Nov 11, 2020 14:00:00

Federal Trade Commission claims Zoom has falsely advertised 'end-to-end encryption' to users

Various

security and privacy issues have been pointed out regarding Zoom , a video conferencing tool that has made great strides during the pandemic of the new coronavirus. In connection with the proposed settlement with Zoom announced on Monday, November 9, 2020 by the US Federal Trade Commission (FTC) , which has been investigating Zoom security issues, 'Zoom is end-to-end encryption. Was falsely advertising to users. '

FTC Requires Zoom to Enhance its Security Practices as Part of Settlement | Federal Trade Commission
https://www.ftc.gov/news-events/press-releases/2020/11/ftc-requires-zoom-enhance-its-security-practices-part-settlement

Zoom lied to users about end-to-end encryption for years, FTC says | Ars Technica
https://arstechnica.com/tech-policy/2020/11/zoom-lied-to-users-about-end-to-end-encryption-for-years-ftc-says/

Zoom has dramatically increased the number of users due to the increase in remote work and movement restrictions due to pandemics. On the other hand, various problems have emerged, such as security problems such as 'the encryption key for online meetings is stored on a server in China'.

It turns out that a part of the encryption key of the online video conferencing application 'Zoom' is issued from the 'Chinese server', and the 'waiting room' function is also vulnerable ant --GIGAZINE

FTC advertises Zoom's security practices as 'providing end-to-end encryption to protect user communications,' even though it doesn't actually implement end-to-end encryption. He pointed out that he misunderstood the user. According to FTV, Zoom will end with a compliance guide released in June 2016 and July 2017, a blog post in April 2017, a white paper released in January 2019, and answers to customer inquiries. He claimed to offer two-end encryption.

'In fact, Zoom's servers, including those located in China, stored encryption keys that allowed users to access the contents of Zoom conferences, except for Zoom conferences hosted on their own servers. We did not provide end-to-end encryption, 'says FTC. Zoom also provided a service to store meeting records in the cloud, but some records were stored unencrypted on Zoom's servers for up to 60 days.

Another problem is that Zoom secretly installed software called 'ZoomOpener Web server' for users of Zoom on Mac computers. The ZoomOpener Web server helped Zoom bypass Apple's security protocol and prevented Safari from displaying a warning box to users. The FTC has pointed out that the ZoomOpener Web server increases the risk of third party invasion of user privacy and in some cases reinstalls the uninstalled Zoom. In July 2019, Zoom implemented an update to remove ZoomOpener Web server from Mac applications.

FTC has been investigating these Zoom security issues. And on November 9, a settlement proposal was made on the conditions of 'establishing and implementing a comprehensive security program,' 'prohibiting misrepresentation of privacy and security,' and 'establishing detailed and concrete remedies to protect users.' It was announced that Zoom agreed.

'During the pandemic, virtually everyone, including families, schools, social groups and businesses, communicates using video conferencing, and these platforms,' said Andrew Smith, FTC's Director of Consumer Protection. Security in is more important than ever. While Zoom security practices weren't in line with what we promised our users, FTC actions help ensure that we protect data about our Zoom conferencing and our users. ' Said.

Please note that this settlement does not actually require Zoom to implement end-to-end encryption. However, Zoom announced that it acquired Keybase , a startup that develops encryption technology, in May 2020 and will roll out end-to-end encryption on its official blog in October.

Zoom Rolling Out End-to-End Encryption Offering --Zoom Blog
https://blog.zoom.us/zoom-rolling-out-end-to-end-encryption-offering/

The settlement was supported by Republican members, who make up the majority of the FTC, but Democrats are opposed to the settlement. 'The reconciliation does not provide any help to affected users, even for small businesses that rely on Zoom's data protection claims,' said Rohit Chopra, a Democratic member of the FTC. Zoom doesn't even have to pay 10 cents coins, 'he said, arguing that there is a problem with this settlement, which Zoom does not cover.

Meanwhile, Zoom is facing lawsuits from investors and consumers, leaving the possibility of indemnifying users apart from the FTC's settlement, Ars Technica of foreign media said. ..

Zoom is sued by investors for security and privacy issues --GIGAZINE

The FTC will solicit public comments on the settlement over the next 30 days, after which it will finally decide whether to make changes to the settlement. 'User security is Zoom's top priority. Users rely on Zoom to stay connected in an unprecedented global crisis, so users bring it to us,' Zoom said in a statement. We take trust seriously and continue to improve our security and privacy programs. We are proud of the progress of the platform and are already working on the issues identified by the FTC. Today's settlement by the FTC The proposal is in line with our commitment to product innovation and enhancement to provide a secure video communication experience. '