Zoom agreed to a settlement with the Federal Trade Commission Nov. 9 over allegations that the videoconferencing company engaged in "deceptive and unfair" security practices.
In March, HHS relaxed HIPAA regulations to allow providers to participate in telehealth visits with patients via their personal phones and on platforms including Zoom, FaceTime, Skype and more.
Seven details:
1. The misleading security practices came to light once use of the videoconferencing platform skyrocketed at the start of the COVID-19 pandemic. In December 2019, Zoom had about 10 million daily meeting participants, which grew to 300 million in April, according to the news release.
2. In April, The Wall Street Journal reported that Zoom was struggling to manage the dramatic influx in users and privacy issues. While the company originally marketed itself as having end-to-end encryption to safeguard conversations, security experts later found that the promised level of protection didn't exist.
3. In its complaint, the FTC alleged that since at least 2016, Zoom has been misleading users by claiming it offers end-to-end encryption, which secures online communications so that only the sender and recipient can read the content.
4. The FTC claimed that Zoom actually maintained access to the content of its customers' messages and used a lower level of encryption than promised to secure its Zoom meetings. Zoom's misleading claims gave users a false sense of privacy, especially for those who used the platform to discuss topics such as healthcare, the FTC said.
5. The FTC also alleged that Zoom compromised the security of some users when it secretly installed its ZoomOpener web server software as part of a manual update for its Mac desktop application in July 2018. The software allowed Zoom to automatically launch a meeting by bypassing an Apple internet browser safeguard that protected users from malware.
6. As part of the settlement, Zoom will participate in a comprehensive information security program that will require the company to assess and document any potential internal and external security risks annually; implement a vulnerability management program; and introduce safeguards such as multi-actor authentication to protect against unauthorized access to its network. The resolution does not include a financial component.
7. The settlement prohibits Zoom from making any misrepresentations about its privacy and security practices, including how it collects, uses, maintains and discloses personal information. The company's security program also must undergo biennial assessments by an independent third party.
"We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs," A Zoom spokesperson said in an emailed statement to Becker's. "We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. … The resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience."