Zoom was accused of lying to users. Their data was not encrypted properly

How did it all start?

“At least in 2016, Zoom misled users by claiming that it offers "end-to-end 256-bit encryption" for protection of communications. It actually provides a lower level of security than the company promised,” says the FTC's complaint against Zoom and the agency's preliminary settlement plan. Despite promising end-to-end encryption, the FTC said that "Zoom retained cryptographic keys that could allow the company to access its clients' conference content."

The FTC complaint alleges that Zoom deliberately lied by claiming to offer end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guidelines.

HIPAA is the Health Insurance Portability and Accountability Act, which was adopted on August 21, 1996. The act was created to modernize the flow of health information, and it stipulates how personal information held by healthcare providers and the health insurance industry should be protected from fraud and theft.

Zoom has also stated that it offers end-to-end encryption in a January 2019 white paper, an April 2017 blog post, and direct responses to customer inquiries, the FTC complaint says.

“In fact, Zoom did not provide end-to-end encryption for any Zoom meeting, because the company's servers (some of them, by the way, are located in China) maintain cryptographic keys that will allow developers to access their clients' Zoom Meetings content,” the FTC said in the complaint.

The agency also claims that Zoom “misled some users who wanted to store recorded meetings in the company's cloud service by falsely claiming that all video conferences were encrypted immediately after they ended. Instead, some recordings were allegedly stored unencrypted for 60 days on Zoom's servers before being transferred to secure cloud storage.”

Zoom compromise

To settle the charges, Zoom agreed to the FTC's requirements to create and implement a comprehensive security program, to accept a prohibition on misrepresenting privacy and security information, and to implement a number of other detailed measures to protect its user base, which grew sharply from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.

Note that the figures of 10 million and 300 million refer to the number of daily participants in Zoom meetings.

Will users be compensated?

The Zoom settlement plan is supported by the Republican majority on the FTC, but the Democrats on the commission are strongly opposed, and here's why: the agreement does not provide for compensation to users.

“Today the Federal Trade Commission voted to offer a settlement with Zoom, but there is a problem,” said FTC Democratic Commissioner Rohit Chopra. “The settlement does not provide any assistance to users affected by the deception. It does nothing for small businesses that relied on Zoom's data protection requirements. And it does not require a penny from the company. The Commission must change course.”

“Zoom is under no obligation to offer compensation for damages, reimbursement, or even to notify its customers that claims were made against the company over safety and lies in its representatives' statements,” emphasizes Democratic Commissioner Rebecca Kelly Slaughter. “This flaw in the proposed settlement is doing a disservice to Zoom's customers.” While the agreement imposes security obligations, Slaughter said it does not include requirements that directly protect users' privacy.

New claims against Zoom

Zoom is separately facing lawsuits from investors and consumers, which could ultimately lead to financial losses on the part of the company.

The Zoom/FTC agreement does not actually require end-to-end encryption, although Zoom announced last month that it is rolling out end-to-end encryption in a technical preview. In fact, the agreement requires the company to take the following measures:

  • Require users to protect their accounts with strong unique passwords;
  • Use automated tools to detect non-human login attempts;
  • Rate-limit login attempts to minimize the risk of a brute-force attack;
  • Reset passwords for known compromised credentials.

Zoom agrees to security monitoring

The proposed settlement is subject to public comment for 30 days, after which the FTC will vote to make it final. The 30-day comment period will begin after the settlement is published in the Federal Register. The FTC case and related documents can be found here.

The FTC announcement says Zoom has agreed to take the following steps:

  • Assess and document annually any potential internal and external security risks and develop ways to protect against them;
  • Implement a vulnerability management program;
  • Provide new security measures, such as multi-factor authentication, to protect against unauthorized access to its network;
  • Control the deletion of data from servers;
  • Take steps to prevent the use of known compromised user credentials.

Part of the data deletion requirement is that all copies of data designated for deletion be deleted within 31 days.

Zoom will be required to notify the FTC of any data security breaches, and it will be prohibited from “misrepresenting its privacy and security practices, including how it collects, uses, maintains or discloses personal information,” the FTC said.

In addition, the company will have to check all software updates for vulnerabilities. Zoom will also have to obtain a third-party review of its updated security program following the settlement of the claim. The reviews will be repeated every two years. This requirement will be valid for the next 20 years.

In place of a conclusion: Zoom's official response

“The safety of our users is a paramount priority for Zoom. We take seriously the trust that users place in us every day. After all, they expect us to keep them in touch during this unprecedented global crisis, and we are continually improving our security and privacy programs. We are proud of the accomplishments we have made on our platform and we have already addressed the issues identified by the FTC. Today's agreement with the FTC is in line with our commitment to innovation and product improvement.”
