Zoom Video Communications, Inc.; Analysis To Aid Public Comment
| Published date | 13 November 2020 |
| Record Number | 2020-25130 |
| Section | Notices |
| Court | Federal Trade Commission |
Federal Register, Volume 85 Issue 220 (Friday, November 13, 2020)
[Federal Register Volume 85, Number 220 (Friday, November 13, 2020)]
[Notices]
[Pages 72650-72657]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-25130]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 192 3167]
Zoom Video Communications, Inc.; Analysis To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement; request for comment.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis to Aid Public Comment describes both
the allegations in the complaint and the terms of the consent order--
embodied in the consent agreement--that would settle these allegations.
DATES: Comments must be received on or before December 14, 2020.
ADDRESSES: Interested parties may file comments online or on paper by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Please write ``Zoom Video
Communications, Inc.; File No. 192 3167'' on your comment, and file
your comment online at https://www.regulations.gov by following the
instructions on the web-based form. If you prefer to file your comment
on paper, mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex
D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Linda Holleran Kopp (202-326-2267),
Bureau of Consumer Protection, Federal Trade Commission, 600
Pennsylvania Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis to Aid Public Comment describes the terms of the
consent agreement and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC website at this web address: https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before December 14,
2020. Write ``Zoom Video Communications, Inc.; File No. 192 3167'' on
your comment. Your comment--including your name and your state--will be
placed on the public record of this proceeding, including, to the
extent practicable, on the https://www.regulations.gov website.
Due to the public health emergency in response to the COVID-19
outbreak and the agency's heightened security screening, postal mail
addressed to the Commission will be subject to delay. We strongly
encourage you to submit your comments online through the https://www.regulations.gov website.
If you prefer to file your comment on paper, write ``Zoom Video
Communications, Inc.; File No. 192 3167'' on your comment and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite
CC-5610 (Annex D), Washington, DC 20580; or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex
D), Washington, DC 20024. If possible, submit your paper comment to the
Commission by courier or overnight service.
Because your comment will be placed on the publicly accessible
website at https://www.regulations.gov, you are solely responsible for
making sure your comment does not include any sensitive or confidential
information. In particular, your comment should not include sensitive
personal information, such as your or anyone else's Social Security
number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure your comment does not include
sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2),
16 CFR 4.10(a)(2)--including in particular competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comment to be withheld from
the public record. See FTC Rule 4.9(c). Your comment will be kept
confidential only if the General Counsel grants your request in
accordance with the law and the public interest. Once your comment has
been posted on the https://www.regulations.gov website--as legally
required by FTC Rule 4.9(b)--we cannot redact or remove your comment
from that website, unless you submit a confidentiality request that
meets the requirements for such treatment under FTC Rule 4.9(c), and
the General Counsel grants that request.
Visit the FTC website at http://www.ftc.gov to read this Notice and
the news release describing the proposed settlement. The FTC Act and
other laws that the Commission administers permit the collection of
public comments to consider and use in this proceeding, as appropriate.
The Commission will consider all timely and responsive
[[Page 72651]]
public comments that it receives on or before December 14, 2020. For
information on the Commission's privacy policy, including routine uses
permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (``Commission'') has accepted, subject
to final approval, an agreement containing a consent order from Zoom
Video Communications, Inc. (``Zoom'').
The proposed consent order (``proposed order'') has been placed on
the public record for thirty (30) days for receipt of comments by
interested persons. Comments received during this period will become
part of the public record. After thirty (30) days, the Commission will
again review the agreement and the comments received, and will decide
whether it should withdraw from the agreement and take appropriate
action or make final the agreement's proposed order.
This matter involves Zoom, a videoconferencing platform provider
that provides customers with videoconferencing services and various
add-on services, such as cloud storage. Zoom's core product is the Zoom
``Meeting,'' which is a platform for one-on-one and group
videoconferences. Users can also, among other things, chat with others
in Meetings, share their screens, and record videoconferences.
In its proposed five-count complaint, the Commission alleges that
Zoom violated Section 5(a) of the Federal Trade Commission Act. First,
the proposed complaint alleges that Zoom misrepresented to users since
at least June 2016 that they could secure all Meetings with end-to-end
encryption. End-to-end encryption is a method of securing
communications where an encrypted communication can only be deciphered
by the communicating parties. No other person--not even the platform
provider--can decrypt the communication because they do not possess the
necessary cryptographic keys. Contrary to its representations to users,
Zoom did not provide end-to-end encryption for all Meetings because
Zoom's servers maintained the cryptographic keys that could allow Zoom
to access the content of its customers' Meetings.
Second, the proposed complaint alleges that Zoom misrepresented the
level of encryption it used to secure communications between
participants using Zoom's video conferencing service. Specifically,
Zoom had claimed since at least June 2016 that it secured Meetings, in
part, with Advanced Encryption Standard (AES) and using a 256-bit
encryption key (``AES 256-bit encryption''). The 256-bit encryption key
refers to the length of the key needed to decrypt the communication.
Generally speaking, longer encryption keys provides more
confidentiality protection than shorter keys because there are more
possible key combinations, thereby making it harder to find the correct
key and crack the encryption. Contrary to its representation to users,
Zoom in fact secured its Meetings with AES with a 128-bit encryption
key.
Third, the proposed complaint alleges that Zoom misrepresented
that, for users who opted to store recordings of their Zoom Meetings in
Zoom's secure cloud storage (``Cloud Recordings''), Zoom would process
and store such recordings in Zoom's cloud ``once the meeting has
ended.'' Contrary to its representations to users, Zoom kept Cloud
Recordings on Zoom's servers for up to 60 days, unencrypted, before
transferring them to Zoom's secure cloud storage, where they are then
stored encrypted.
Fourth, the proposed complaint alleges that Zoom violated Section 5
when it installed a local hosted web server (called ``ZoomOpener'') on
3.8 million users' Mac computers. In July 2018, Zoom updated its
application for Mac desktop computers by secretly deploying a web
server onto users' computers. The ZoomOpener web server was designed to
circumvent a security and privacy safeguard in Apple's Safari browser.
Apple had updated its Safari browser to help defend its users from
malicious actors and popular malware by requiring interaction with a
dialogue box when a website or link attempts to launch an outside App.
As a result of the new browser safeguard, users who clicked on a link
to join a Zoom Meeting would receive an additional prompt that read,
``Do you want to allow this page to open `zoom.us'?'' If the user
selected ``Allow'', the browser would connect the user to the Meeting,
while clicking ``Cancel'' would end the interaction and prevent the
Zoom application from launching. The ZoomOpener web server was designed
to avoid this extra prompt. It also remained on users' computers even
after users deleted the Zoom application, and would automatically
reinstall the Zoom app--without any user interaction--if the user
clicked on a link to join a Zoom Meeting or visited a website that had
a Zoom Meeting embedded in it.
The proposed complaint alleges that it was an unfair act or
practice for Zoom, without adequate notice or consent, to circumvent
the Safari browser safeguard without implementing any measures to
compensate for the circumvented privacy and security protections. The
proposed complaint alleges that doing so caused or was likely to cause
substantial injury to consumers, that consumers could not reasonably
avoid themselves, and that was not outweighed by countervailing
benefits to consumers or competition. Apple removed the ZoomOpener web
server from users' computers through an automatic update in July 2019.
Finally, the proposed complaint alleges Zoom violated Section 5
when it represented that it was updating its Mac application to resolve
minor bug fixes, but failed to disclose, or failed to disclose
adequately, the material information that the update would deploy the
ZoomOpener web server, that the web server would circumvent a Safari
browser privacy and security safeguard, or that the web server would
remain on users' computers even after they had uninstalled Zoom's Mac
application.
Part I of the proposed order prohibits Zoom from misrepresenting
its privacy and security practices in the future. It prohibits, for
example, misrepresentations about Zoom's collection, maintenance, use,
deletion, or disclosure of Covered Information; the security features,
or any feature that impacts a third-party security feature, included in
any Meeting Service; or the extent to which Respondent otherwise
maintains the privacy, security, confidentiality, or integrity of
Covered Information. ``Covered Information'' means information from or
about an individual.
Part II of the proposed order requires Zoom to establish,
implement, and maintain a comprehensive information security program
that protects the security, confidentiality, and integrity of Covered
Information. Among other things, Zoom must implement specific security
safeguards, such as a security review for all new software, a
vulnerability management program for its internal networks, security
training for its employees, inventorying personal information stored in
its systems and implementing data deletion policies, and other specific
security measures, such as proper network segmentation and remote
access authentication.
Part III of the proposed order requires Zoom to obtain initial and
biennial data security assessments for twenty years.
Part IV of the agreement requires Zoom to disclose all material
facts to the assessor and prohibits Respondent from
[[Page 72652]]
misrepresenting any fact material to the assessments required by Part
III.
Part V requires Zoom to submit an annual certification from a
senior corporate manager (or senior officer responsible for its
information security program) that it has implemented the requirements
of the Order, and is not aware of any material noncompliance that has
not been corrected or disclosed to the Commission.
Part VI requires Zoom to submit a report to the Commission of its
discovery of any Covered Incident. A ``Covered Incident'' is when any
federal, state, or local law or regulation requires Zoom to notify any
federal, state, or local government entity that information collected
or received by Zoom from or about an individual consumer was, or is
reasonably believed to have been, accessed or acquired without
authorization. Video and audio content are specifically included as a
type of personal information that would trigger notification.
Parts VII through X of the proposed order are reporting and
compliance provisions. Part VII requires acknowledgement of the order
and dissemination of the order now and in the future to persons with
responsibilities relating to the subject matter of the order. Part VIII
ensures notification to the FTC of changes in corporate status and
mandates that the company submit an initial compliance report to the
FTC. Part IX requires the company to create and retain certain
documents relating to its compliance with the order. Part X mandates
that the company make available to the FTC information or subsequent
compliance reports, as requested.
Part XI states that the proposed order will remain in effect for 20
years, with certain exceptions.
The purpose of this analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the complaint or proposed order, or to modify in any
way the proposed order's terms.
By direction of the Commission, Commissioner Chopra and
Commissioner Slaughter dissenting.
April J. Tabor,
Acting Secretary.
Majority Statement of Chairman Joseph J. Simons, Commissioner Noah
Joshua Phillips, and Commissioner Christine S. Wilson
At a time when millions of Americans are using videoconferencing
services on a daily basis, the settlement that the Commission announces
today ensures that Zoom will prioritize consumers' privacy and
security. The Commission's complaint alleges that Zoom made
misrepresentations regarding the strength of its security features and
implemented a software update that circumvented a browser security
feature. The proposed order provides immediate and important relief to
consumers, addressing this conduct. The order requires that Zoom
establish and implement a comprehensive security program that includes
detailed and specific security measures. These obligations include
reviews of all new software for common security vulnerabilities;
quarterly scans of its internal network and prompt remediation of
critical or severe vulnerabilities; and prohibitions against privacy
and security misrepresentations.\1\ This order will enable the
Commission to seek significant penalties for noncompliance. This
settlement provides critical, and timely, relief.
---------------------------------------------------------------------------
\1\ Although the complaint does not allege privacy violations,
the order includes targeted fencing in relief providing privacy
protections to consumers. For example, it prohibits Zoom from
misrepresenting its privacy practices, and requires Zoom to
implement changes to its naming procedures for saving or storing
recorded videoconference meetings, and to develop data deletion
policies and procedures. These and other requirements serve to
protect consumers' privacy as well as the security of their
information and communications.
---------------------------------------------------------------------------
We are confident that the proposed relief appropriately addresses
the conduct alleged in the complaint and is an effective, efficient
resolution of this investigation. Our dissenting colleagues suggest
additional areas for relief that likely would require protracted
litigation to obtain. Given the effective relief this settlement
provides, we see no need for that. Hundreds of millions of people use
Zoom on a daily basis, often for free or through month-to-month
contracts. We feel it is important to put in place measures to protect
those users' privacy and security now, rather than expend scarce staff
resources on speculative, potential relief that a Court would not
likely grant, given the facts here.\2\ Our goal is a safe and secure
Zoom that can continue to provide essential services to enable
Americans to conduct business, engage in learning, participate in
religious services, and stay connected. We applaud the FTC Staff for
their professional and expeditious work to achieve this settlement in
the midst of the pandemic. This case reflects the Commission's ongoing
commitment to work on behalf of consumers to respond to the panoply of
new challenges presented by COVID-19.
---------------------------------------------------------------------------
\2\ Our dissenting colleagues also argue that the settlement is
insufficient because it does not require Zoom to notify consumers of
its past misconduct. The conduct at issue was broadly publicized and
we believe the Commission's press release and business and consumer
education provide ample information for consumers to learn more.
---------------------------------------------------------------------------
Dissenting Statement of Commissioner Rohit Chopra
Summary
When companies deploy deception, this harms customers and
honest competitors, and it distorts the marketplace. This is
particularly problematic when it comes to the digital economy.
Zoom's alleged security failures warrant serious action.
But the FTC's proposed settlement includes no help for affected
parties, no money, and no other meaningful accountability.
The FTC's status quo approach to privacy, security, and
other data protection law violations is ineffective. However,
Commissioners can take a series of concrete steps to change this.
Introduction
Sometimes a new product becomes inextricably linked to the brand
that made it popular. Kleenex, Band-Aids, and Frisbees are examples
where the company became synonymous with the product.\1\ This is
particularly true in the digital economy where products can improve the
use and capability of technology to the point of transforming its role
in everyday life. We use ``Google'' as a verb when referring to use of
a search engine. We ``Uber'' when we need a ride across town. And now,
we ``Zoom'' when referring to videoconferencing. If becoming a verb
threatens a trademark, firms fight against it. If it means becoming the
default product in a market, they fight for it. But, profiting through
unlawful means must come with real consequences.
---------------------------------------------------------------------------
\1\ Mark Abadi, Taser, Xerox, Popsicle, and 31 more brands-
turned-household names, Business Insider (June 3, 2018), https://www.businessinsider.com/google-taser-xerox-brand-names-generic-words-2018-5.
---------------------------------------------------------------------------
Zoom (NASDAQ: ZM) did not invent web-based video conferencing.
Indeed, there are many other players in the market. But Zoom succeeded
in becoming the ``default'' for many businesses, both large and small,
capturing a significant market share despite a crowded field. However,
the allegations in the FTC's complaint raise questions whether Zoom's
success--and the tens of billions of dollars of wealth created for its
shareholders and executives in a short period of time--was advanced
through fair play.\2\ In my
[[Page 72653]]
view, the evidence suggests that deception helped to create this
windfall.
---------------------------------------------------------------------------
\2\ Richard Waters, Zoom to cash in on pandemic success with
apps and events, Financial Times (Oct. 14, 2020), https://www.ft.com/content/f1731672-e965-48a1-9362-bab122fc9bf4.
---------------------------------------------------------------------------
With businesses, families, schools, and even governments using Zoom
to share extremely sensitive information, the alleged security
vulnerabilities of this video conferencing platform raise major
concerns, including threats to our privacy \3\ and national
security.\4\
---------------------------------------------------------------------------
\3\ In her voting statement, Commissioner Rebecca Kelly
Slaughter details some of the key intersections between privacy and
security.
\4\ Sonam Sheth, Foreign intelligence operatives are reportedly
using online platforms and video-conferencing apps like Zoom to spy
on Americans, Business Insider (Apr. 9, 2020), https://www.businessinsider.com/foreign-intelligence-agents-china-spying-on-americans-zoom-2020-4.
---------------------------------------------------------------------------
Today, the Federal Trade Commission has voted to propose a
settlement with Zoom that follows an unfortunate FTC formula. The
settlement provides no help for affected users. It does nothing for
small businesses that relied on Zoom's data protection claims. And it
does not require Zoom to pay a dime. The Commission must change course.
Deception Distorts Competition
When companies need to act quickly to exploit an opportunity,
deploying deception to steal users or sales from competing players is
tantalizing. When video conferencing became a necessity for many
businesses and families, existing players saw a potential gold mine.
Even though we can all technically use multiple videoconferencing
platforms as participants, a videoconferencing provider's monetization
will largely be driven by how many businesses adopt its offering as
their enterprise videoconferencing solution.\5\ FTC prohibitions on
unfair or deceptive practices are supposed to temper the temptation to
deceive customers.
---------------------------------------------------------------------------
\5\ Zoom Video Communications, Inc., Oct. 2019 Quarterly Report
(Form 10-Q) (Dec. 9, 2019), https://www.sec.gov/ix?doc=/Archives/edgar/data/1585521/000158552119000059/zm-20191031.htm.
---------------------------------------------------------------------------
Before the pandemic, Zoom primarily focused on business customers.
Small and large businesses alike were looking for ways to connect with
clients and business partners through video conferencing. Zoom competed
with Microsoft's Skype, Microsoft's Teams, Cisco's WebEx, BlueJeans,
and many other products. Comparison guides point out the different
strong points of each service--from encryption to price.\6\ In the
summer of 2019, Zoom had over 600,000 customers that paid fees to use
Zoom's services.\7\ These customers were overwhelmingly small
businesses.\8\
---------------------------------------------------------------------------
\6\ Kari Paul, Worried about Zoom's privacy problems? A guide to
your video-conferencing options, The Guardian (Apr. 9, 2020),
https://www.theguardian.com/technology/2020/apr/08/zoom-privacy-video-chat-alternatives.
\7\ Compl., In the Matter of Zoom Video Communications, Inc.,
Comm'n File No. 1923167 (Nov. 9, 2020).
\8\ Id.
---------------------------------------------------------------------------
Small businesses often don't have employees dedicated to
information security or even to information technology more broadly.
That's why they rely on representations made by those they purchase
software and services from. Many businesses want to ensure that any
software application they use, including any video conferencing
solution, comes with meaningful security standards. Zoom had to respond
to this critical customer need if it was going to compete. Once the
pandemic shut down workplaces across the country, businesses needed to
find a reliable solution that was also secure. Many chose Zoom.\9\
---------------------------------------------------------------------------
\9\ Matt Torman, 5 Reasons Why Zoom Will Benefit Your Small
Business, Zoom (Jan. 24, 2020), https://blog.zoom.us/zoom-video-communications-small-business-benefits/.
---------------------------------------------------------------------------
Zoom sold its customers on the idea that it was an easy-to-use
service that took ``security seriously.'' However, when examining the
company's engineering and product decisions, a different reality
emerges. For example, as the complaint alleges, Zoom installed a web
server onto users' computers, without permission, as an end-run that
would circumvent a browser security feature--all to avoid an extra
dialogue box.\10\ Zoom went further: Even if you managed to uninstall
Zoom, it would not remove the web server.\11\ And that web server could
secretly re-install Zoom, even without your permission.\12\ This is not
just troubling conduct--this is what some have called ``malware-like''
behavior.\13\
---------------------------------------------------------------------------
\10\ Compl., supra note 7.
\11\ David Murphy, Remove Zoom From Your Mac Right Now,
LifeHacker (July 9, 2020), https://lifehacker.com/remove-zoom-from-your-mac-right-now-1836209383.
\12\ Id.
\13\ Jacob Kastrenakes, Zoom saw a huge increase in
subscribers--and revenue--thanks to the pandemic, The Verge (June 2,
2020), https://www.theverge.com/2020/6/2/21277006/zoom-q1-2021-earnings-coronavirus-pandemic-work-from-home.
---------------------------------------------------------------------------
This fervent attention to detail--going to great lengths to avoid a
single dialogue box--did not extend to the security features it touted
in sales materials.\14\ The FTC's complaint details a litany of serious
security allegations, from not using what is ``the commonly accepted
definition'' of end-to-end encryption to being a year or more behind in
patching software in its commercial environment.\15\
---------------------------------------------------------------------------
\14\ Compl., supra note 7.
\15\ Michael Lee & Yael Grauer, Zoom Meetings Aren't End-to-End
Encrypted, Despite Misleading Marketing, The Intercept (Mar. 31,
2020), https://theintercept.com/2020/03/31/zoom-meeting-encryption/;
Compl., supra note 7; Oded Gal, The Facts Around Zoom and Encryption
for Meetings/Webinars, Zoom (Apr. 1, 2020), https://blog.zoom.us/facts-around-zoom-encryption-for-meetings-webinars/.
---------------------------------------------------------------------------
Zoom's Windfall
Zoom has ``cashed in'' on the pandemic.\16\ While Zoom doesn't
publicly share its total number of users, the company has confirmed
that it has nearly four times the number of customers with 10 or more
employees than they had at this time a year ago.\17\ Their stock value
has soared.\18\ Zoom's CEO, Eric Yuan, has increased his net worth by
almost $16 billion since March, and is now one of the wealthiest
individuals in America.\19\
---------------------------------------------------------------------------
\16\ Richard Waters, Zoom to cash in on pandemic success with
apps and events, Financial Times (Oct. 14, 2020), https://www.ft.com/content/f1731672-e965-48a1-9362-bab122fc9bf4.
\17\ Id.
\18\ Id.
\19\ Taylor Nicole Rogers, Meet Eric Yuan, the founder and CEO
of Zoom, who has made over $12 billion since March and now ranks
among the 400 richest people in America, Business Insider (Sep. 9,
2020), https://www.businessinsider.com/meet-zoom-billionaire-eric-yuan-career-net-worth-life; Kerry A. Dolan et al., The Forbes 400:
The Definitive Ranking of the Wealthiest Americans in 2020, Forbes
(Sep. 8, 2020), https://www.forbes.com/profile/eric-yuan/?list=forbes-400&sh=474b78c761bf.
---------------------------------------------------------------------------
Zoom can now use this new market penetration to increase
monetization for users who currently do not pay any fees. With the
pandemic-driven expansion, Zoom has announced that they're going to
make a platform pivot and begin to offer an app marketplace and a paid
events platform.\20\ Zoom disclosed to its investors how a shift to a
``platform and sales model allow[s] us to turn a single non-paying user
into a full enterprise deployment.'' \21\
---------------------------------------------------------------------------
\20\ Supra note 16.
\21\ Zoom Video Communications, Inc., Quarterly Report (Form S-
1) (Dec. 21, 2018), https://www.sec.gov/Archives/edgar/data/1585521/000095012318012479/filename1.htm.
---------------------------------------------------------------------------
Zoom stands ready to emerge as a tech titan. But we should all be
questioning whether Zoom and other tech titans expanded their empires
through deception.\22\ Zoom could have taken the time to ensure that
its security was up to the right standards. But, in my view, Zoom saw
the opportunity for massive growth by quickly leaping into the consumer
market, allowing it to rapidly emerge as the new way to virtually
celebrate birthdays and weddings and
[[Page 72654]]
further solidify itself into our lives. But had Zoom followed the law,
it might all be different.
---------------------------------------------------------------------------
\22\ Decision and Order, In the Matter of Google Inc., Comm'n
File No. 1023136 (Oct. 24, 2011), https://www.ftc.gov/sites/default/files/documents/cases/2011/03/110330googlebuzzagreeorder.pdf;
Decision and Order, In the Matter of Facebook, Inc., Comm'n File No.
0923184 (July 27, 2012), https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120810facebookdo.pdf.
---------------------------------------------------------------------------
Status Quo Approach to Privacy and Security Settlements
In matters like these, investigations should seek to uncover how
customers were baited by any deception, how a company gained from any
misconduct, and the motivations for this behavior. This approach can
help shape an effective remedy. While deciding to resolve a matter
through a settlement, regulators and enforcers must seek to help
victims, take away gains, and fix underlying business incentives.
Of course, all settlements involve tradeoffs, but like other FTC
data protection settlements, the FTC's proposed settlement with Zoom
accomplishes none of these objectives. This is particularly troubling
given the nature of the alleged deception. Key features of the FTC's
proposed settlement include:
No help. Small businesses that purchased Zoom services or signed
long-term contracts based on false representations are not even
addressed in the Commission's order. They will not have the ability to
be released from any contracts, seek refunds, or get credit toward
future service. Similarly, Zoom's law-abiding competitors and other
consumers affected by the alleged misconduct will not get anything to
address how they were harmed.
No notice. The targets of deception deserve the dignity of knowing
that the product they were using did not use the security features that
were advertised. Notice also provides information on whether or not
users need to take any specific further actions to protect themselves
or their place of business. This is especially critical in cases where
individuals may not know if they are affected. In this matter, Zoom's
technology was integrated into white label products that may not use
Zoom's brand. Notice is also helpful when victims receive no
restitution.
No money. In my view, the evidence is clear that Zoom obtained
substantial benefits through its alleged conduct. However, the
resolution includes no monetary relief at all, despite existing FTC
authority to seek it in settlements when conduct is dishonest or
fraudulent. If the FTC was concerned about its ability to seek adequate
monetary relief, it could have partnered with state law enforcers, many
of whom can seek civil penalties for this same conduct.
No fault. The Commission's order includes no findings of fact or
liability. In other words, Zoom admits nothing and the Commission's
investigation makes no significant conclusions. This will make it more
difficult for affected parties to exercise any contractual rights or
seek help through private actions.
Earlier this year, after a number of security concerns emerged, the
Attorney General of New York quickly took action, and Zoom signed a
voluntary compliance agreement, which requires certain third-party
reports and compliance with additional standards.\23\ The FTC's
proposed settlement terms add some requirements to what Zoom has
already agreed to with New York, largely involving additional
independent monitoring and paperwork submissions. It is not clear to me
that these new obligations are actually changing the way Zoom does
business. In fact, Zoom may already be retaining third parties to
assist with compliance as part of its contractual obligations with its
largest customers.
---------------------------------------------------------------------------
\23\ Press Release, N.Y. Att'y Gen., Attorney General James
Secures New Protections, Security Safeguards for All Zoom Users (May
7, 2020), https://ag.ny.gov/press-release/2020/attorney-general-james-secures-new-protections-security-safeguards-all-zoom-users.
---------------------------------------------------------------------------
Recommendations To Restore Credibility
To protect the public and promote fair markets, the FTC must be a
credible law enforcement agency, especially when it comes to large
players in digital markets. Our recent law enforcement actions raise
questions that warrant careful attention if we aspire to be an
effective enforcer. Below are some of the tangible steps the Commission
should pursue:
1. Strengthen orders to emphasize more help for individual
consumers and small businesses, rather than more paperwork.
When consumers and small businesses are the targets of unlawful
data protection practices, the FTC's status quo approach often involves
requiring the company engaged in misconduct to follow the law in the
future and submit periodic paperwork. In certain orders, the Commission
requires the retention of a third-party assessor, which the company
might already be doing.
The FTC should focus its efforts on ensuring resolutions lead to
meaningful help and assistance to affected consumers and small
businesses. For example, the Commission could seek requirements that
defendants respond to formal complaints and inquiries. This assists
consumers while also allowing the Commission to track emerging harms
and how the company is remediating them.
Another way to help affected consumers and businesses is to order
releases from any long-term contractual arrangements. When customers
are baited with deceptive claims, it would be appropriate to allow them
to be released from any contract lock-in or otherwise amend contractual
terms to make customers whole. This would also help honest competitors
regain some of the market share improperly diverted by deceptive
conduct.
The Commission should seek notices to affected parties, so that
these individuals and businesses can determine whether they need to
take any action and whether they want to continue to do business with a
company that engaged in any wrongdoing.
2. Investigate firms comprehensively across the FTC's mission.
The FTC is a unique institution with legal authorities related to
data protection, consumer protection, and competition, all under one
roof, rather than divided up across multiple agencies. It is critical
that the agency use its authority to deter unfair or deceptive conduct
in conjunction with our authority to deter unfair methods of
competition. The agency can do more to comprehensively use its
authorities across its mission, particularly when unfair or deceptive
practices can advance dominance in digital markets. When we do not,
investigations may result in ineffective resolutions that fail to fix
the underlying problems and may increase the likelihood of recidivism.
The Commission may need to reorganize its offices and divisions to
ensure investigations are comprehensive.
3. Diversify the FTC's investigative teams to increase technical
rigor.
Engineers, designers, and other technical experts can offer major
contributions to our investigative teams. Many of the cases previously
pursued by the FTC were the result of press coverage from technical
experts, especially security researchers. In fact, an independent
researcher working in his private capacity was one of the first to
discover a serious vulnerability in Zoom's product.\24\
---------------------------------------------------------------------------
\24\ The independent research solicited readers for
contributions to assist with his work and pay off his student loans.
Jonathan Leitschuh, Zoom Zero Day: 4+ Million Webcams & maybe an
RCE? Just get them to visit your website!, InfoSec Write-Ups (July
8, 2019), https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5.
---------------------------------------------------------------------------
Many of our peer agencies around the world approach investigations
with diverse, interdisciplinary teams. Unfortunately, the Commission
has deprived our litigators and enforcement
[[Page 72655]]
attorneys of this needed expertise. The Commission should restore the
role of the Chief Technologist and make a concerted effort to increase
the proportion of technologists and others with technical knowledge in
our investigative teams. If these individuals play meaningful
leadership roles in our investigations, the agency can be much more
effective.
With these technical skills and leadership in place, the Commission
could proactively review the dominant digital products and services
rather than primarily following up on concerning media reports after
sensitive information or access has been at risk.
4. Restate existing legal precedent into clear rules of the road
and trigger monetary remedies for violations.
Markets benefit when there are simple, clear rules of the road.
This allows honest businesses to know what is and is not permissible.
This especially helps small businesses and startups. On the other hand,
ambiguity helps large incumbents who can hire lawyers and lobbyists to
sidestep their obligations. The FTC can promote fair markets by
restating accepted legal precedent and past Commission experience
through an agency rulemaking. These would create no new substantive
obligations on market participants. But once restated and enforced,
violations trigger significant monetary relief.
Under the FTC Act, the Commission has a number of authorities to
seek monetary relief. While one of these authorities, Section 13(b), is
under considerable scrutiny in the courts, the Commission can also seek
money by restating existing legal precedent through a rulemaking. When
the Commission has issued prior orders for past misconduct in the
market or there is other information indicating a widespread pattern of
unfair or deceptive conduct, Section 18 of the FTC Act authorizes the
Commission to define what constitutes an unfair or deceptive practice
by rule. Violations of these rules can trigger liability for redress,
damages, penalties, and more.
Over the years, the Commission has finalized a substantial number
of orders related to data protection, including privacy and data
security. There have also been developments in case law in the courts.
The Commission should consider restating this past precedent into a
rule under Section 18 or other appropriate statutes to provide clear
guidance and systematically deter unlawful data protection
practices.\25\
---------------------------------------------------------------------------
\25\ Statement of Commissioner Rohit Chopra Regarding the Report
to Congress on Protecting Older Consumers, Comm'n File No. P144400
(Oct. 19, 2020), https://www.ftc.gov/system/files/documents/public_statements/1581862/p144400choprastatementolderamericansrpt.pdf.
---------------------------------------------------------------------------
5. Demonstrate greater willingness to pursue administrative and
federal court litigation.
Congress intended for the FTC to serve as an expert agency that
analyzes emerging business practices and determines whether they might
be unfair or deceptive. Administrative litigation and final Commission
orders can provide important guidance to the marketplace on the
agency's analytical approach. It can also serve as the basis for
triggering financial liability for other market actors, pursuant to the
Commission's Penalty Offense Authority.\26\
---------------------------------------------------------------------------
\26\ See Rohit Chopra & Samuel A.A. Levine, The Case for
Resurrecting the FTC Act's Penalty Offense Authority (Oct. 29,
2020), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3721256.
---------------------------------------------------------------------------
Federal court litigation pursued by our staff has contributed to
strong outcomes and important development of the law. For example, in
2012, the FTC took action against Wyndham Hotels, a major hospitality
chain the Commission charged with employing unfair data practices.
Wyndham Hotels waged an aggressive defense, challenging the FTC's
theories before the District Court and the Third Circuit Court of
Appeals. The court's ruling cemented the Commission's ability to target
lax data security practices under existing law.
The public benefits from the work of the FTC's talented
investigators and litigators across the agency, and as Commissioners,
we should have confidence that they can hold accountable even the
largest players in the economy. But recently, when it comes to data
protection, FTC Commissioners have rarely voted to authorize agency
staff to sue national players for misconduct. We must do more to
safeguard against any perception about the agency's unwillingness to
litigate.
6. Increase cooperation with international, federal, and state
partners.
When it comes to data protection abuses and other harmful practices
by large technology firms, these concerns are increasingly global. The
FTC can use its resources more effectively and obtain superior outcomes
when it cooperates with other law enforcement partners.
In the Ashley Madison matter, the FTC partnered with the Office of
the Privacy Commissioner of Canada, Office of the Australian
Information Commissioner, and many state attorneys general. This action
was the result of significant cooperation and ultimately led to a joint
resolution.\27\ Unfortunately, this is too rare.
---------------------------------------------------------------------------
\27\ Press Release, Fed. Trade Comm'n, Operators of
AshleyMadison.com Settle FTC, State Charges Resulting From 2015 Data
Breach that Exposed 36 Million Users' Profile Information (Dec. 14,
2016), https://www.ftc.gov/news-events/press-releases/2016/12/operators-ashleymadisoncom-settle-ftc-state-charges-resulting.
---------------------------------------------------------------------------
The FTC can rely on key provisions of the U.S. SAFE WEB Act that
allow the FTC to share information with foreign counterparts to combat
deceptive or unfair practices that cross national borders.
Domestically, agencies can form multistate working groups to combine
resources and leverage a diverse set of legal authorities.
In the matter before the Commission today, the conduct at issue
might have also violated state laws. Additional liability triggered by
these laws could have led to a resolution with a far superior outcome.
Instead, other law enforcement agencies both at home and abroad will
likely need to continue to scrutinize Zoom's practices, given the FTC's
proposed resolution.
In addition, the Commission needs to rethink its approach to
enforcing privacy promises by large technology firms related to their
participation in international agreements, such as the EU-U.S. Privacy
Shield Framework. Zoom's conduct may have violated key aspects of the
framework, and I believe the Commission should have taken action
accordingly. The Commission should now fully cooperate with our
international partners to ensure that they can proceed with appropriate
sanctions.
7. Determine whether third-party assessments are effective.
A common provision in FTC orders requires the defendant to retain a
third party to monitor compliance and the company's data protection
protocols. However, it is unclear whether those assessments are truly
effective when it comes to deterring or uncovering misconduct. For
example, in the FTC's investigation of Facebook for compliance with its
privacy obligations under a 2012 Commission order, the FTC alleged
major violations of the order even though an independent third party,
PriceWaterhouseCoopers (PwC), was supposedly watching over the
company's compliance.\28\
---------------------------------------------------------------------------
\28\ See Nitasha Tiku, Facebook's 2017 Privacy Audit Didn't
Catch Cambridge Analytica, Wired (Apr. 19, 2018), https://www.wired.com/story/facebooks-2017-privacy-audit-didnt-catch-cambridge-analytica/; See also Dissenting Statement of Commissioner
Rohit Chopra In re Facebook, Inc., Comm'n File No. 1823109 (July 24,
2019), https://www.ftc.gov/system/files/documents/public_statements/1536911/chopra_dissenting_statement_on_facebook_7-24-19.pdf.
---------------------------------------------------------------------------
[[Page 72656]]
Additionally, the Commission's decision to not proactively make
certain information about these third party reports public limits our
ability to determine their effectiveness.\29\ If independent
researchers and journalists--often the ones who originally discovered
data protection failures in the first place--had access to these
reports, companies and third-party monitors might take them more
seriously, which would help to fulfill the intended purpose of their
efforts.
---------------------------------------------------------------------------
\29\ Statement of Commissioner Rohit Chopra In the Matter of
Uber Technologies, Inc., Comm'n File No. 1523054 (Oct. 26, 2018),
https://www.ftc.gov/system/files/documents/public_statements/1418195/152_3054_c-4662_uber_technologies_chopra_statement.pdf.
---------------------------------------------------------------------------
Conclusion
This year families have said their final goodbyes to loved ones
over Zoom.\30\ Desperate parents have propped their children in front
of screens for school and hoped that they won't fall too far
behind.\31\ Small businesses have been turned upside down by our new
way of life and have fought for a chance at survival by switching to
doing business virtually.\32\ But when tech companies cheat, rather
than compete, and then face no meaningful accountability, all of us
suffer.
---------------------------------------------------------------------------
\30\ Sarah Zhang, The Pandemic Broke End-of-Life Care, The
Atlantic (June 16, 2020), https://www.theatlantic.com/health/archive/2020/06/palliative-care-covid-19-icu/613072/.
\31\ Heather Kelly, Kids used to love screen time. Then schools
made Zoom mandatory all day long., Wash. Post (Sep. 4, 2020),
https://www.washingtonpost.com/technology/2020/09/04/screentime-school-distance/.
\32\ Justin Lahart, Covid Is Crushing Small Businesses. That's
Bad News for American Innovation., Wall Street J. https://www.wsj.com/articles/covid-is-crushing-small-businesses-thats-bad-news-for-american-innovation-11602235804.
---------------------------------------------------------------------------
I am concerned that Zoom simply thought that the FTC's law
enforcement inquiry wasn't serious. That's probably why the company
didn't even bother to disclose the agency's inquiry to its
investors.\33\ The company seemed to guess that the FTC wouldn't do
anything to materially impact their business. Sadly, for the public,
they guessed right. Given the company's approach, efforts to hold Zoom
accountable by regulators and enforcers in the U.S. and abroad will
clearly need to continue.
---------------------------------------------------------------------------
\33\ Zoom Video Communications, Inc., July 2020 Quarterly Report
(Form 10-Q) (Sep. 3, 2020), https://www.sec.gov/ix?doc=/Archives/edgar/data/1585521/000158552120000238/zm-20200731.htm. When publicly
traded firms do not disclose to their investors that they are facing
a federal law enforcement inquiry, this suggests that they do not
believe the inquiry is material to their financial or operational
performance.
---------------------------------------------------------------------------
Finally, the Federal Trade Commission has requested greater
authority from Congress to protect Americans from abuse and misuse of
personal data. But, actions like today's proposed settlement undermine
these efforts. The agency must demonstrate that it is willing to use
all of its existing tools to protect consumers and the market. Only
then will the Commission be entrusted to take on more responsibilities.
It is critical that we restore the agency's credibility deficit
when it comes to oversight of the digital economy. This does not stem
from a lack of authority or resources or capabilities from our staff--
it stems from the policy and enforcement approach of the Commission,
and this needs to change.
For these reasons, I respectfully dissent.
Dissenting Statement of Commissioner Rebecca Kelly Slaughter
Most weekday mornings, my two elementary-age children log on to
school through Zoom. Their faces, voices, and occasional silliness are
all captured in the Zoom classroom. I try not to dwell on what might
occasionally float through in the background of their camera or
microphone, but, like many families, we've had moments in our home
where we are very much live. After my older kids settle in for class,
my own workday begins in earnest and typically involves a series of
confidential discussions often made possible through a Zoom meeting. My
experience is not unique: Zoom expanded from 10 million daily users
last December to over 300 million daily participants this spring.
Zoom's overnight expansion from a modest video conferencing company to
a company providing critical infrastructure for business, government,
education, and social connection raises important questions for the
Commission's obligations to protect consumer security and privacy.
Years before the global pandemic would make Zoom a household name,
the company made decisions that threatened the security and privacy of
its longstanding core business customers. Yet the Commission's proposed
settlement provides no recourse for these paying customers. When Zoom's
user base rapidly expanded, its failure to prioritize privacy and
security suddenly posed a much more serious risk in terms of scope and
scale. This proposed settlement, however, requires Zoom only to
establish procedures designed to protect user security and fails to
impose any requirements directly protecting user privacy. For a company
offering services such as Zoom's, users must be able to trust that the
company is committed to ensuring security and privacy alike.
Because the proposed resolution fails to require Zoom to address
privacy as well as security, and because it fails to require Zoom to
take any steps to correct the deception we charge it perpetrated on its
paying clients, I respectfully dissent.\1\
---------------------------------------------------------------------------
\1\ See Complaint ]] 16-33.
---------------------------------------------------------------------------
Zoom's Practices
As set forth in the Commission's complaint, Zoom engaged in a
series of practices that undermined the security and privacy of its
users. First, we allege Zoom made multiple misrepresentations about its
use of encryption. As charged in the complaint, Zoom made false
statements about its encryption being ``end-to-end,'' the level of
encryption that it offered, and the time it took to store recorded
meetings in an encrypted server.\1\
Zoom's problematic conduct was not limited to deception. The
complaint charges that beginning in July 2018, Zoom secretly and
unfairly deployed a web server, called the ``ZoomOpener,'' to
circumvent certain Apple privacy and security safeguards enjoyed by
Safari browser users. Because of these safeguards, Safari users who
clicked on a link to join a Zoom meeting would receive an additional
prompt that read, ``Do you want to allow this page to open `zoom.us'?''
\2\ That is until, we allege, Zoom overrode this feature through its
secret ZoomOpener, which bypassed the Safari safeguard to directly
launch the Zoom App.\3\ The user was then automatically placed in the
Zoom meeting, and, if the user had not changed her default video
settings, her webcam was activated.\4\
---------------------------------------------------------------------------
\2\ Complaint ] 35. If the user selected ``Allow,'' the browser
would connect the user to the Zoom meeting. Id. This safeguard was
not specific to Zoom; Apple had designed its Safari browser to help
defend its users from malicious actors and popular malware by
requiring interaction with a dialogue box whenever any website or
link attempted to launch an outside app. Id. at ] 34.
\3\ Id. at ] 36.
\4\ Id. at ] 37.
---------------------------------------------------------------------------
In addition to these unfair and deceptive practices, which the
Commission charged as law violations, there has been extensive public
reporting on several other Zoom practices that raised serious privacy
concerns. For example, Zoom business customers who subscribed to a
service called ``LinkedIn Sales Navigator'' had access to LinkedIn
profile data about other users in a meeting--even when the other user
wished to remain
[[Page 72657]]
anonymous.\5\ Additionally, Security researchers found that Zoom-
meeting video recordings saved on Zoom's cloud servers had a
predictable URL structure and were thus easy to find and view.\6\ And
of course there was widespread coverage of ``Zoom-bombing,'' in which
uninvited users crashed Zoom meetings.\7\ Zoom took steps to address
these vulnerabilities after they surfaced by changing naming
conventions, permanently removing the LinkedIn Sales Navigator app,\8\
and requiring meeting passwords as the default setting for more Zoom
users,\9\ but these problems suggest Zoom's approach to user privacy
was fundamentally reactive rather than proactive.
---------------------------------------------------------------------------
\5\ See Aaron Krolik and Natasha Singer, A Feature on Zoom
Secretly Displayed Data From People's LinkedIn Profiles, N.Y. Times
(Apr. 2, 2020), https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html. Zoom subsequently stated that it had disabled
the feature.
\6\ See Paul Wagenseil, Zoom security issues: Here's everything
that's gone wrong (so far), Tom's Guide (Nov. 3, 2020), https://www.tomsguide.com/news/zoom-security-privacy-woes.
\7\ See Jay Peters, Zoom adds new security and privacy measures
to prevent Zoombombing, The Verge (Apr. 3, 2020), https://www.theverge.com/2020/4/3/21207643/zoom-security-privacy-zoombombing-passwords-waiting-rooms-default.
\8\ See Eric S. Yuan, A Message To Our Users, Zoom Blog (Apr. 1,
2020), https://blog.zoom.us/a-message-to-our-users/.
\9\ See Deepthi Jayarajan, Enhanced Password Capabilities for
Zoom Meetings, Webinars & Cloud Recordings, Zoom Blog (Apr. 14,
2020), https://blog.zoom.us/enhanced-password-capabilities-for-zoom-meetings-webinars-cloud-recordings/.
---------------------------------------------------------------------------
Lack of Privacy Protections
Too often we treat data security and privacy as distinct concerns
that can be separately preserved. In reality, protecting a consumer's
privacy and providing strong data security are closely intertwined, and
when we solve only for one we fail to secure either. The Commission's
proposed order resolving its allegations against Zoom requires the
company to establish an information-security program and submit to
related independent third-party assessments. These provisions strive to
improve data-security practices at the company and to send a signal to
others regarding the baseline for adequate data-security
considerations. Nowhere, however, is consumer privacy even mentioned in
these provisions. This omission reflects a failure by the majority to
understand that the reason customers care about security measures in
products like Zoom is that they value their privacy.
Some might argue that sound data security practices should
naturally guarantee consumer privacy. I disagree. Strong security is
necessary for consumer privacy, but it does not guarantee its
achievement. Zoom's launch of its ``ZoomOpener'' to undermine the Apple
Safari browser protections is an instructive example. Zoom prioritized
maintaining its one-click functionality for users over privacy and
security protections offered by Apple. The Commission's proposed order
tries to solve for this problem solely as a security issue and makes it
difficult for Zoom to bypass third-party security features in the
future. But the order does not address the core problem: Zoom's
demonstrated inclination to prioritize some features, particularly ease
of use, over privacy protections. Dumping Safari users automatically
into a Zoom meeting, with their camera on, the first time they clicked
on a link was not only a data-security failing--it was a privacy
failing.
Similarly, we often discuss data encryption as a security issue,
which of course it is, but we should simultaneously be recognizing it
as a privacy issue. When customers choose encrypted communications, it
is because they value their privacy in the content of their
conversations. Treating encryption failures as a security-only issue
fails to recognize the important privacy implications.
The FTC has approached privacy and security issues with related but
distinct remedies: by imposing a comprehensive privacy program (as we
did in FTC v. Uber) or by imposing a comprehensive information security
program (as we did in FTC v. Equifax). This case provides a perfect
example of a place where we ought to have required elements of both
privacy and security programs. A more effective order would require
Zoom to engage in a review of the risks to consumer privacy presented
by its products and services, to implement procedures to routinely
review such risks, and to build in privacy-risk mitigation before
implementing any new or modified product, service, or practice. The
Commission required this type of privacy-focused inquiry in the
``Privacy Review Statement'' provisions of its order in the FTC v.
Facebook matter.\10\ Privacy-focused provisions such as these should
either be added to relevant data-privacy orders as a separate privacy
program or review, or the Commission's information security programs
should be modified to better integrate privacy and security.
---------------------------------------------------------------------------
\10\ To be clear, I am not suggesting that Zoom's conduct giving
rise to this matter and Facebook's order violations are equivalents.
Nor do the companies share similar business models. But in terms of
the importance of consumer privacy, hundreds of millions of users
are entrusting Zoom with some of their most sensitive interactions,
and they are doing so from their homes.
---------------------------------------------------------------------------
When companies offer services with serious security and privacy
implications for their users, the Commission must make sure that its
orders address not only security but also privacy.
No Recourse for Customers
As of July 2019, Zoom had approximately 600,000 paying customers,
and approximately 88% of those customers were small businesses with ten
or fewer employees.\11\ In securing these customers, the Commission
charges that Zoom made express representations regarding its encryption
offerings that were false. Yet, the proposed order does not require
Zoom to take any steps to mitigate the impact of these statements we
contend are false. Zoom is not required to offer redress, refunds, or
even notice to its customers that material claims regarding the
security of its services were false. This failure of the proposed
settlement does a disservice to Zoom's customers, and substantially
limits the deterrence value of the case.
---------------------------------------------------------------------------
\11\ Complaint ] 9.
---------------------------------------------------------------------------
Finally, I join Commissioner Chopra's call for the Commission to
engage in critical reflection to strengthen our enforcement efforts
regarding technology across the board--from investigation to
resolution.\12\
---------------------------------------------------------------------------
\12\ Commissioner Chopra's dissenting statement sets forth an
excellent list of Recommendations and Corrective Actions for the
Commission to consider to improve the effectiveness of our
enforcement efforts.
[FR Doc. 2020-25130 Filed 11-12-20; 8:45 am]
BILLING CODE 6750-01-P
