Daily life has changed a lot since the pandemic started. Because face-to-face interactions aren’t possible for so many of us, we’ve turned to videoconferencing for work meetings, school, catching up with our friends, even seeing the doctor.
When we rely on technology in these new ways, we share a lot of sensitive personal information. We may not think about it, but companies know they have an obligation to protect that information.
The FTC just announced a case against videoconferencing service Zoom about the security of consumers’ information and videoconferences, also known as “Meetings.” The FTC claimed that Zoom failed to protect users’ information in a variety of ways:
- Zoom said it provided end-to-end encryption — a way to protect communications so only the sender and the recipient can see them — for Zoom Meetings. It didn’t.
- Zoom said it secured Meetings with a higher level of encryption than it actually provided.
- Zoom told users who recorded a Meeting that it would save a secure, encrypted recording of the meeting when it ended. In reality, Zoom kept unencrypted recordings on its servers for up to 60 days before moving them to its secure cloud storage.
- Zoom installed software, called ZoomOpener, on Mac users’ computers. This software bypassed a Safari browser security setting and put users at risk — for example, it could have allowed strangers to spy on users through their computer’s web cameras. Or hackers could have exploited the vulnerability to download malware onto — and take control of — users’ computers. If users deleted the Zoom app, the ZoomOpener remained, as did these security vulnerabilities. Zoom could re-install the app without the user’s permission and without letting them know. (Apple removed the ZoomOpener web server from users’ computers in 2019.)
- Zoom didn’t give users the straight scoop about the ZoomOpener software. Zoom said the software was a bug fix, but didn’t tell users that it would be installing a web server that would circumvent a privacy and security safeguard, or that the software would remain on their computers even after they had deleted Zoom.
Zoom agreed to settle the charges brought by the FTC. Though Zoom has now discontinued many of the practices challenged in the complaint, the settlement puts your security top of mind for Zoom. It requires Zoom to live up to its privacy and security promises and to put in place a comprehensive security program designed to protect your information for many years to come — or pay big fines.
Check out our consumer tips to see how you can stay safe while video conferencing. And if you use video conferencing as part of your business operations, see Video conferencing: 10 privacy tips for your business.