After Zoom made false statements about the security of the video conference software for years, the provider has committed to the US trade authority FTC to strengthen the security measures. The company does not have to pay fines and the users concerned do not receive any compensation. This was announced by the US trade authority and also provided further information about the allegations against the company. This has not only advertised for at least 2016 a stronger encryption of the video conferences than was used, but also not protected the data as promised elsewhere.

A winner of the corona crisis Zoom has been offering its software for video conferences for years, In the course of the global restrictions in the fight against the new type of corona virus, the number of users really exploded in spring. Within a few weeks, the number of daily users increased from 10 to 200 millions. The increased attention had drawn IT experts on the scene and caused criticism of the company’s data protection practices. Zoom reacted and got the respected expert Alex Stamos on board as a consultant. Zoom has been offering real end-to-end encryption since the end of October.

As the FTC now states, Zoom has at least since 2016 claims to use “256 – bit-end-to-end encryption”, although much less secure technology was used. IT security experts made this public in April, after which Google, for example, banned the use of Zoom. In addition, Zoom kept the keys himself and was able to access the content. Information about the storage of the video data on Zoom’s servers was also misleading, where it had been unencrypted for up to 60 days before it was moved to secure cloud storage. A software called ZoomOpener for bypassing warnings on Macs ultimately endangered the safety of users, for example by automatically reinstalling the Zoom software once it had been uninstalled under certain circumstances.

That the FTC despite these violent allegations has waived penalties with the votes of the three Republicans in the commission, the two commissioners criticize the Democrats. The company does not have to pay back fees or make amends. Affected users do not even have to be informed, criticizes Commissioner Rebecca Kelly Slaughter. The company was only obliged to regularly review security risks and develop protective measures. In addition, users should be better protected, for example through multi-factor authentication of the accounts. False promises about data protection and the security of the software are also prohibited.

(mho)