This time last year, “Zoom” was just a word associated with speed. But the pandemic has made the video conferencing platform Zoom an everyday tool: business people use it to discuss trade secrets, doctors and mental health professionals to discuss sensitive patient information, children to finish school, and the rest of us to share the everyday details and family matters that need to stay private. According to a just-released FTC complaint, Zoom allegedly engaged in deceptive and unfair practices that misled consumers about the security of communications on the platform and put some users at risk when the company circumvented security features built into the Safari browser. The proposed settlement would require Zoom to live up to its security commitments and implement a comprehensive plan to protect consumer information going forward.
Just use Zoom a few times and you’ll understand the breadth of data the company collects: names, email addresses, general locations, credit card numbers, attendees’ identities, and a wealth of information generated when people use the service, including chats, messages, files, and recorded meetings stored in Zoom’s cloud storage. Zoom is apparently aware of consumer concerns about the security of its communications, claiming on its website and elsewhere that it “takes security seriously,” “regards privacy and security as its highest priority,” and is “committed to protecting your privacy and security.”
Zoom touts “end-to-end AES 256-bit encryption” for all its meetings on its website, in its app, in its security guide and in direct communications with potential customers. End-to-end encryption is a way to secure communications so that only the sender and the recipient can read the content; no one in between, not even the platform provider, can. AES 256-bit encryption is a very high level of encryption, used to protect “top secret” messages. According to a 2015 Zoom blog post, “Zoom uses AES 256 encryption,” making it “impossible for hackers to obtain anything other than hopelessly garbled transmissions.” The company also told healthcare providers that “end-to-end AES 256-bit encryption of all meeting data and instant messages” makes the platform suitable for the enhanced security needs of telehealth video conferencing.
That’s what the company claimed, but the FTC said Zoom delivered much less. In fact, Zoom did not provide end-to-end encryption for most Zoom meetings, because Zoom’s servers, including some in China, held the encryption keys, which allowed Zoom to access the content of its customers’ meetings. Additionally, the FTC said the company’s claims about “256-bit encryption” were false or misleading because Zoom actually used a lower level of encryption that provides less protection.
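The distinction the FTC draws above, between a provider that holds the meeting keys and true end-to-end encryption, is easy to see in code. The following Go program is an added illustration, not Zoom’s or the FTC’s code, and it models a simplified scenario: two participants (alice and bob) agree on a 256-bit AES key over X25519 ECDH and the relay server only ever sees ciphertext, versus a transport-only design where the server issues the meeting key and can therefore decrypt everything. It also makes the “256-bit” point concrete: AES-GCM in Go selects the AES variant purely from the key length, so a 16-byte key is AES-128 and a 32-byte key is AES-256. SHA-256 stands in for a proper key-derivation function, and the server’s “attempt” to read is modelled as decryption with a key it guesses, which AES-GCM rejects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// seal encrypts with AES-GCM. The key length picks the variant:
// 16 bytes is AES-128, 32 bytes is AES-256.
func seal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// open decrypts and authenticates; a wrong key yields an error, never garbage.
func open(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// KeyBits is the AES key size a raw key actually selects; a "256-bit" claim needs 32-byte keys.
func KeyBits(key []byte) int { return len(key) * 8 }

// Peer is one meeting participant. Its X25519 private key never leaves the client.
type Peer struct{ priv *ecdh.PrivateKey }

func NewPeer() (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{priv: priv}, nil
}

// SharedKey derives a 256-bit AES key from the ECDH secret (SHA-256 as a simplified KDF).
func (p *Peer) SharedKey(remote *ecdh.PublicKey) []byte {
	secret, err := p.priv.ECDH(remote)
	if err != nil {
		panic(err) // only possible with a malformed public key
	}
	sum := sha256.Sum256(secret)
	return sum[:]
}

// RelayResult records what the relay server could do with one message.
type RelayResult struct {
	ServerCanRead bool   // true if the server decrypted the content
	Received      string // what the receiving peer decrypted
}

// EndToEnd models true end-to-end encryption: the server forwards ciphertext it has no key for.
func EndToEnd(msg string) (RelayResult, error) {
	alice, err := NewPeer()
	if err != nil {
		return RelayResult{}, err
	}
	bob, err := NewPeer()
	if err != nil {
		return RelayResult{}, err
	}
	nonce, ct, err := seal(alice.SharedKey(bob.priv.PublicKey()), []byte(msg))
	if err != nil {
		return RelayResult{}, err
	}
	// The server sees only (nonce, ct); its best effort is a guessed key, which GCM rejects.
	serverGuess := make([]byte, 32)
	if _, err = rand.Read(serverGuess); err != nil {
		return RelayResult{}, err
	}
	_, serverErr := open(serverGuess, nonce, ct)
	pt, err := open(bob.SharedKey(alice.priv.PublicKey()), nonce, ct)
	if err != nil {
		return RelayResult{}, err
	}
	return RelayResult{ServerCanRead: serverErr == nil, Received: string(pt)}, nil
}

// ServerHeldKey models transport-only encryption: the server issues the meeting key,
// so whatever passes through it is readable by the provider.
func ServerHeldKey(msg string) (RelayResult, error) {
	meetingKey := make([]byte, 32)
	if _, err := rand.Read(meetingKey); err != nil {
		return RelayResult{}, err
	}
	nonce, ct, err := seal(meetingKey, []byte(msg))
	if err != nil {
		return RelayResult{}, err
	}
	serverView, serverErr := open(meetingKey, nonce, ct) // the server holds the key
	pt, err := open(meetingKey, nonce, ct)
	if err != nil {
		return RelayResult{}, err
	}
	return RelayResult{ServerCanRead: serverErr == nil && string(serverView) == msg, Received: string(pt)}, nil
}

func main() {
	e2e, _ := EndToEnd("quarterly numbers")
	held, _ := ServerHeldKey("quarterly numbers")
	fmt.Printf("end-to-end: server can read = %v\n", e2e.ServerCanRead)
	fmt.Printf("server-held key: server can read = %v\n", held.ServerCanRead)
	fmt.Printf("16-byte key = AES-%d, 32-byte key = AES-%d\n", KeyBits(make([]byte, 16)), KeyBits(make([]byte, 32)))
}
```

Both designs encrypt the traffic on the wire, which is why a provider can truthfully say “encrypted” and still be able to read meeting content; the property a customer should ask about is who holds the key, not whether AES is used.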
For paying customers, Zoom also offered the option to have recorded meetings stored in Zoom’s secure cloud immediately after the meeting ended. According to the FTC, however, the recordings sat unencrypted on Zoom’s servers for up to 60 days before being transferred to Zoom’s secure cloud storage, where they were finally stored encrypted.
The FTC also claimed that Zoom installed software called ZoomOpener on Mac users’ computers, which raised special privacy and security concerns. Mac users will want to read the complaint for details, but here’s the summary. To help protect against malware and malicious actors, Apple updated its Safari browser to require users to interact with a dialog box whenever a website or link tries to launch an external application. So when a consumer clicks an invitation link to a Zoom meeting, they have to click “OK” before the Zoom app opens and joins the meeting. In July 2018, however, Zoom updated the Mac version of its app to include ZoomOpener, which avoided this dialog box. The company described the update as “minor bug fixes,” but the FTC said Zoom had other purposes: in fact, Zoom’s “fix” circumvented the security measure in Apple’s Safari browser. The result: clicking a link joined the consumer to a Zoom meeting automatically, with their camera switched on unless they had changed Zoom’s default video setting.
Importantly, Zoom took no countervailing measures to protect users, and the FTC alleges that Zoom’s behind-the-scenes tactic put Mac users at risk. For example, a bad actor could send a phishing email that is actually a disguised Zoom invitation; if a consumer clicked the link, it could open a Zoom meeting without their permission and let strangers spy on them through their webcam or install malware on their computer. Even if a user deleted the Zoom application, ZoomOpener and its attendant vulnerabilities remained, and ZoomOpener could reinstall the Zoom app without the user’s permission or knowledge. Apple removed the ZoomOpener web server from users’ computers in 2019.
The proposed administrative complaint accuses Zoom of violating the Federal Trade Commission Act by making deceptive claims about end-to-end encryption, false promises about the level of encryption it provides, and misleading statements about secure cloud storage of recorded meetings. In addition, the FTC alleged that Zoom unfairly circumvented third-party privacy and security protections by installing ZoomOpener, and that Zoom deceptively failed to provide consumers with complete information about ZoomOpener.
The proposed settlement prohibits Zoom from making various misrepresentations related to privacy and security. It also requires Zoom to implement a far-reaching information security program that includes security reviews of all new software before release, a vulnerability management plan, regular security training for all employees, specialized training for developers and engineers, and independent assessments of the program by a qualified third party within 180 days and then every other year for the next 20 years. Once the proposed settlement is published in the Federal Register, the FTC will accept public comments for 30 days.
Although Zoom has ceased most of the practices challenged in the complaint, the most effective means of future compliance is a comprehensive security overhaul that is evaluated by a qualified third party, monitored by the FTC, and enforced in court. The hundreds of millions of consumers who rely on Zoom every day to conduct business, get health care, educate their children, and connect with their families have a right to expect that the company will take steps to protect their personal information.
Looking for more information about using video conferencing platforms? Read Video Conferencing: 10 Privacy Tips for Your Business.
from Tech Empire Solutions https://techempiresolutions.com/spotlight-on-zooms-unfair-and-deceptive-security-practices-more-on-ftc-settlement/