The Federal Trade Commission (FTC) on Monday said it had settled with Zoom, the US-based video calling software solutions provider. The FTC had filed a complaint that Zoom had knowingly misled its users about the level of security it used on the video calls.
What is the case against Zoom?
Zoom, a US-based video calling software provider, came into the limelight suddenly after lockdowns in various parts of the world forced people to work from home and opt for video calling solutions to conduct their daily meetings. The company, which had 10 million users in December 2019, saw as many as 300 million users join its platform by April 2020.
Earlier this year, the FTC instituted a suo motu probe against Zoom, alleging that it had violated several provisions laid down by the agency, citing, among others, its failure to conduct adequate training programmes on secure software development principles and the lack of security audits before updates to the software were released.
The FTC also charged that although the company offered to store its clients’ meetings on secured cloud servers, these meetings remained on unsecured cloud servers for more than 60 days before they were moved to secure locations.
The FTC further alleged that Zoom had falsely claimed to provide ‘end-to-end’ encryption for its users, whereas in reality the company held the “cryptographic keys”, which meant that it could access these meetings at any time it wanted.
What do the charges against Zoom mean?
The first charge brought against Zoom by the FTC is that the company deceptively claimed that it provided ‘end-to-end’ encryption for all its users. End-to-end encryption means that no one other than the host and the attendees is able to access the contents of the meeting, or join it, without permission from the host.
In its probe, however, the FTC found that Zoom had lied about providing end-to-end encryption to all users. Users who did not use its paid ‘Connecter’ product were not provided with end-to-end encryption. The data of most such users was stored on servers based in China.
Furthermore, Zoom also held the ‘cryptographic keys’ to these meetings, which meant that the company could access any meeting it wanted to without the host or the attendees of the meeting coming to know about it. A cryptographic key is used to secure communication between two parties by encrypting the plain text into unreadable ciphertext. If a company or an individual has access to the cryptographic keys of a private communication, the contents of that communication can be easily decrypted and accessed by them.
The second major charge brought by the FTC against Zoom says that the company lied about its ability to store clients’ meetings on secured cloud storage, which were also said to be encrypted for better security. During its probe, the FTC found that the company kept clients’ meetings unencrypted on unsecured cloud servers for up to 60 days before transferring them to a more secure location. Most of these cloud servers were located in China.
The third grave charge against Zoom is that it bypassed user consent in the case of customers using Apple’s operating systems. This meant that Zoom could have been functioning in the background, listening to all the conversations of the user, without the said user ever being alerted about it.
Zoom would also bypass the user’s consent for joining a Zoom meeting and automatically launch the meeting with video on, without the user ever clicking to join it. This, the FTC said, could easily have been exploited by malicious actors by way of a phishing attack.
What will Zoom have to do now?
As part of its settlement with the FTC, the company will have to undertake several steps, such as implementing a comprehensive information security program for all its employees and documenting it in writing.
The company must also document any security incident within 12 days of its occurrence, recording what data was stolen, how the information was leaked, and other details. Zoom must also conduct a quarterly security audit review of its networks and systems and agree to “biennial assessments” of the new security programme it implements by an independent, FTC-approved third-party auditor.
How does it impact India?
As elsewhere in the world, many organisations and institutions in India shifted to Zoom meetings after the nationwide lockdown was announced in March. Soon after a large number of Indian users joined the platform, several meetings began to be hacked or interrupted. Following this, the Ministry of Home Affairs issued a directive that meetings of the ministries must not be conducted on Zoom because of its various security vulnerabilities.
Though the conditions imposed by the FTC will apply to the company’s operations worldwide, it will also be pertinent for Indian regulators to seek a status report from Zoom on its domestic operations and see whether any data was unknowingly kept stored on Chinese servers without the permission of the users, experts said.