Zoom agrees to settle FTC claims over misleading user privacy features

Zoom just dodged a rather expensive bullet.

The videoconferencing giant agreed to a proposed settlement with the Federal Trade Commission over allegations it misled users about the privacy and security of its product. The settlement, announced Monday, follows an FTC investigation dating back to at least May, and both accuses Zoom of a host of deceptions and prescribes a course of action the company must take to make things right.

Notably, none of those actions involve compensating misled users. Oh, and they also don't involve Zoom admitting (or denying) any of the allegations contained within the settlement.

The main point of concern was Zoom's encryption. While initially marketed as "end-to-end," a form of encryption that is considered the gold standard by security experts, the Intercept reported in March that Zoom actually used a much less secure type of encryption.

(Zoom has since worked to actually deploy true end-to-end encryption — though you have to turn it on yourself.)

This, notes an FTC press release, was especially egregious as the coronavirus pandemic forced intimate and private conversations — whether financial, medical, or religious — online.

"During the pandemic, practically everyone — families, schools, social groups, businesses — is using videoconferencing to communicate, making the security of these platforms more critical than ever," Andrew Smith, the director of the FTC's Bureau of Consumer Protection, said in the release. "Zoom's security practices didn't line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected."

But wait... that's not all. Say you wanted to store a recorded meeting on Zoom's servers but were worried about the privacy of that recording? Well, the FTC alleges you had reason to be concerned.

"Zoom also misled some users who wanted to store recorded meetings on the company's cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended," reads the release. "Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom's servers before being transferred to its secure cloud storage."

Oh yeah, and on top of all that Zoom (again, allegedly) "secretly installed software" on Mac users' computers that bypassed security features. That secret software, known as ZoomOpener, was part of what made opening and using Zoom such a smooth experience. By bypassing malware protections in the Safari browser, Zoom could more easily auto-open and join meetings without the requirement of additional mouse clicks.

Apple took it upon itself to remotely remove this software back in 2019.

Remember, Zoom will not face any financial penalties as a result of this settlement. In a dissenting statement, FTC Commissioner Rohit Chopra called BS:

"The settlement provides no help for affected users. It does nothing for small businesses that relied on Zoom’s data protection claims. And it does not require Zoom to pay a dime."

SEE ALSO: Zoom finally rolls out end-to-end encryption, but you have to enable it

Zoom, in an emailed statement, attempted to assure users that this is all old news.

"We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC," reads the company statement in part. "Today's resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience."

As part of the proposed settlement, Zoom agreed to implement numerous security improvements. Zoom announced one such improvement, a "vulnerability management program," in April. It's worth noting, however, that the company Zoom hired to help create and run the program, Luta Security, announced it had "disengaged with Zoom" in June of 2020.

Zoom also agreed to a series of checks on the company to, hopefully, prevent similar (ahem) misunderstandings from cropping up in the future.

Indeed, Zoom has made positive security changes — like rolling out two-factor authentication — since its meteoric rise to popularity earlier this year. Payout or no, today's announcement will hopefully hold Zoom's feet to the fire, ensuring that the privacy of its users remains important for the foreseeable future.

Related Video: Zoom’s newfound popularity is being exploited by hackers during coronavirus pandemic