Zoom Settles with FTC On False Claims About End-to-end Encryption

Video conferencing company Zoom agreed to implement a strong information security program and undergo third-party assessments every other year in a settlement with the Federal Trade Commission over unfulfilled promises around end-to-end encryption and other privacy and security lapses.

The settlement announced Monday draws attention to an issue where stakeholders often end up talking past each other, without establishing what it means for data to be encrypted end-to-end.

“Since at least 2016, Zoom misled users by touting that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications,” the FTC wrote of its complaint. “End-to-end encryption is a method of securing communications so that only the sender and recipient(s)—and no other person, not even the platform provider—can read the content. In reality, the FTC alleges, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.”

But dissenting Democratic commissioners said Zoom’s punishment fell far from fitting the crime. 

Minority Commissioner Rohit Chopra said the settlement failed to provide affected consumers with any notice of Zoom’s misrepresentations, any help—the ability to extricate themselves from long-term contracts, for example—or refunds, and assigned no fault to the company.

Chopra also questioned the effectiveness of third-party assessments, noting that these didn’t stop Facebook’s violations, and pointed out that Zoom is likely already subject to third-party assessments from other contracts and orders. 

“Strengthen orders to emphasize more help for individual consumers and small businesses, rather than more paperwork,” Chopra said in laying out an approach to overhaul what he said has become the commission’s status quo behavior.

“It is critical that we restore the agency’s credibility deficit when it comes to oversight of the digital economy,” Chopra wrote. “This does not stem from a lack of authority or resources or capabilities from our staff—it stems from the policy and enforcement approach of the Commission, and this needs to change.”

In her own dissent, Democrat Rebecca Kelly Slaughter focused on a lack of measures around privacy protection, and joined Chopra on the need for recourse to customers and to strengthen the commission’s enforcement efforts across the board.   

Chopra’s vision for a new order at the FTC would also include conducting a rulemaking around data security, based on established precedent, so that financial compensation for victims could be more easily extracted.  

But such actions, as well as decisions on individual cases, require a majority of commissioners’ approval. President-elect Biden would have the power to choose a new chairman. But even if the current chairman resigns, creating a vacancy, Republicans in the Senate could stall the confirmation of a nominee to fill it, leaving the commission split and largely disabled.