Regulator urges Zoom to enhance data security over alleged deceptive practices

* The company was accused of following deceptive and unfair practices against its users

* FTC’s laundry list of major changes that Zoom users are supposed to see henceforth

Isola Moses | ConsumerConnect

Following allegations that video conferencing platform Zoom engaged in a series of “deceptive and unfair practices” that undermined the security of consumers, the US Federal Trade Commission (FTC) has announced a settlement that will require the company to implement a sturdier information security programme.

The industry regulator had alleged that Zoom engaged in a series of “deceptive and unfair practices” that undermined the security of its users, dating back to 2016, when, according to the FTC, Zoom deceived users by falsely promising that it offered “end-to-end, 256-bit encryption” to secure their communications.

Regulators said the falsehood created the possibility that other people (including Zoom) could read a user’s content.

In the FTC’s eyes, Zoom also erroneously told users who wanted to store recorded meetings on the company’s cloud storage that those meetings were encrypted immediately after their meeting ended.

Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage, according to the regulatory agency.

ConsumerConnect learnt that the matter against the company was complicated further during the disruptive COVID-19 pandemic.

Zoom’s reach skyrocketed from 10 million in December 2019 to 300 million in April 2020, putting even more users’ privacy at risk.

Earlier this summer, the company attempted to soften the FTC’s angst by improving its security for all users rather than only its paying subscribers, but those actions seemingly weren’t enough to appease regulators, a report said.

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said: “During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever.

“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

In view of this, the FTC’s laundry list of changes that Zoom users are supposed to see thanks to the latest settlement includes:

  • Annual assessment and documentation of any potential internal and external security risks, and development of ways to safeguard against such risks;
  • Implementation of a vulnerability management program; and
  • Deployment of safeguards such as multi-factor authentication to protect against unauthorised access to its network, institution of data deletion controls, and steps to prevent the use of known compromised user credentials.

The FTC didn’t stop there, though. On top of those three key changes, Zoom agreed to review any software updates for potential security flaws and must ensure that software updates will not hamper third-party security features.

The company has also agreed not to misrepresent to the public its collection and use of personal information, and it will have an assessment of its security program carried out by an independent third party every other year.
