How did it all start?
“At least in 2016, Zoom misled users by claiming that
The FTC complaint alleges that Zoom deliberately misled users by claiming to offer end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guidelines.
HIPAA, the Health Insurance Portability and Accountability Act, was adopted on August 21, 1996. The act was created to modernize the flow of health information and prescribes how personal information held by healthcare providers and the health insurance industry must be protected from fraud and theft.
Zoom also claimed to offer end-to-end encryption in a January 2019 whitepaper, in an April 2017 blog post, and in direct responses to customer inquiries, the FTC complaint says.
“In fact, Zoom did not provide end-to-end encryption for any Zoom meeting, because the company's servers (some of them, by the way, are located in China) maintain the cryptographic keys that would allow developers to access the content of their clients' Zoom meetings,” the FTC said in the complaint.
The agency also claims that Zoom “misled some users who wanted to store recorded meetings on the company's cloud service by falsely claiming that all video conferences were encrypted immediately after they ended. Instead, some recordings were allegedly stored unencrypted for 60 days on Zoom's servers before being transferred to secure cloud storage.”
Zoom compromise
To settle the charges, Zoom agreed to the FTC's requirement to create and implement a comprehensive security program, to refrain from privacy and security misrepresentations, and to implement a number of other detailed measures to protect its user base, which skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.
Note that the figures of 10 million and 300 million refer to the number of daily Zoom meeting participants.
Will users be compensated?
The Zoom settlement is supported by the Republican majority on the FTC, but the commission's Democrats strongly oppose it, and here is why: the proposed agreement does not provide for any compensation to users.
"Today the Federal Trade Commission voted to offer a settlement with Zoom, but there is a problem," said FTC Democratic Commissioner Rohit Chopra. "The settlement does not provide any assistance to users affected by the deception. It does nothing for small businesses that relied on Zoom's data protection requirements. And it does not require a penny from the company. The Commission must change course."
“Zoom is not obligated to offer compensation for damages, refunds, or even to notify its customers that the company has been sued over its security and over the false statements of its representatives,” emphasizes Democratic Commissioner Rebecca Kelly Slaughter. “This hole in the proposed settlement is a disservice to Zoom customers.” While the agreement imposes security obligations, Slaughter said, it does not include requirements that directly protect user privacy.
New complaints about Zoom
Separately, Zoom faces lawsuits from investors and consumers, which could ultimately cause the company financial losses.
The Zoom/FTC agreement does not actually require end-to-end encryption, although last month Zoom announced that it was rolling out end-to-end encryption as a technical preview. Instead, the agreement requires the company to take the following measures:
- Require users to protect their accounts with strong, unique passwords;
- Use automated tools to detect non-human (automated) login attempts;
- Limit the rate of login attempts to minimize the risk of brute force attacks;
- Reset passwords for known compromised credentials.
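The credential-protection measures listed above, as an added example that is not from the article or from Zoom: a Python login gate that applies a password policy against a constructed breach list, rate-limits failed logins per account within a sliding window, and flags accounts whose correct password is known to be compromised for a forced reset. The thresholds, the breach list and the PBKDF2 hashing are assumptions made for the example; detecting non-human login attempts is not covered.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed breach list (SHA-1 of compromised passwords); not real breach data.
KNOWN_COMPROMISED = {hashlib.sha1(p.encode()).hexdigest()
                     for p in ("password123", "zoom2020", "letmein")}
MIN_LENGTH = 12        # length treated as "strong" (assumption)
MAX_FAILURES = 5       # failed attempts allowed per account per window
WINDOW_SECONDS = 300   # sliding window for the login rate limit

def is_compromised(password):
    """True if the password's SHA-1 digest is in the breach list."""
    return hashlib.sha1(password.encode()).hexdigest() in KNOWN_COMPROMISED

def check_password_policy(password):
    """Policy violations for a new password; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if is_compromised(password):
        problems.append("known compromised")
    return problems

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGate:
    def __init__(self, now=time.time):
        self._now = now                     # injectable clock for testing
        self._failures = defaultdict(list)  # account -> failure timestamps
        self.must_reset = set()             # accounts that must change password

    def _recent_failures(self, account):
        cutoff = self._now() - WINDOW_SECONDS
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]
        return self._failures[account]

    def attempt(self, account, password, salt, stored_hash):
        """Return 'locked', 'denied', 'reset_required' or 'ok'."""
        if len(self._recent_failures(account)) >= MAX_FAILURES:
            return "locked"     # rate limit hit: reject before verifying
        if not hmac.compare_digest(hash_password(password, salt), stored_hash):
            self._failures[account].append(self._now())
            return "denied"
        if is_compromised(password):
            self.must_reset.add(account)  # correct but breached: force a reset
            return "reset_required"
        return "ok"
```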
Zoom agrees to security monitoring
The proposed settlement is subject to public comment for 30 days, after which the FTC will vote on whether to make it final. The 30-day comment period begins once the settlement is published in the Federal Register. The FTC case and related documents can be found here.
The FTC announcement says Zoom has agreed to take the following steps:
- Assess and document annually any potential internal and external security risks and develop ways to protect against them;
- Implement a vulnerability management program;
- Provide new security measures, such as multi-factor authentication, to protect against unauthorized access to its network;
- Control the deletion of data from servers;
- Take measures to prevent the use of known compromised user credentials.
As part of the data-deletion requirement, all copies of data subject to a deletion request must be erased within 31 days.
Zoom will be required to notify the FTC of any data breaches and will be prohibited from “misrepresenting its privacy and security practices. This includes how it collects, uses, maintains, or discloses personal information,” the FTC said.
In addition, the company will have to check all software updates for vulnerabilities. Zoom will also undergo a third-party review of its updated security program following the settlement, and the review will be repeated every two years. This requirement will remain in force for the next 20 years.
In place of a conclusion: Zoom's official response
“The safety of our users is the top priority for Zoom. We take seriously the trust that our users place in us every day. After all, they are counting on us to keep them connected during an unprecedented global crisis, and we are continually improving our security and privacy programs. We are proud of the progress we have made on our platform, and we have already addressed the issues identified by the FTC. Today's agreement with the FTC is consistent with our commitment to innovation and to improving our products.”