How Zoom Zoomed Past Security and Privacy Protocols and are Now Paying the Price

By Jordan Danso
12/1/2020

Zoom is one of the largest video conferencing platforms in the world, and due to the pandemic, it has become an indispensable tool for many organizations. However, while Zoom expanded, its lack of effective privacy and security protocols exposed many consumers to unnecessary security and privacy risks. The Federal Trade Commission (“F.T.C.”) recently filed a complaint against Zoom for its unfair and deceptive acts regarding its misleading security and privacy procedures. The F.T.C.’s response to Zoom’s misleading security and privacy standards was necessary to protect consumers using Zoom’s video conferencing platform.

Zoom was founded nine years ago and sought to "bring teams together in a frictionless environment to get more done." The rise of COVID-19 heightened user demand for Zoom’s video conferencing platform, which significantly boosted its financial standing. In the second quarter of this year, Zoom’s revenues surged 350%; Zoom raised its full-year revenue projections from $1.775-1.8 billion to $2.37-2.39 billion and experienced a 354% surge in users. Once labeled a "unicorn," the company has secured its position as a staple video conferencing application in our ever-changing society.

Nevertheless, with the company's meteoric rise to success, many Zoom users became victims of security breaches. "Zoom bombing," where hackers hijack meetings by posting or discussing graphic content, is one of the most recent attacks on Zoom’s security. The City of North Tonawanda was the latest victim of Zoom bombing; its Zoom budget hearing was interrupted by trolls screaming profanities and racial slurs and posting pornographic images. Also, in March, more than 500,000 Zoom accounts were compromised and sold over the dark web through a process called credential stuffing. Credential stuffing occurs when a Zoom account is created with a compromised account's login credentials from past security breaches. The login credentials are then retrieved from Zoom’s platform and sold online. This indicates that Zoom was not verifying its latest accounts against the available lists of breached account credentials. An attack like this is predictable for a company experiencing a rapid increase in users. While this is not a breach of Zoom’s internal security, it is an example of Zoom’s lack of adequate security measures.
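The check the paragraph says was missing, verifying new credentials against a list of breached credentials, can be done without ever sending the password itself to the breach database: the client hashes the password, sends only a short hash prefix, and compares the returned suffixes locally (the k-anonymity scheme used by services such as Have I Been Pwned). The following is an added illustration, not Zoom's or any vendor's code; the breach corpus is constructed from a handful of sample passwords, and `range_query` stands in for the remote lookup.

```python
import hashlib

# Constructed sample corpus: SHA-1 hashes of a few well-known weak passwords.
# A real deployment would query a published breach corpus instead.
_SAMPLE_BREACHED = ["password", "123456", "qwerty", "letmein"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _SAMPLE_BREACHED}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form breach corpora commonly publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix: str) -> list:
    """Stand-in for the remote range endpoint (hypothetical, local only).

    The caller reveals only the first five hex characters of the hash; the
    service answers with every suffix in the corpus sharing that prefix, so
    the full password hash never leaves the client.
    """
    if len(prefix) != 5:
        raise ValueError("k-anonymity prefix must be exactly 5 hex characters")
    return sorted(h[5:] for h in BREACH_CORPUS if h.startswith(prefix))


def is_breached(password: str) -> bool:
    """True if the password's hash appears in the breach corpus."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def register(username: str, password: str, accounts: set) -> str:
    """Account-creation gate: reject reused usernames and breached passwords."""
    if username in accounts:
        return "rejected: username already exists"
    if is_breached(password):
        return "rejected: password appears in a known breach"
    accounts.add(username)
    return "accepted"


if __name__ == "__main__":
    db = set()
    print(register("alice", "password", db))                  # rejected
    print(register("alice", "correct horse battery staple", db))  # accepted
```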

In April, Zoom’s C.E.O. Eric S. Yuan addressed concerns about the company's security protocols. The C.E.O. detailed how the influx of new users impacted their system and how there had been issues adapting to the platform's rapid and intense growth. The company took the following steps toward transparency about its efforts to enhance security measures: it published a blog post to address Zoom bombing, updated its privacy policy, and published a blog post about its platform's encryption.

To solidify these changes, Zoom embarked on a 90-day challenge to make changes to its security and privacy protocols. A big concern for many users was the company’s encryption standards. Zoom stated that users could hold meetings with "secure end-to-end encryption"; however, Zoom was not clear about which users actually received end-to-end encryption. Furthermore, experts determined that Zoom, in many cases, only offered transport encryption. End-to-end encryption is the higher standard of encryption, and many users were misled to believe they had this encryption when utilizing the Zoom platform when, in fact, they only had transport encryption. After Eric S. Yuan released his statement, Zoom worked to provide more users with access to end-to-end encryption. Zoom acquired Keybase, a company that uses public-key cryptography to ensure the privacy of messages and files, to help roll out new end-to-end encryption services for all users.

While Zoom was in the process of remedying its encryption standards, the F.T.C. believed that the company's alleged security and privacy offerings were unfair and deceptive regardless of these latest efforts. The F.T.C. filed a complaint citing the company’s failure to implement adequate security measures. Under Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), the F.T.C. charged Zoom with two counts of deceptive representation regarding end-to-end encryption, a count of deceptive representation regarding secured cloud storage for recorded meetings, a count of unfair circumvention of third-party privacy and security safeguards, and a count of deceptive failure to disclose material information regarding the Zoom web server update.

The complaint detailed various security violations and documented how the company's deceptive and unfair marketing practices misled consumers about the security of its systems. Users were put at risk when discussing or sending sensitive information on the platform, because Zoom claimed to have end-to-end encryption when, in most cases, it only provided a lower level of encryption. Recorded meetings left on Zoom's cloud were kept on Zoom's servers unencrypted for 60 days before they were secured. Some users' security was compromised when Zoom secretly installed ZoomOpener as part of a Mac desktop application update. ZoomOpener was a web server that allowed Zoom to open automatically, launch, and join users to meetings by bypassing Apple’s Safari malware protection. Furthermore, the ZoomOpener application caused the warning box indicating that the Zoom application had launched to disappear. ZoomOpener was also installed without adequate notice or user consent, which violated the F.T.C. Act.

Furthermore, the F.T.C. evaluated the security claims that Zoom asserted on its website and determined that these claims, from 2015 to the present, were misleading. In 2015, Zoom wrote a blog post about its security standards and how it had created a system that would make it impossible for a hacker to grab anything of significance. Given the low level of encryption Zoom had on its platform, this claim could not be substantiated.

On November 9th, Zoom agreed to settle with the F.T.C. The proposed settlement requires Zoom to undergo a biennial assessment of its security program by a third party, establish a mandated information security program, and add additional safeguards against unauthorized access to its network; it also prohibits Zoom from making misrepresentations about its privacy and security measures, among other terms. The Commission voted 3-2 on the proposed settlement; two commissioners, Rohit Chopra and Rebecca Kelly Slaughter, dissented because they believed the settlement should include more significant penalties. The settlement is open to public comment for 30 days from the release of the proposed agreement. After those 30 days, the Commission will finalize the order.

As Zoom continues to grow as a video conferencing platform, it must keep security and privacy protocols at the forefront of its strategy, and the F.T.C. settlement assures that Zoom will do so for the foreseeable future. This settlement is a lesson not only for Zoom but for consumers. While we continue to navigate this new virtual reality, consumers need to be wary of sites' security and privacy protocols. Zoom bombing, credential stuffing, and misleading encryption standards are all consequences of Zoom not taking every necessary precaution to ensure consumer safety. Zoom is a prime example of how our data may be left susceptible if companies are not continuously held accountable. Many platforms, like Zoom, request a lot of personal data, such as our address, date of birth, and job information, just to name a few. It is easy to fork over that information to access whatever service you need. As we become more vigilant consumers and as security becomes a more significant concern for newer technology companies, heightened security and privacy protocols will remain the norm.