Zoom Settles Alleged Unfair & Deceptive Practices with Federal Trade Commission

Written by: Charles R. Langhorne IV, Esq.

In November, the U.S. Federal Trade Commission (the “FTC”) released a Consent Agreement outlining the terms of the settlement the FTC reached with Zoom Communications regarding alleged unfair and deceptive practices.

The Complaint by the FTC, which led to the Consent Agreement, alleged that Zoom misled users in 3 major ways:

  1. Zoom misled users by touting that it offered end-to-end, 256-bit encryption to secure users’ communications, when in fact it provided a lower level of security. End-to-end encryption is a method of securing communications so that only the sender and recipient(s)—and no other person, not even the platform provider—can read the content.
  2. Zoom misled users who wished to store recorded meetings in the cloud by claiming that the cloud storage provided by Zoom immediately encrypted the recorded sessions. In fact, some of the recorded sessions were stored for up to 60 days on unencrypted servers before being transferred to its secure cloud storage.
  3. As part of a July 2018 update, Zoom secretly installed software on Apple computers called a ZoomOpener web server. ZoomOpener web server allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware. Without the ZoomOpener web server, the Safari browser would have provided users with a warning box, prior to launching the Zoom app, that asked users if they wanted to launch the app. The Complaint alleges that Zoom’s release notes for the July 2018 update were deceptive because they did not adequately disclose that the app update would install the ZoomOpener web server on users’ computers.

The Consent Agreement outlines a multitude of steps and procedures Zoom must take, including:

  • Create an information security program documented in writing, run by qualified employees, and designed with security in mind.
  • Implement a security review for all software updates prior to releasing the updates to the public.
  • Implement a vulnerability management program.
  • Implement data deletion procedures.
  • Host regular security training programs for employees.
  • Create and implement incident response policies.
  • Test and monitor new safeguards at least once every 12 months.
  • Obtain biennial assessments performed by an objective, independent third-party professional.
  • Cooperate with the third-party assessors by providing available information and disclosing material facts.
  • Provide annual certification to the FTC that the measures outlined in the Consent Agreement are upheld.

Dissents

Two members of the FTC, Commissioners Slaughter and Chopra, issued dissenting opinions.

Slaughter’s dissent centers on how data security does not amount to data privacy for the consumer. Specifically, Slaughter would have liked to see a requirement that Zoom assess the impact a feature or software has on a consumer’s privacy, rather than only requiring Zoom to assess the mechanisms used to secure the data collected by a given feature or software.

Chopra’s dissent centers on what he calls the FTC’s “status quo approach to privacy, security, and other data protection law violations.” Chopra’s concern is that the Consent Agreement did not do enough to provide remedies for impacted Zoom users. He also would have preferred to see Zoom send notices to users alerting them of the outcome of the FTC’s decision and Zoom’s prior issues.

Next Steps

The FTC will publish a description of the Consent Agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed Consent Order final.