Zoom Boosts Security and Privacy Protections Under FTC Settlement

Videoconferences lacked the end-to-end encryption that the company promised to consumers

zoom on laptop multiple

Zoom increased security and privacy protections in its videoconferencing platform to settle a Federal Trade Commission complaint that the company misled consumers about those features, the FTC announced.

Some privacy experts, however, suggested that the agreement doesn’t go far enough.

During the pandemic, consumers and small businesses have flocked to Zoom, increasing the company’s traffic from 10 million users per day in December 2019 to as many as 300 million daily in April 2020, when demand was at its peak.

While Zoom was created primarily as a business tool, many consumers are using the platform in new ways, from therapy sessions to Alcoholics Anonymous meetings, with different kinds of sensitive information shared during meetings.

More on Video Conferencing

The FTC complaint alleges that the company was less careful with sensitive consumer and small-business data than it let on. Since 2016, Zoom allegedly deceived consumers by telling them that the company used 256-bit end-to-end encryption—a security system that employs a highly complex security key to prevent communications from being read by anyone but the sender or the recipient.

In reality, however, the company employed a lower level of security for most of its meetings, the FTC said.

The company also told consumers that meeting data was being safeguarded in secure cloud storage, while, actually, according to the complaint, “recorded meetings are kept on Zoom servers for up to 60 days, unencrypted” before being transferred to more secure cloud storage.

The complaint also alleges that Zoom’s meeting launcher software bypassed security features on Apple’s Safari browser, which left consumers vulnerable to video surveillance by outsiders.

“The case is pretty straightforward,” says Justin Brookman, director of privacy and technology policy at Consumer Reports. “Zoom didn't really have a plausible defense for a lot of this behavior.”

In an email to Consumer Reports, a Zoom spokesperson said: “The security of our users is a top priority for Zoom. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”

Last spring, Consumer Reports reported on privacy concerns with Zoom, as well as other video conferencing platforms. In response to our article, the company changed its privacy policy and some of its privacy practices.

Is the Settlement Enough?

As part of the FTC settlement, Zoom has already implemented fixes for the issues raised in the complaint. The company will also agree to third-party oversight of its privacy and security practices. Future violations could subject the company to substantial monetary fines, like the ones imposed against companies such as Facebook and Google. However, the current agreement doesn’t carry any financial penalties for Zoom.

Some privacy experts, including two FTC commissioners, suggested that the settlement with Zoom doesn’t go far enough.

“Because of the pandemic, consumers have become deeply reliant on Zoom,” says Jeff Chester, executive director of the Center for Digital Democracy, an advocacy organization based in Washington, D.C. “After Zoom got caught, FTC should have imposed significant penalties and demanded significant changes in the way they do business, but instead they gave them a slap on the digital wrist.”

Two of the five FTC commissioners, Rebecca Kelly Slaughter and Rohit Chopra, thought that the agency should have demanded more from Zoom, and they dissented from the decision.

“The order does not address the core problem: Zoom’s demonstrated inclination to prioritize some features, particularly ease of use, over privacy protections,” Slaughter wrote in her dissent to the settlement.

The FTC counters that it has both limited resources and limited authority to litigate a case like this, and if it did, the ensuing court battle would have delayed a settlement significantly.

“Had we litigated this case, we might have gotten more or different relief,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said at a press conference announcing the agreement. “But I’d bet we’d be having conversation in 2022 rather than today.”

“The majority seemed to think this is best result they could get with the cards they were dealt,” says CR’s Brookman.

How to Protect Yourself on Zoom

CR’s experts have some advice for enhancing your privacy while using Zoom or other videoconferencing platforms.

  • Assume you’re being recorded. Anything you say or do in a Zoom meeting can be recorded. It can be captured officially by a host, an administrator, or another participant, or just grabbed by someone with screencasting software or even a smartphone. The solution? Turn off your camera and mic whenever possible.
  • Mind your background. If you need to have your camera turned on, Zoom lets you choose a photo as the background for your video. You can pick one from your hard drive or use one supplied by Zoom. That can be important because the books on a shelf, posters, or other items in your living space can reveal information that you might not want to share with some of your co-workers or clients. And those images of your bedroom may not disappear when the conference is over; they can be stored for months or even years, and shared with people you’ve never met.
  • Safeguard meeting information. Don’t share the password or links to any meeting you’ve been invited to. That can help to prevent Zoombombing, which is when bad actors gain access to a meeting and disrupt it.
  • Use outside privacy tools. If you’re hosting a meeting and decide to create a videoconferencing account, use a dedicated “burner” email that you don’t use for anything else, or at least for important functions such as banking, healthcare, and social media accounts. It’s also smart to use a highly rated password manager with the platform’s password function. That can help keep your meetings secure from a Zoombombing intrusion.
  • Just make a regular phone call. Many meetings simply don’t need video. When that’s the case, pick up the phone to talk to a colleague or loop a small group into an old-fashioned conference call.

Allen St. John

I believe that technology has the power to change our lives—for better or for worse. That's why I’ve spent my life reporting and writing about it for outlets of all sorts, from newspapers (such as the Wall Street Journal and the New York Times) to magazines (Popular Mechanics and Rolling Stone) and even my own books ("Newton’s Football" and "Clapton’s Guitar"). For me, there's no better way to spend a day than talking to a bunch of experts about an important subject and then writing a story that'll help others be smarter and better informed.