Zoom is finding out that with greater usage comes greater scrutiny.
For those few who have not been in confinement recently because of Covid-19, Zoom is a video conferencing provider. During the pandemic, the number of daily users exploded, from 10 million in December 2019 to an impressive 300 million by April 2020.
In November, the U.S. Federal Trade Commission (FTC) announced a settlement with the company, requiring it “to implement a robust information security program to settle allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.”
The FTC had three main issues with the company, namely:
Zoom Lied A Lot
The FTC stated that Zoom lied for years about the end-to-end encryption of its video conferencing services.
The company was supposed to offer 256-bit encryption that would prevent Zoom itself from accessing meetings. Instead, Zoom could access customers’ meetings using a “cryptographic key”, because it provided only a low level of encryption. Zoom partially fixed the issue in October, providing end-to-end encryption to most users (but with the loss of important features, and you have to enable it manually on a per-meeting basis…).
…and to Mac
In 2018, Zoom secretly installed a webserver on the Macs of users who downloaded its software. This webserver would re-install the Zoom application even if you had deleted it. Worse, it would also let websites spy on these Macs’ users. Zoom issued an update in July 2019 to remove the webserver from every Mac.
…and to You
Lastly, Zoom misled customers when it promised to store meetings immediately in encrypted form, which was not always the case. Meetings were sometimes left unencrypted for up to 60 days before being moved to Zoom’s secure cloud storage.
As a settlement, “Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base”. They also agreed on security monitoring. But there will not be any compensation for affected users, even if they are paying customers.
Should we blindly trust every company and the software that they provide, often for “free”?
This time, Zoom was caught under scrutiny. And it may not be the last.