Zoom security failures revealed in FTC settlement
The FTC has published the details of a settlement covering a series of alleged security failures by Zoom. Under the agreement, Zoom does not have to admit to any of the allegations:
- Zoom allegedly misled users about security levels.
- Zoom used unencrypted storage for recordings.
- Zoom bypassed Safari browser security measures.
- Zoom issued deceptive software release notifications.
Andrew Smith, Director of the FTC's Bureau of Consumer Protection, said:
"...Zoom did not implement any offsetting measures to protect users' security and increased users' risk of remote video surveillance by strangers. The software remained on users' computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app--without any user action--in certain circumstances."
"Zoom also misled some users who wanted to store recorded meetings on the company's cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom's servers before being transferred to its secure cloud storage."
Under the terms of the settlement:
- Zoom undergoes an annual security assessment.
- The company must develop ways to safeguard against security risks.
- Zoom should establish a vulnerability management programme.
- The company must create policies to protect against online attacks.
- Zoom should create safeguards against unauthorised access to its network.
- Zoom must install hacker protections.
According to the FTC:
"Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic."