So…are we gonna talk about Zoom “being on probation” for 20 years by the FTC, or nah?
— Erica Williams (@haircutfw) November 13, 2020
On Nov. 9, 2020, the United States Federal Trade Commission announced a pending settlement with Zoom Video Communications, Inc. According to FTC Matter/File Number: 192 3167, “Zoom Video Communications, Inc. will be required to implement a robust information security program to settle FTC allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.”
Wait — Zoom what now?
Let’s back up a bit.
Founded in 1914, the U.S. Federal Trade Commission is an independent agency that is inherently antitrust, with Section 5 of the FTC Act addressing unfair and deceptive trade practices. But when it comes to consumer privacy, the FTC has been a little more broad and a little less specific with its policies.
The FTC enforces laws like the 1974 Credit Reporting Act and the 2003 CAN-SPAM Act, which give it the authority to regulate, pass judgment and fine companies who do not follow the rules.
But what if the laws are not clear, or if emerging technology doesn’t quite fit them? What if a company can prove its leadership didn’t know they were doing anything wrong, until someone told them that they were?
Enter the consent decree/order. A consent decree is not an admittance of guilt of past actions, but more of a promise to never do the questionable actions again. It’s like saying, “Oh! Sorry, officer, I didn’t realize there was a crosswalk. I will use that from now on instead of jaywalking, which I thought was OK. But yes, now we all agree on the rules, and I will follow them, you will see. I am not bad people.” Sometimes fines are imposed along with the consent decrees, other times the fines are only given if the consent decree is violated.
Part of the typical consent decree is a timeline to adhere to it, which gives the FTC the authority to monitor the company like they are “on probation.” The fines for not complying are outlined in the decree.
If the FTC determines the company is violating the consent decree, then the fines are enforced without any additional negotiations. They essentially have the same power of a court case once they are settled.
However, there is no admittance of guilt — just a promise to play by the rules and the terms of the decree.
In the case at hand, the proposed consent is for Zoom to “to implement a robust information security program to settle FTC allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.”
As I touched upon in a previous column, Zoom had advertised end-to-end encryption for Zoom meetings, which it did not provide. The FTC also found recordings of meetings were being stored unencrypted on servers and in transit to the cloud — the commission was also not happy with how the users were told the ZoomOpener software was a bug fix, but did not explain the software setup a rogue web server that would “circumvent a privacy and security safeguard, or that the software would remain on their computers even after they had deleted Zoom.”
Is it news? Well, considering the recent news cycles, I’m not surprised that it didn’t make bigger headlines.
Are we going to talk about it? Personally, I’m happy to talk more about it sometime if you’d like, we’ve got 20 years, right? Or just stay tuned to rAVe PUBS; I’m sure this won’t be the last time I write about Zoom.