Video conferencing platform Zoom has addressed accusations surrounding negligent and misleading security practices by settling with the Federal Trade Commission (FTC), the company has confirmed.
After analyzing Zoom’s cybersecurity practices, the FTC said the company engaged in a “series of deceptive and unfair practices that undermined the security of its users”.
The firm was said to have lied about its security and to have kept records of people’s video calls. Zoom also claimed to offer end-to-end encryption, but it held the cryptographic keys itself, so it could still access the content of calls.
The FTC found that this claim gave users a false sense of security, which mattered particularly during the pandemic, when many people, such as healthcare practitioners, had no option but to share sensitive data over the internet.
It was also said that Zoom stored recordings of some meetings unencrypted for up to two months and installed web servers on its users’ computers without their knowledge or consent.
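The distinction the FTC drew is about key custody, not about whether a link is encrypted: if the provider holds the meeting key, it can decrypt anything it stores, however the service is marketed. The following is an added illustration, not Zoom's code or any description of its systems, contrasting a provider-held-key model with an end-to-end model using a toy cipher (a SHA-256 counter-mode keystream with HMAC authentication, constructed for the example and not suitable for real use). The `Provider` class, meeting functions and sample content are all hypothetical.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (constructed for this illustration;
    a real system would use an AEAD such as AES-GCM or ChaCha20-Poly1305)."""
    blocks = []
    produced = 0
    counter = 0
    while produced < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        produced += 32
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered recording")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Provider:
    """Hypothetical conferencing provider that stores meeting recordings."""

    def __init__(self) -> None:
        self.recordings: list[bytes] = []   # ciphertext blobs the provider keeps
        self.held_keys: dict[str, bytes] = {}  # keys the provider itself holds


def provider_held_key_meeting(provider: Provider, meeting_id: str, content: bytes) -> None:
    """Model 1: the provider generates and keeps the meeting key. The link and the stored
    recording are encrypted, yet the provider can decrypt them whenever it wants."""
    key = secrets.token_bytes(32)
    provider.held_keys[meeting_id] = key
    provider.recordings.append(encrypt(key, content))


def end_to_end_meeting(provider: Provider, content: bytes) -> bytes:
    """Model 2: the participants agree a key among themselves (stand-in here: a random
    key returned to the caller) and the provider only ever relays and stores ciphertext."""
    participant_key = secrets.token_bytes(32)
    provider.recordings.append(encrypt(participant_key, content))
    return participant_key


def provider_reads(provider: Provider, index: int):
    """What the provider can recover from a stored recording using only keys it holds.
    Returns the plaintext, or None if no held key authenticates the blob."""
    for key in provider.held_keys.values():
        try:
            return decrypt(key, provider.recordings[index])
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    note = b"patient consult notes"  # constructed sample content

    p = Provider()
    provider_held_key_meeting(p, "meeting-1", note)
    print("provider-held key, provider reads:", provider_reads(p, 0))

    q = Provider()
    participant_key = end_to_end_meeting(q, note)
    print("end-to-end, provider reads:", provider_reads(q, 0))
    print("end-to-end, participant reads:", decrypt(participant_key, q.recordings[0]))
```

The check a reviewer would apply to any "end-to-end" claim is the one `provider_reads` encodes: enumerate every key the service can reach (including escrow, recording and compliance keys) and ask whether any of them decrypts stored content. If the answer is yes, the data is protected in transit and at rest against outsiders but not against the provider, and it should be described that way.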
As part of the settlement, Zoom is forbidden from lying about its security practices and will have to meet the following demands:
- Assess and document, every year, any potential internal and external security risks and develop ways to mitigate them
- Set up a vulnerability management program
- Create safeguards such as MFA and data deletion controls, and prevent the use of known compromised credentials
- Review software updates for flaws