On November 9, the FTC announced a settlement of its complaint against Zoom Video Communications, Inc. The complaint charged Zoom with deceptive and unfair privacy and security practices, including claiming that it offered end-to-end encryption.
The end-to-end encryption claim has garnered the most attention. As the complaint states, Zoom represented that it offered end-to-end encryption. Instead, as this blog has previously explained, Zoom offered transport encryption, which meant that the Zoom service itself could access the unencrypted video and audio content of meetings. This meant that the confidentiality of recorded Zoom meetings depended entirely upon Zoom servers’ security from hackers—a particular concern for some users given that Zoom has servers in China. (As of October 26, Zoom began offering true end-to-end encryption as a technical preview, meaning that the company is proactively seeking feedback from its users.)
Zoom’s consent agreement with the FTC does not specifically mention end-to-end encryption. Rather, the consent agreement requires Zoom to take steps to ensure the confidentiality of “Covered Information,” defined to include an individual’s name, address, email address, social security number, IP address, or other information. The consent agreement also requires Zoom to implement a vulnerability assessment program and to obtain independent assessments of said program.
The FTC consent agreement is the latest in a long line of legal proceedings that have forced Zoom to change its privacy policies and practices since the pandemic began. In May, the New York Attorney General pushed Zoom into agreeing to provide additional security protections, including enhanced encryption protocols. Zoom has also faced an array of private lawsuits, including shareholder litigation, litigation under the California Consumer Privacy Act, and general watchdog litigation.
For more information regarding this article, please contact Sean Griffin.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.