Zoom has become a household name in a matter of just a few months, with the world turning to its video conferencing platform due to the pandemic severely limiting in-person meetings. However, an FTC complaint alleged that Zoom “engaged in a series of deceptive and unfair practices that undermined the security of its users.”

This followed scrutiny from security experts earlier this year, who found the platform was not using end-to-end encryption despite marketing claims. Zoom has also seen other security issues during its rise in popularity, such as unwelcome participants crashing meetings in a practice called “zoombombing.” As part of the FTC settlement, Zoom has committed to implementing a “comprehensive security program.”

“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, says in the agency’s press release. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
Government Scrutiny
The FTC complaint alleges that Zoom misled its users about several security-related issues, the most important of which relates to claims made about end-to-end encryption. It says that Zoom had been advertising end-to-end, 256-bit encryption for Zoom calls since 2016, but in fact provided a lower level of security: Zoom itself held the cryptographic keys for meetings, so it was in a position to access meeting content. When end-to-end encryption is genuinely in place, only the participants in a call or chat can read what is exchanged—not Zoom, the government, or any other party that sits between them.

In addition, the complaint alleges that Zoom stored recorded meetings unencrypted on its servers for up to 60 days, even though it had told some of its users that recordings would be encrypted immediately.

Another issue relates to Mac software called ZoomOpener, a web server that remained installed on users’ computers even after they deleted Zoom and could have left them exposed to attackers. “This software bypassed a Safari browser security setting and put users at risk—for example, it could have allowed strangers to spy on users through their computer’s web cameras,” FTC Consumer Education Specialist Alvaro Puig explains in a blog post.
Zoom’s Response
While Zoom only recently settled the FTC complaint, the company told Lifewire in an email that it has “already addressed” the issues. “The security of our users is a top priority for Zoom,” a company spokesperson told Lifewire in an email.

Zoom has taken several steps to respond to the FTC’s allegations, including the launch of a 90-day plan in April that yielded more than 100 features related to privacy and security. Zoom did introduce end-to-end encryption in late October, made possible by its May acquisition of a company called Keybase. The end-to-end encryption is still in what Zoom calls “technical preview” mode, and the company says that Zoom’s servers do not have access to the encryption keys. For now, some features are restricted in end-to-end encryption mode, including the ability to join the meeting before the host and breakout rooms.
How to Use Zoom’s End-to-End Encryption
University of Alabama at Birmingham computer science professor Nitesh Saxena says that Zoom’s efforts to implement a true end-to-end encryption system are a “step in the right direction,” but notes that there is still work to do. “There are significant issues that need to be addressed before this can really provide the level of security that users may demand from Zoom calls,” he says.

Saxena, who has studied Zoom’s security extensively, says the security of its end-to-end encryption method ultimately rests on the process used to validate meeting participants’ cryptographic keys, the step that keeps an eavesdropper who has substituted their own key out of the call. In this case, the participants do that check themselves at the start of the meeting. In the first phase of Zoom’s end-to-end encryption protocol, the meeting host reads out a 39-digit code that everyone else must compare against the code shown on their own screen. According to research by Saxena and his team, this approach is prone to human error: a participant who isn’t paying attention may accept a code that doesn’t match, or skip the comparison entirely. Meeting hosts and participants must also make sure they enable end-to-end encryption before starting the meeting, as it is not turned on by default. Saxena’s research further found that the type of numeric code Zoom uses could be prone to a certain type of attack.

So, Zoom users can take some relief that the platform has already addressed the main security issues raised by the FTC complaint, and now offers the first phase of end-to-end encryption. However, conference participants should be aware that using the new end-to-end encryption mode correctly requires paying extra attention when it’s time for the code validation process at the beginning of the call.
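To make concrete why the comparison of the 39-digit code is the step that keeps an interloper out, here is an added, self-contained illustration. It is not Zoom’s code and does not reproduce Zoom’s actual key schedule: the code derivation (128 bits of SHA-256 over a meeting ID and the leader’s public key, printed as 39 decimal digits, the length the article cites), the meeting ID, and the “public keys” (hashes of labels standing in for real key material) are all constructed for this demo. It goes one step beyond the article, which names no specific attack, by also showing why glancing at only the first few digits is not enough: an attacker who sits between host and participant can grind keys until the leading digits of their code match the host’s.

```python
"""Added illustration of security-code comparison for an E2E-encrypted meeting.

Constructed example, not Zoom's implementation. The code derivation below is an
assumption chosen so that 128 bits of hash fit exactly in 39 decimal digits
(10**38 < 2**128 < 10**39); the meeting ID and keys are made-up sample data.
"""
import hashlib

CODE_DIGITS = 39
MEETING_ID = "demo-meeting-001"  # constructed sample meeting ID


def fake_pubkey(label: str) -> bytes:
    """Constructed stand-in for a participant's real public key (e.g. X25519)."""
    return hashlib.sha256(b"demo-key:" + label.encode()).digest()


def security_code(meeting_id: str, leader_pubkey: bytes) -> str:
    """Assumed scheme: first 128 bits of SHA-256(meeting_id || leader key),
    zero-padded to 39 decimal digits. Everyone who received the *same* leader
    key derives the same code; anyone who received a substituted key does not."""
    digest = hashlib.sha256(meeting_id.encode() + leader_pubkey).digest()
    value = int.from_bytes(digest[:16], "big")
    return f"{value:0{CODE_DIGITS}d}"


def group_digits(code: str, group: int = 5) -> str:
    """Render the code in groups so the host can read it aloud."""
    return " ".join(code[i:i + group] for i in range(0, len(code), group))


def codes_match(displayed: str, read_aloud: str) -> bool:
    """A careful participant compares every digit, not just the first group."""
    return displayed.replace(" ", "") == read_aloud.replace(" ", "")


def join_meeting(meeting_id: str, host_key: bytes,
                 key_seen_by_participant: bytes, attentive: bool):
    """Return (mitm_present, participant_accepted).

    The host reads the code derived from host_key; the participant's client
    shows the code derived from whatever leader key it actually received.
    An attentive participant compares all 39 digits; an inattentive one
    clicks through whatever is on screen, which is the human-error case."""
    host_reads = group_digits(security_code(meeting_id, host_key))
    client_shows = group_digits(security_code(meeting_id, key_seen_by_participant))
    mitm_present = host_key != key_seen_by_participant
    accepted = codes_match(client_shows, host_reads) if attentive else True
    return mitm_present, accepted


def grind_prefix_match(meeting_id: str, target_code: str, prefix_len: int,
                       max_tries: int = 10_000_000):
    """Attacker search for a key whose code shares only the first prefix_len
    digits with the host's code: enough to fool a participant who checks one
    group and stops. Returns (key, tries) or (None, max_tries)."""
    target = target_code[:prefix_len]
    for i in range(max_tries):
        candidate = fake_pubkey(f"attacker-{i}")
        if security_code(meeting_id, candidate)[:prefix_len] == target:
            return candidate, i + 1
    return None, max_tries


HOST_KEY = fake_pubkey("host")
ATTACKER_KEY = fake_pubkey("attacker")

if __name__ == "__main__":
    host_code = security_code(MEETING_ID, HOST_KEY)
    print("host reads aloud:  ", group_digits(host_code))
    print("honest join, attentive:      ", join_meeting(MEETING_ID, HOST_KEY, HOST_KEY, True))
    print("MITM, attentive participant: ", join_meeting(MEETING_ID, HOST_KEY, ATTACKER_KEY, True))
    print("MITM, inattentive participant:", join_meeting(MEETING_ID, HOST_KEY, ATTACKER_KEY, False))
    key, tries = grind_prefix_match(MEETING_ID, host_code, prefix_len=3)
    print(f"attacker matched first 3 digits after {tries} keys:",
          group_digits(security_code(MEETING_ID, key)))
```

The two MITM scenarios differ only in whether the participant actually compares the digits; the cryptography is identical, which is the point Saxena makes. The grind at the end matches three digits in about a thousand attempts; every extra digit a participant genuinely checks multiplies the attacker’s work by ten, and checking all 39 puts it out of reach.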