Zoom lied to their users about encryption for years, says FTC

Democrats have put the FTC/Zoom settlement on blast because users won’t get rightful compensation. Zoom lied to its users for years regarding encryption.

Ars Technica reported that Zoom has agreed to “upgrade” its security practices in a settlement with the Federal Trade Commission (FTC).

“[S]ince at least 2016, Zoom misled users by touting that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications, when in fact it provided a lower level of security,” the FTC said today in the announcement of its complaint against Zoom and the tentative settlement. Despite promising end-to-end encryption, the FTC said that “Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.”

The FTC complaint alleges that Zoom’s claim to offer “end to end encryption for any Zoom meeting,” made in its June 2016 and July 2017 HIPAA compliance guides, which are intended for the healthcare industry, was a blatant lie.

“In fact, Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom’s ‘Connecter’ product (which are hosted on a customer’s own servers), because Zoom’s servers—including some located in China—maintain the cryptographic keys that would allow Zoom to access the content of its customers’ Zoom Meetings,” the FTC complaint said.

The FTC announcement mentioned that Zoom also misled some users who wanted to store recorded meetings on Zoom’s cloud storage services by claiming those meetings were encrypted. This is now known to be a lie.

To settle the allegations, Zoom agreed to a requirement to establish and implement a comprehensive security program and to a prohibition on privacy and security misrepresentations.

Zoom agrees to monitoring of security practices

The FTC announcement said Zoom agreed to take the following steps:

  • Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
  • Implement a vulnerability management program; and
  • Deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.

The data deletion part of the settlement requires that all copies of data identified for deletion be deleted within 31 days.

Author profile

Jordan is a Cybersecurity Engineer who has consulted in numerous sectors such as finance, education, manufacturing, and public sector organizations within the United States.