Zoom settles with regulator over dodgy encryption claims
It's the videoconferencing platform made famous by the pandemic lockdowns, but Zoom also isn't as secure as it once made out.
The US company, which does most of its software development in China, has just settled with the US Federal Trade Commission over "misleading claims" it made about the encryption it uses to keep Zoom calls secure.
The settlement comes as Nasdaq-listed Zoom's shares dropped 17% on the back of news that pharmaceutical giant Pfizer's vaccine candidate has been shown to be 90% effective in trials and that it will apply for approval by the end of the month to start mass-producing it.
While Zoom claimed that calls were protected by "end-to-end encryption", it emerged in March that this covered only the connection between Zoom clients and the company's cloud platform. In fact, Zoom held the cryptographic keys allowing it to access its customers' video meetings.
Typically, end-to-end encryption (E2EE) is defined as security that prevents anyone but the sender of the communication and the receiver from accessing or intercepting the message, even the provider of the encrypted service.
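The difference between the two models in the paragraphs above is where the decryption key lives. The following script is an added illustration, not Zoom's protocol or any code from the article: it uses a toy stream cipher built from the Python standard library (HMAC-SHA256 in counter mode, chosen only so the example runs offline; a real client would use an AEAD such as AES-GCM) and a hypothetical `Provider` relay. In the transport-only model the provider terminates each client's session, so plaintext passes through its hands and can be logged or recorded; in the E2EE model the participants' meeting key is never given to the provider, so the relayed bytes are opaque to it.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 12
# Constructed sample message for the demonstration.
MESSAGE = b"Q3 results: revenue down 4%, discuss before earnings call"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 keyed by `key`, run in counter mode over
    `nonce`, XORed across `data`. Illustration only, not a production cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class Provider:
    """Hypothetical relay server. It terminates each client's transport session,
    so in the transport-only model it holds one session key per client."""

    def __init__(self) -> None:
        self.transport_keys: dict = {}
        self.plaintext_log: list = []  # everything the provider was able to read

    def relay_transport_only(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # Hop 1 is decrypted with the sender's session key, hop 2 re-encrypted
        # with the recipient's. Between the hops the plaintext sits on the provider.
        plaintext = decrypt(self.transport_keys[sender], blob)
        self.plaintext_log.append(plaintext)
        return encrypt(self.transport_keys[recipient], plaintext)

    def relay_e2ee(self, blob: bytes) -> bytes:
        # Opaque bytes pass straight through; the provider holds no key for them.
        return blob

    def try_to_read(self, blob: bytes) -> bytes:
        # The most the provider can do with an E2EE blob: try a key it does hold.
        any_key = next(iter(self.transport_keys.values()))
        return decrypt(any_key, blob)


def fresh_provider() -> Provider:
    provider = Provider()
    provider.transport_keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    return provider


def transport_only_model() -> tuple:
    """Returns (what Bob read, what the provider logged in transit)."""
    provider = fresh_provider()
    blob_from_alice = encrypt(provider.transport_keys["alice"], MESSAGE)
    blob_to_bob = provider.relay_transport_only("alice", "bob", blob_from_alice)
    bob_reads = decrypt(provider.transport_keys["bob"], blob_to_bob)
    return bob_reads, provider.plaintext_log


def e2ee_model() -> tuple:
    """Returns (what Bob read, what the provider recovers with the keys it holds)."""
    provider = fresh_provider()
    # Meeting key agreed between the participants only (in practice via a key
    # exchange the server cannot see into); the provider is never given it.
    meeting_key = secrets.token_bytes(32)
    blob = provider.relay_e2ee(encrypt(meeting_key, MESSAGE))
    bob_reads = decrypt(meeting_key, blob)
    return bob_reads, provider.try_to_read(blob)


if __name__ == "__main__":
    _, logged = transport_only_model()
    print("transport-only: provider logged", logged)
    _, guess = e2ee_model()
    print("E2EE: provider recovers", guess == MESSAGE)
```

The point the script makes is the one the FTC complaint turns on: both models encrypt the bytes on the wire, but only the second one keeps the provider out, because "who holds the key" rather than "is it encrypted" is what decides whether the service can read, record or be compelled to hand over the content.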
"Zoom's misleading claims gave users a false sense of security, according to the FTC's complaint, especially for those who used the company's platform to discuss sensitive topics such as health and financial information," the FTC said in a statement today.
Zoom has scrambled to implement better security as demand for its video conferencing surged, with stay-at-home orders shifting business meetings online all over the world. Many corporate users were uncomfortable using Zoom over security concerns, instead opting for Microsoft Teams, Cisco Webex or even Google Meet.
US government departments, in particular, are wary of Zoom due to concerns that Chinese Communist Party agents may be able to gain access to sensitive information via the Zoom platform. While Zoom is considered more user friendly than its rivals, the questions around its security see it often relegated to non-sensitive conversations only.
Even worse than the back door in its "end-to-end" encryption, Zoom held unencrypted copies of its customers' recorded meetings. This was likely to pose a bigger risk of data breaches and hacking attacks than the meetings being infiltrated while they were in progress.
"Zoom told users who recorded a meeting that it would save a secure, encrypted recording of the meeting when it ended. In reality, Zoom kept unencrypted recordings on its servers for up to 60 days before moving them to its secure cloud storage," wrote the FTC's consumer education specialist, Alvaro Puig.
The FTC also slapped Zoom for another security screw-up. It installed an application on Mac users' computers called ZoomOpener, which let the software bypass the security features of Apple's Safari web browser.
The FTC argues that this could have allowed strangers to "spy on users through their computer's web cameras".
"Hackers could have exploited the vulnerability to download malware onto - and take control of - users' computers," it added.
Deleting Zoom didn't get rid of ZoomOpener, which Zoom presented as a bug fix, neglecting to tell its users it was installing a web server on their computer. While the lax security and disingenuous messaging on Zoom's part is serious, the FTC doesn't typically impose fines for a first offence, so Zoom avoids paying a big financial penalty for its transgressions.
Zoom said last month that it was rolling out real end-to-end encryption for free and premium users holding video conferences with up to 200 participants.
"In a meeting with E2EE enabled, nobody except each participant - not even Zoom's servers - has access to the encryption keys being used to encrypt the meeting," Zoom explained.
Those measures should satisfy the FTC's key concern over false claims regarding encryption. But Zoom will have to submit to the scrutiny of an independent third party to assess its security every two years and to notify the FTC in the case of a data breach. That latter requirement will become mandatory for New Zealand companies next month with the arrival of the new Privacy Act.