Zoom was previously found to have falsely claimed to provide 256-bit, end-to-end encryption and other security measures, and was investigated and charged by the Federal Trade Commission (FTC). The FTC stated yesterday (the 9th) that Zoom had agreed to introduce a series of security measures as part of a settlement.
According to the complaint filed by the FTC earlier this year, Zoom has claimed since at least 2016 to provide end-to-end 256-bit encryption, misleading consumers. The FTC's investigation found a number of exaggerations in Zoom's marketing.
First, the industry definition of end-to-end encryption requires that no one, including the service provider, can read the content; Zoom, however, retains the encryption/decryption keys and is therefore able to access users' meetings. Nor was Zoom's encryption key 256-bit as claimed, but only 128-bit. In addition, Zoom claimed that users' video conferences would be encrypted and stored in the cloud after they ended, when in fact these recordings were stored on Zoom's servers in unencrypted form for at least 60 days before being transferred to encrypted cloud storage.
Other "crimes" include that the 2018 Zoom Mac app, once installed on a user's computer, silently installed and started the ZoomOpener web server, which bypassed the warning mechanism of Apple's Safari browser and allowed users to be joined to a meeting without their knowledge, exposing them to the risk of being remotely watched by strangers. Even after the Zoom app was removed, the ZoomOpener web server remained on the user's computer; Zoom did not disclose this to users. Zoom was also found to have data-theft and cross-site scripting (XSS) vulnerabilities, which were patched only after having been discovered more than a year earlier, and it failed to effectively prevent anonymous activity on the Internet.
As a condition of the settlement between the two parties, the FTC requires Zoom to introduce a series of security enhancements, including multi-factor authentication, data deletion controls and protection against the misuse of user account credentials; a vulnerability management program; and stronger control of internal and external security risks. Zoom must also review its software updates for security flaws, must not undermine the security of third-party software, and must truthfully disclose its privacy and security practices, including how it collects and uses users' personal information and what rights users have over it. Finally, Zoom must agree to have a third party review its security measures twice a year.
The FTC also requires that each future violation of the aforementioned requirements be subject to a fine of $43,000.
Zoom officially began offering end-to-end encryption for both the paid and free versions at the end of October, starting with the PC and mobile versions. Zoom expects to add further security features in 2021, including improved identity management and E2EE single sign-on (SSO) integration.