The FTC, in its complaint, alleged that Zoom for at least the past four years promised users a level of data encryption it didn’t provide. The company has previously said it was working to improve its encryption levels to help safeguard data.
As part of the settlement, Zoom employees will have to review its product for security and obtain a third-party assessment of its progress every other year. The company, which is prohibited from misrepresenting its privacy and security features, could be subject to a penalty of more than $40,000 for any violation of the order. The FTC said its order stands for 20 years.
“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said Monday.
The FTC began its investigation over a year ago and expanded its scope during the spring “when new allegations came to light,” said Linda Holleran Kopp, an FTC attorney, on a conference call.
Zoom was founded in 2011 largely to provide video-communications services to businesses. When Covid-19 struck, Zoom won popular adoption, including by many academic institutions, small businesses and individuals trying to stay connected with family and friends. Many of those users have relied on a free service the company has offered. Corporate customers still account for the bulk of its revenue.
The FTC’s complaint alleges other shortcomings with the software. User sessions the company had promised to store securely were, in some cases, left stored unencrypted for as long as 60 days, the FTC said. The agency also said a Zoom software feature used on some Apple Inc. computers circumvented security features of the Safari browser without providing adequate backup safety. Apple, the FTC said, removed the software about a year later.
A Zoom statement said “we have already addressed the issues identified by the FTC” and that it continues to work on enhancing its security and user privacy programs. “Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience,” it said.
The app’s widespread popularity during the pandemic also exposed the company to heightened scrutiny. Users, for instance, suffered a number of instances of “Zoombombing”—where people gain unauthorized access to a meeting and share hate speech or pornographic images. Zoom adjusted the default settings for many users to help prevent this issue. Zoom has also had to play a more active role in policing politically sensitive content that may appear on its platform.
The company, which went public last year, acknowledged over the summer shortcomings with some of its security practices and promised improvements.
Zoom shares, which were up more than sevenfold this year as users embraced both its paid and free services, were down 14% in afternoon trading Monday, both on the FTC development and on progress on a Covid-19 vaccine that has lifted the broader market.
Zoom during the pandemic has twice boosted its full-year financial outlook, underscoring its position as one of the biggest corporate winners from the shift to working from home and remote schooling.
The FTC’s Mr. Smith said Zoom wasn’t the only company that should be on alert about privacy issues. The settlement, he said, “sends a message to all companies that they need to live up to their privacy and security promises and respect security protections built into operating systems and browsers.”