On November 9, the FTC announced a settlement of its complaint against Zoom Video Communications, Inc. The complaint charged Zoom with deceptive and unfair privacy and security practices, including claiming that it offered end-to-end encryption.
The end-to-end encryption claim has garnered the most attention. As the complaint states, Zoom represented that it offered end-to-end encryption. Instead, as this blog has previously explained, Zoom offered transport encryption, under which the Zoom service itself could access the unencrypted video and audio content of meetings. The confidentiality of recorded Zoom meetings therefore depended entirely upon the security of Zoom's servers against hackers, a particular concern for some users given that Zoom has servers in China. (As of October 26, Zoom began offering true end-to-end encryption as a technical preview, meaning that the company is proactively seeking feedback from its users.)
Zoom’s consent agreement with the FTC does not specifically mention end-to-end encryption. Rather, the consent agreement requires Zoom to take steps to ensure the confidentiality of “Covered Information,” defined to include an individual’s name, address, email address, social security number, IP address, or other information. The consent agreement also requires Zoom to implement a vulnerability assessment program and to obtain independent assessments of said program.
The FTC consent agreement is the latest in a long line of legal proceedings that have forced Zoom to change its privacy policies and practices since the pandemic began. In May, the New York Attorney General pushed Zoom into agreeing to provide additional security protections, including enhanced encryption protocols. Zoom has also faced an array of private lawsuits, including shareholder litigation, litigation under the California Consumer Privacy Act, and general watchdog litigation.