Zoom must adhere to strict security standards to satisfy an agreement with the Federal Trade Commission, the commission announced Monday.
The video conferencing company and an omnipresent fixture of the COVID-19 lockdowns has had a string of security controversies dating back to last year, including services it advertised, but did not offer. In May, it was discovered the app was not end-to-end encrypted as advertised. Other discoveries included video recordings not being immediately encrypted and, between 2018 and 2019, installation of a "ZoomOpener" webserver module on Macs that bypassed Apple's security.
The agreement between the FTC and Zoom will soon be published in the Federal Register before undergoing a 30-day public comment period. As it currently stands, Zoom agrees not to mislead the public about security features and regularly audit its security in a variety of ways. It also agrees to follow standardized processes for video file naming, personal data deletion, and investigating security events.
Following recent criticism, Zoom announced a flurry of new security efforts. It starting to roll out end-to-end encryption in October. The company added former SalesForce executive Jason Lee as a new chief information officer and added support for two-factor identification. Zoom also announced it had contracted Bugcrowd to run a bounty program.
"Zoom is very active with their bug bounty program and has been responsive to researcher and Bugcrowd feedback," BugCrowd CEO Ashish Gupta told SC Media Zoom in October. "They have hired additional experts with vast experience in bug bounty programs to help manage their internal processes and further benefit from the power of the security researchers submitting on their bug bounty program."
Apple removed the OpenZoom app from all Macs in 2019.
In a statement to the media, the FTC said it believed the agreement would ultimately make consumers safer.
“During the pandemic, practically everyone — families, schools, social groups, businesses — is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”