Zoom lied to users about end-to-end encryption for years, FTC says
Ars Technica reports that, after reaching a settlement with the Federal Trade Commission, Zoom has agreed to upgrade its security practices to match what it has been promising its customers for years. Zoom had claimed since 2016 that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications. In reality, while meeting traffic is encrypted while a session is in progress, Zoom itself held the keys, so the service did not meet the criteria for calling it ‘end-to-end’.
“[S]ince at least 2016, Zoom misled users by touting that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications, when in fact it provided a lower level of security,” the FTC said today in the announcement of its complaint against Zoom and the tentative settlement. Despite promising end-to-end encryption, the FTC said that “Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.”
The Zoom/FTC settlement doesn’t actually mandate end-to-end encryption, but Zoom last month announced it is rolling out end-to-end encryption in a technical preview to get feedback from users. The settlement does require Zoom to implement measures “(a) requiring Users to secure their accounts with strong, unique passwords; (b) using automated tools to identify non-human login attempts; (c) rate-limiting login attempts to minimize the risk of a brute force attack; and (d) implementing password resets for known compromised Credentials.”
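Controls (b), (c) and (d) in that list all live in a service’s login path. As an added illustration, not Zoom’s code, the following Python replays constructed login attempts and shows what each control would flag; the thresholds, window, sample attempts and the compromised-password set are all assumptions made for the example.

```python
from collections import defaultdict, deque
import hashlib

WINDOW_SECONDS = 60        # assumed sliding window for both counters
MAX_ATTEMPTS_PER_USER = 5  # (c): assumed limit on attempts against one account
MAX_USERS_PER_SOURCE = 8   # (b): assumed limit on distinct accounts per source

# Constructed attempts: (epoch seconds, account, source IP, password tried, success)
ATTEMPTS = (
    [(10 + i, f"u{i:02d}", "203.0.113.9", "123456", False) for i in range(9)]  # one source, 9 accounts
    + [(100 + 5 * i, "alice", "198.51.100.7", f"guess{i}", False) for i in range(6)]  # 6 tries on alice
    + [(200, "carol", "192.0.2.4", "Password1", True),        # weak, known-leaked password
       (210, "dave", "192.0.2.5", "x7!Qm-long-unique", True)]
)


def sha256_hex(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed stand-in for a breach corpus, kept as SHA-256 so no plaintext is stored
COMPROMISED = {sha256_hex(p) for p in ("Password1", "123456", "qwerty")}


def evaluate(attempts, window=WINDOW_SECONDS, max_per_user=MAX_ATTEMPTS_PER_USER,
             max_users_per_source=MAX_USERS_PER_SOURCE, compromised=COMPROMISED):
    """Replay attempts in time order and return what each control would flag."""
    per_user = defaultdict(deque)    # account -> timestamps inside the window
    per_source = defaultdict(deque)  # source  -> (timestamp, account) inside the window
    rate_limited, bot_sources, needs_reset = set(), set(), set()
    for ts, user, src, password, success in sorted(attempts):
        # (c) sliding-window count of attempts against a single account
        q = per_user[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_per_user:
            rate_limited.add(user)
        # (b) one source cycling through many accounts is a credential-stuffing pattern
        sq = per_source[src]
        sq.append((ts, user))
        while ts - sq[0][0] > window:
            sq.popleft()
        if len({u for _, u in sq}) > max_users_per_source:
            bot_sources.add(src)
        # (d) a correct password that appears in the compromised set forces a reset
        if success and sha256_hex(password) in compromised:
            needs_reset.add(user)
    return {"rate_limited": rate_limited, "bot_sources": bot_sources, "needs_reset": needs_reset}


if __name__ == "__main__":
    for control, hits in evaluate(ATTEMPTS).items():
        print(f"{control}: {sorted(hits)}")
```

A production check for (d) would consult a breach corpus rather than an inline set, and (c) would reject the attempt rather than only record it; the flagging logic is otherwise the same.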