Zoom Boosts Security After U.S. Claims it Misled Users

Zoom Video Communications Inc. agreed to boost its security to settle claims it misled users about access to online meetings and other issues, the U.S. Federal Trade Commission said.

Since at least 2016, the videoconferencing platform, which skyrocketed in popularity this year because of coronavirus lockdowns, said it offered a higher level of encryption for its meetings than it actually did and also misled participants about the level of security for storing meeting recordings, the FTC alleged Monday in a statement.

“During the pandemic, practically everyone — families, schools, social groups, businesses — is using videoconferencing to communicate, making the security of these platforms more critical than ever,” the director of the FTC’s Bureau of Consumer Protection, Andrew Smith, said in the statement. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

As part of the settlement, Zoom will have to document and assess security risks every other year, develop ways to manage them, deploy more methods to protect against unauthorized access of the network and take other steps, including preventing “the use of known compromised user credentials,” the FTC said.

Zoom said it has already put in place the security improvements required by the settlement with the commission.

“We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs,” Zoom said in a statement. “We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC.”

The company’s shares declined 13% to $434.66 at 1:22 p.m. in New York. The stock dropped as much as 18% earlier Monday, its biggest intraday decline since its April 2019 initial public offering, on news that Pfizer Inc.’s Covid-19 vaccine is more than 90% effective in a trial. Other companies that have benefited during the lockdowns spurred by pandemic, including Peloton Interactive Inc., also fell on the vaccine report. Zoom had jumped more than sixfold this year through Friday’s close, while its tally of daily meeting participants had surged to 300 million from 10 million.

FTC officials said the investigation of Zoom had been going for more than a year, though it was expanded in the spring when new allegations came to light. The settlement doesn’t include a financial penalty against Zoom, but the officials said on a conference call that the company would be subject to civil penalties if it misrepresents its products in the future.

If the agency had litigated claims against Zoom, “we might have gotten more or different relief, but we’d be having this conversation in 2022,” the FTC’s Smith said on the call.

Zoom had hoped that scrutiny over its security lapses was behind it. The company instituted a 90-day security plan on April 1, during which it froze development of other features not related to user privacy and safety. Zoom held public weekly meetings to discuss the updates of its efforts, which focused principally on developing the end-to-end encryption it had long promised. It’s the highest level of data privacy available, in which no one — not even Zoom — can decipher communications. The FTC alleged that claiming to have this form of encryption was one of Zoom’s biggest deceptions. The company has also made it easier for hosts to assert control over meetings by screening, muting and kicking out uninvited guests or disruptors.

Since Zoom’s initial 90-day plan ended, the company has promised periodic updates on security. Zoom is currently on a quest to be an even bigger part of users’ lives, by debuting a service to provide philanthropic, free and paid events, such as yoga or language-learning classes, and has also developed Zapps, a way to better integrate Zoom with more business applications so that workers are more productive on the platform. Chief Financial Officer Kelly Steckelberg said as recently as last month that security is now built into every product the company is developing.

The commission’s three Republicans voted for the settlement, while its two Democrats dissented.

Democratic Commissioner Rohit Chopra said the settlement didn’t go far enough.

“While deciding to resolve a matter through a settlement, regulators and enforcers must seek to help victims, take away gains and fix underlying business incentives,” Chopra said in a statement.