The Federal Trade Commission (FTC) announced last week that it had settled claims with Zoom Video Communications, Inc. (Zoom) relating to a variety of allegedly false and misleading representations made by Zoom about the security features of Zoom’s videoconferencing platform. The case is of interest because of the platform’s widespread use for corporate and personal videoconferencing, which has exploded during the COVID-19 pandemic. The FTC’s complaint, for example, noted that Zoom videoconferencing had increased from 10 million per day to 300 million per day during the pandemic.
Among other things, the FTC alleged that Zoom had failed to:
In contrast to these failings, the FTC alleged that Zoom had touted its supposedly robust security protocols. For example, the FTC alleged that Zoom had:
Despite making these representations, Zoom later acknowledged that it was not using end-to-end encryption, as that term is typically understood. Further, according to the FTC, Zoom was not using 256-bit encryption but was instead using a less secure 128-bit encryption. Finally, the FTC’s complaint asserted that Zoom had taken active measures to avoid the security safeguards imposed on Apple’s Safari application, which exposed users to additional vulnerabilities.
Last week, the FTC announced that Zoom had settled the FTC’s complaint. Under the settlement agreement, Zoom must avoid any further misrepresentations regarding its platform’s security features and adopt new measures to enhance the security of its systems, including:
A full copy of the settlement agreement can be located here: https://www.ftc.gov/system/files/documents/cases/1923167zoomacco2.pdf.
As data security takes on increasing importance in the marketplace, the FTC’s action against Zoom is a reminder that companies should not only implement prudent data security measures but should also ensure that any descriptions of such protocols in their marketing materials are accurate and not misleading.