FTC Warns: Don’t Zoom Past Security

Published: Nov. 11, 2020

The Federal Trade Commission (“FTC” or “Commission”) has settled charges with Zoom Video Communications, Inc. (“Zoom”) alleging that the popular videoconferencing company engaged in a number of security- and privacy-related deceptive or unfair acts and practices. Zoom’s user base grew from approximately 10 million daily users in December 2019 to approximately 300 million daily users in April 2020, an increase almost entirely attributable to the COVID pandemic. The FTC alleges that despite this significant growth and Zoom’s knowledge of the sensitivity of some of the content it transmitted, the company failed to implement a number of familiar security measures; in particular, the complaint alleges that Zoom failed to train developers in secure software development and failed to test and review its software for known vulnerabilities before releasing updated code. The Commission also alleges that Zoom misrepresented its security posture in a number of meaningful ways.

Two features of the complaint are particularly noteworthy for businesses that offer software products and services to consumers. First, the FTC alleges that Zoom acted unfairly and deceptively when it issued a software update in July 2018 that installed a web server designed to circumvent a security feature in Apple’s Safari web browser. After an Apple security update, when Safari users clicked on a Zoom link, a dialog box would ask whether they wanted to allow Safari to open Zoom. To avoid this perceived inconvenience, Zoom issued an update that installed a local web server that bypassed Safari’s dialog box and launched the Zoom app directly. The FTC claimed that Zoom acted unfairly because it did not implement privacy and security protections comparable to Safari’s, which exposed users to new vulnerabilities. The FTC also claimed that Zoom acted deceptively when it failed to adequately inform users about these changes and to obtain meaningful consent to them.

Second, the FTC does not allege any tangible harm to consumers arguably caused by Zoom’s alleged security failures, such as a data breach or data exposure. Thus, it seems that the Commission may have pursued action against Zoom based primarily on its rapid ascent in the videoconferencing marketplace because of COVID, but relied on Zoom’s product decisions that long preceded the pandemic. It remains to be seen whether this enforcement is indicative of a trend or rather is a specific response to pandemic-created technology reliance.

The FTC made several other deception allegations in its complaint, including that Zoom misrepresented (1) that it secured calls using end-to-end encryption, (2) the key length it employed in its encryption algorithm, and (3) that recorded content was immediately stored in an encrypted form. As a result of the settlement, Zoom will implement a comprehensive information security program and revise its marketing, disclosure, and privacy practices.

Key Takeaways

The Zoom complaint and settlement are a reminder for companies that develop software or offer SaaS platforms that the Commission remains focused on inaccurate statements and incomplete disclosures about security in marketing literature and other documentation, particularly where such misstatements may lull consumers into a false sense of security. Moreover, companies should continue to think carefully about the full impact of changes to their products on other applications present on end-user devices, particularly where the effect is to disable another program’s security measures. In both cases, the Commission proceeded with a complaint even in the absence of an identified, specific harm to consumers, which may signal a trend for future FTC actions.