FTC’s Zoom Deal Signals Commitment to Security Enforcement | Government
By John K. Higgins
Dec 29, 2020 5:00 AM PT
The U.S. Federal Trade Commission is making good on a resolution to strengthen its enforcement of security deficiencies occurring in e-commerce transactions. The agency’s recent action involving allegations of improper activities by teleconferencing provider Zoom Video Communications is a notable example.
In a settlement with Zoom, the FTC imposed significantly specific requirements on the company regarding safety and privacy issues associated with Zoom’s services. The Nov. 13, 2020 settlement became official after a comment period expired in mid-December.
The FTC said the agreement with Zoom requires the company “to implement a robust information security program to settle allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.”
Zoom neither admitted nor denied the Commission’s allegations with its acceptance of the settlement.
Broad E-Commerce Ripple Effect
Importantly in the world of e-commerce, the Commission’s action in the Zoom case reflected more than an internal policy of bolstering enforcement of e-commerce issues. The FTC’s action also reflected a federal court decision which resulted in the Commission’s move to issue stronger and more targeted enforcement actions, versus more general compliance requirements, according to a Cleary Gottlieb case analysis.
Additionally, the impact of the FTC’s action goes far beyond application to video conferencing services and affects a broad range of e-commerce activities. “The Zoom decision absolutely applies broadly,” said Kathleen Benway, a partner at Alston and Bird. The FTC decision “offers lessons to any company that collects consumers’ personal information electronically. Such companies would be wise to closely review the Zoom complaint and order to ensure that their systems and processes don’t raise similar issues,” she told the E-Commerce Times.
The specificity of the FTC’s allegations in the Zoom case provides some insights on the types of e-commerce transactions that are of concern to the Commission and could possibly affect enforcement.
In its complaint, the FTC said that at least from 2016, Zoom misled customers by claiming that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications, “when in fact it provided a lower level of security.” End-to-end encryption is a method of securing communications so that only the sender and recipient — and no person, not even the platform provider — can read the content, the FTC explained.
Zoom maintained the cryptographic keys that could actually allow the company to access the content of its customers’ meetings, and secured its teleconference meetings, in part, with a lower level of encryption than promised, FTC said. Zoom acknowledged in April 2020 that its services were generally incapable of end-to-end encryption, according to a case analysis from Alston and Bird.
According to the FTC’s complaint, Zoom also misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.
In addition, Zoom deployed an operational mechanism related to Apple’s Safari browser which the FTC characterized as a method which circumvented a Safari security and privacy safeguard, without adequate notice or consent to the user. The Commission contended that the deployment amounted to an unfair act or practice.
Settlement Requires Multiple Compliance Measures
Zoom has agreed to establish and implement a comprehensive security program, and to abide by other detailed measures to protect its user base, which skyrocketed from 10 million users in December 2019 to 300 million in April 2020 during the COVID-19 pandemic, the FTC said. As part of the settlement, Zoom will:
- assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
- implement a vulnerability management program; and
- deploy safeguards such as multifactor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.
In addition, Zoom personnel will be required to review any software updates for security flaws and must ensure the updates will not hamper third-party security features, such as occurred with the Apple Safari mechanism.
The settlement also prohibits the company from making misrepresentations about its privacy and security practices, including how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information.
In response to the settlement agreement, the company said that the “security of our users is a top priority for Zoom.”
“We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs. We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. Our resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience,” the company said in a response provided to the E-Commerce Times by spokesperson Kelsey Markovich.
FTC Will Remain Vigilant on Security, Privacy
The Zoom decision is clearly an indication of a more aggressive enforcement posture by the FTC. “I think the FTC will redouble its focus on enforcing data privacy and security across many different industries and companies,” said Alexis Collins, a partner at Cleary Gottlieb.
“In recent years, the agency has taken action against various types of companies that collect or handle consumer data or conduct e-commerce activities for perceived deficiencies in living up to their privacy policies or implementing reasonable cybersecurity measures, regardless of whether those companies directly face consumers,” Collins told the E-Commerce Times.
For example, the FTC has reached settlements with a range of consumer product or service companies like Equifax and Uber to third-party service providers like InfoTrax, she said.
Another signal that the FTC will continue an aggressive posture on privacy and security issues were the comments of two current commissioners in the opinions they filed in the case. Each one suggested that the agency should have taken an even stronger enforcement position in the Zoom settlement.
According to a posting by Cleary Gottlieb’s Collins, Commissioner Rohit Chopra expressed concern that the settlement lacked provisions for meaningful relief for those users harmed by Zoom’s misrepresentations, such as contractual releases, refunds, or credits for small businesses who purchased Zoom services based on false representations, failed to mandate notice to affected users, and lacked monetary penalties.
Commissioner Rebecca Slaughter suggested that a “more effective order” would have required Zoom to review the risks that its products and services pose to consumer privacy, in addition to security, according to the Alston and Bird case analysis.