April 04, 2020

Brown Blasts Zoom Video Communications For Inaccurately Advertising Their End-To-End Encryption Capabilities; Calls For The Federal Trade Commission (FTC) To Investigate

 

 U.S. Sen. Sherrod Brown (D-OH) – ranking member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs – yesterday sent letters to Zoom Video Communications, Inc. and the Federal Trade Commission (FTC) about the company’s virtual meeting technology, including concerns that Zoom may have engaged in deceptive practices by inaccurately advertising end-to-end encryption of its virtual meetings, putting consumers’ information and privacy at risk. Brown called for the FTC to initiate an investigation into Zoom’s virtual meeting products and pressed the company to quickly take steps to protect Americans’ privacy and security.

“The spread of the COVID-19 virus, social distancing and shelter-in-place requirements have forced Americans to move much of their day-to-day interactions online. Schools are educating remotely, consumers are increasingly relying on telehealth appointments, and video conferencing has replaced social gatherings with loved ones,” wrote Senator Brown. “It is unthinkable that Zoom has betrayed consumers’ trust by leading them to believe their conversations are private when, in fact, Zoom ‘has the technical ability to spy on private video meetings.’”

A copy of the letter to Zoom can be found below and here.

A copy of the letter to the Federal Trade Commission can be found below and here.

 

Mr. Eric S. Yuan

Founder and Chief Executive Officer

Zoom Video Communications, Inc.

Dear Mr. Yuan:

I write with concern that Zoom Video Communications, Inc. is inaccurately advertising the encryption technology used to secure the Zoom virtual meeting product, putting consumers’ information and privacy at risk.

As you know, the technology industry widely defines end-to-end (E2E) encrypted communication systems as ones where only the users doing the communicating can read or hear the messages[1]. In contrast, communication systems that use in-transit encryption make it technologically feasible for service providers to access the contents.

Both Zoom’s website[2] and published security white paper[3] tout end-to-end encryption capabilities for its meetings. On March 31, there were reports that a spokesperson for Zoom admitted: “Currently, it is not possible to enable E2E encryption for Zoom video meetings.”[4] The details provided by your spokesperson imply Zoom’s virtual meeting product uses technologies that the industry would define as in-transit encryption, not the more private E2E encryption.[5]

I acknowledge that your April 1 blog post states that in specific cases you “encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.”[6] However, that blog post left out critical technical details to accurately inform consumers of your encryption methodologies.

Due to the spread of the COVID-19 virus, social distancing and shelter-in-place requirements have forced Americans to move much of their day-to-day interactions online. As evidenced by Zoom’s increase in daily users from 10 million to 300 million over a three-month period, consumers are entrusting your company with their private conversations[7]. It’s not just the general public who is relying on your company to provide the encryption it promises—federal government leaders of the COVID-19 virus response spent $1.3 million of taxpayer money on Zoom licenses[8]. It is unthinkable that Zoom has betrayed consumers’ trust by leading them to believe their conversations are private when, in fact, Zoom “has the technical ability to spy on private video meetings.”[9]

To address these concerns, I respectfully request a response to the following questions no later than April 10, 2020.

 

1. Please describe the encryption algorithms and key management solutions used in Zoom’s:

a. Free virtual meeting product

b. Healthcare virtual meeting product

c. Government virtual meeting product

2. Do any of your products implement true end-to-end encryption where it is not technologically feasible to decrypt meeting contents on Zoom servers? If so, please provide details.

3. In which scenarios does the Zoom virtual meeting product display a green padlock indicator of security?

4. Does your company utilize a secure development lifecycle process? If so, please provide details.

5. Will you be updating your security white paper and marketing materials to more accurately reflect the encryption provided by your services? If so, please provide a timeline. If not, please explain.

 

Thank you for your attention to this matter.

 

 

Sincerely,

The Honorable Joseph J. Simons

Chairman

Federal Trade Commission

Dear Chairman Simons:

I write to request that the Federal Trade Commission (FTC) open an investigation into Zoom Video Communications, Inc. (Zoom). Based on media reporting and the company’s materials, I believe that the company is engaging in deceptive practices by inaccurately advertising end-to-end encryption of its virtual meetings and putting consumers’ information and privacy at risk.

The technology industry has widely defined end-to-end (E2E) encrypted communication systems as ones where only the users doing the communicating can read or hear the messages[10]. For example, when a message is sent over an E2E encrypted service, it stays encrypted until it reaches its destination—phone providers cannot read the message.

In contrast, a communication system that uses in-transit encryption allows service providers to access the message.[11] These types of communication systems provide encryption between the user and the service provider, but an unencrypted copy of the message is stored on the service provider’s devices.

Both Zoom’s website[12] and published security white paper[13] tout end-to-end encryption capabilities for its meetings. On March 31, there were reports that a spokesperson for Zoom admitted: “Currently, it is not possible to enable E2E encryption for Zoom video meetings.”[14] The technical details provided by Zoom reveal that their video meetings use technologies that the industry would define as in-transit encryption, not the more private E2E encryption.[15] Zoom’s April 1 blog post states that in some cases they “encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.”[16] However, this blog post actually continues Zoom’s consumer deception by not clarifying whether it is technologically feasible for them (or a bad actor) to decrypt the meeting on the Zoom servers. True E2E encryption technology does not allow for any extraneous party to retain the ability to decrypt the message.

Zoom’s representations appear to meet the elements for deception under the FTC Act: Zoom actively represents that it provides end-to-end encryption. That representation is likely to mislead consumers, and such representations about security of the services provided are material to consumers.[17]

Due to the spread of the COVID-19 virus, social distancing and shelter-in-place requirements have forced Americans to move much of their day-to-day interactions online. Schools are educating remotely, consumers are increasingly relying on telehealth appointments, and video conferencing has replaced social gatherings with loved ones. Zoom’s daily users have jumped from 10 million to 200 million in the past three months[18] and federal government leaders of the COVID-19 virus response have spent $1.3 million on Zoom licenses.[19] It is unthinkable that Zoom has betrayed consumers’ trust by leading them to believe their conversations are private when, in fact, Zoom “has the technical ability to spy on private video meetings.”[20]

The FTC has brought enforcement actions against other technology companies that misrepresent the security or privacy they are providing to their users.[21] Given the increased use of Zoom during this crisis, I ask that the FTC immediately open an investigation into what appears to be Zoom’s deceptive representations about the security and privacy it provides to its users.

Thank you for your attention to this matter.

 

Sincerely,
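The distinction both letters turn on (in-transit encryption ends at the provider's server; end-to-end encryption does not), as an added illustration that is not from the press release or from Zoom: a constructed Python model of a relay server where the only difference between the two modes is who holds the key that turns the content back into plaintext. The cipher is a stand-in SHA-256 keystream chosen to keep the model stdlib-only, and the client, key and relay names are assumptions.

```python
# Constructed toy model (added example, not Zoom's code): where the decryption
# key lives decides whether a relay server has the "technical ability" to read.
import hashlib
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (SHA-256 in counter mode), used only to show key
    placement. Symmetric: the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class Relay:
    """The service provider's server. It holds one transport key per client
    (TLS-style) and records every byte it is able to recover in transit."""

    def __init__(self):
        self.transport_keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
        self.observed = []  # whatever the provider sees after its own decryption

    def forward(self, sender: str, receiver: str, nonce: bytes, ct: bytes) -> bytes:
        # Transport encryption terminates here: peel the sender's layer,
        # keep a copy of what that reveals, re-encrypt for the receiver.
        revealed = keystream_xor(self.transport_keys[sender], nonce, ct)
        self.observed.append(revealed)
        return keystream_xor(self.transport_keys[receiver], nonce, revealed)


def send_in_transit(relay: Relay, msg: bytes) -> bytes:
    """Only transport encryption: the relay recovers the plaintext itself."""
    nonce = os.urandom(12)
    to_server = keystream_xor(relay.transport_keys["alice"], nonce, msg)
    to_bob = relay.forward("alice", "bob", nonce, to_server)
    return keystream_xor(relay.transport_keys["bob"], nonce, to_bob)


def send_e2e(relay: Relay, msg: bytes, e2e_key: bytes) -> bytes:
    """Transport encryption wrapped around a layer keyed only by Alice and Bob;
    the relay still peels the outer layer but is left holding ciphertext."""
    nonce = os.urandom(12)
    inner = keystream_xor(e2e_key, nonce, msg)  # e2e_key never reaches the relay
    to_server = keystream_xor(relay.transport_keys["alice"], nonce, inner)
    to_bob = relay.forward("alice", "bob", nonce, to_server)
    inner_at_bob = keystream_xor(relay.transport_keys["bob"], nonce, to_bob)
    return keystream_xor(e2e_key, nonce, inner_at_bob)


def provider_can_read(relay: Relay, msg: bytes) -> bool:
    """The feasibility question the letters ask: did the server hold the plaintext?"""
    return msg in relay.observed
```

Both paths deliver the same bytes to Bob; the model differs only in what the relay's `observed` log contains afterwards.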

 

###


 



[5] Id.

[9] See supra n. 4.

[15] Id.

[17] See FTC Policy Statement on Deception, available at https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf; see also FTC v. Tashman, 318 F.3d 1273, 1277 (11th Cir.2003) (establishing FTC Act liability if there was representation, the representation was likely to mislead customers, and the representation was material); In the Matter of James V. Grago, Jr, 2019 WL 1932143, at *1 (where FTC found misrepresentations about data encryption deceptive), see also In the Matter of BLU Products, Inc., 2018 WL 2042050, at *1 (where FTC found false representation about user information disclosure to be deceptive).

[20] See supra n. 5.

[21] See supra n. 7.