by the majority to understand that the reason customers care about security measures in products like Zoom is that they value their privacy.”

Meanwhile, Commissioner Rohit Chopra said [PDF] that the settlement “includes no help for affected parties, no money, and no other meaningful accountability” and argued that the FTC approaches issues like this in the wrong way: “The FTC’s status quo approach to privacy, security, and other data protection law violations is ineffective.”

He argues that small businesses that signed contracts with Zoom should be allowed to be released from them, or seek refunds, because they were based “on false representations.” And he balks at the fact that Zoom does not have to admit to fault: “Zoom admits nothing and the Commission’s investigation makes no significant conclusions.”

Aside from introducing fines, Chopra also argues that the FTC’s investigative teams need more technical expertise and, as a start, that the agency should restore the role of FTC Chief Technologist. ®