Zoom to implement new security program under FTC settlement

Videoconferencing platform Zoom has agreed to implement a security program as part of a settlement with the Federal Trade Commission (FTC) announced Monday.

The settlement, approved by the FTC by a vote of 3-2, requires Zoom to heighten security by creating a vulnerability management program, deploying certain safeguards including multifactor authentication, and assessing and documenting new security risks and ways to protect against them every year.

The FTC alleged that Zoom misled users about its encryption practices, saying in the settlement that “Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.”

The FTC also alleged that the “ZoomOpener” web server, which was rolled out in 2018 and launched Zoom meetings, bypassed an Apple Safari security protocol designed to protect users from a certain kind of malware, thereby compromising the security of the user’s network. The agency further alleged that the Zoom software remained on the user’s network even after the app was deleted, potentially opening the door to remote surveillance by strangers.

Under the settlement, Zoom personnel will be required to review software updates for security vulnerabilities, including making sure updates do not impede third-party security features, and the company is prohibited from misrepresenting privacy and security practices to users. The company will also be required to allow a third party to conduct biennial assessments of its security program.