Zoom has been forced to agree to a range of security improvements in a settlement with America's consumer watchdog, the Federal Trade Commission, as a result of earlier wrongly claiming it offered true 256-bit end-to-end encryption.
The pact [PDF], announced Monday, obliges the video-conferencing giant to carry out an annual security assessment of its software and have its internal security program assessed by a third-party every two years. It also has to create a vulnerability management program, and add security safeguards, such as multi-factor authentication and proper data deletion.
Zoom staff will have to review software updates for security flaws and make sure they don’t impede third-party security measures – as happened in July 2018 when a Zoom update bypassed an anti-malware feature in Apple’s Safari browser and fired up a web server called ZoomOpener that directly launch the Zoom App.
Zealous Zoom's zesty zymotic zone zinger: Zestful zealots zip zillionsREAD MORE
Thanks to the COVID-19 pandemic, Zoom’s user-friendly video conferencing software went from a popular tool to an essential piece of software as people isolated themselves at home – and it became a household name. Its share price has quintupled since the beginning of the year – from $100 to $500, after user numbers ballooned from 10 million in December to 300 million in April.
That connection was in full view this morning when its share price dropped 13 per cent – not as a result of the FTC settlement but rather the announcement by pharmaceutical giant Pfizer that its COVID-19 vaccine is claimed to be 90 per cent effective in the latest set of tests. That result has pointed to a possible ending of the pandemic in 2021, which would greatly reduce the use of Zoom.
It is notable however that the FTC settlement only passed 3-2 with the regulator’s two Democratic commissioners dissenting. Rebecca Kelly Slaughter noted [PDF] that while the settlement addresses security concerns, it does not tackle related privacy concerns and argued in a statement that “Zoom’s approach to user privacy was fundamentally reactive rather than proactive.”
There is no mention of privacy in the settlement: something that Commissioner Slaughter says “reflects a failure by the majority to understand that the reason customers care about security measures in products like Zoom is that they value their privacy.”
Meanwhile, Commissioner Rohit Chopra said [PDF] that the settlement “includes no help for affected parties, no money, and no other meaningful accountability” and argued that the FTC approaches issues like this in the wrong way: “The FTC’s status quo approach to privacy, security, and other data protection law violations is ineffective.”
He argues that small businesses that signed contracts with Zoom should be allowed to be released from them, or seek refunds, because they were based “on false representations.” And he balks at the fact that Zoom does not have to admit to fault: “Zoom admits nothing and the Commission’s investigation makes no significant conclusions.”
Aside from introducing fines, Chopra also argues that the FTC’s investigative teams need more technical expertise and as a start it should restore the role of FTC Chief Technologist. ®