Zoom settles with FTC over claims it misled users on encryption strength

Dave W. Shanahan


Zoom Video Communications reached a settlement with the Federal Trade Commission (FTC) regarding the company’s “end-to-end encryption” claim for its popular Zoom video chat software. Just last month, Zoom finally rolled out free end-to-end encryption to all users. In April, Zoom found itself in trouble when the company confirmed that users’ data was not fully encrypted, and that the encryption did not even meet industry standards.

As noted in a story by TechCrunch, the FTC now requires Zoom to “enhance its security practices” moving forward. According to Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, Zoom did not live up to its promise of privacy and security for its users.

“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever. Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

In the official announcement, the FTC outlines the steps that Zoom must complete to provide more robust security practices moving forward.

1. Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
2. Implement a vulnerability management program; and
3. Deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.

In addition, Zoom personnel will be required to review any software updates for security flaws and must ensure the updates will not hamper any other third-party security features.

The arrival of end-to-end encryption on Zoom means no one, including Zoom itself, should now be able to access your Zoom call. End-to-end encryption is already available on existing services, including Signal and WhatsApp. Just a reminder, Microsoft Teams is encrypted in transit and at rest.