In re Zoom

Concerning Zoom's ability to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user.

• Background |
• Legal Documents |
• News

In July 2019, EPIC filed a complaint with the FTC alleging that Zoom had committed "unfair and deceptive practices" in violation of the FTC Act. According to EPIC, Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attacks.

EPIC has brought many similar consumer privacy complaints to the FTC, including the complaint that led to the FTC consent order against Facebook and the complaint that led to the FTC consent order against Google, which later produced a $22.5 m fine.

However, the FTC failed to act on EPIC's 2019 complaint against Zoom.

Top News

• EPIC, Coalition Urge FTC to Address Privacy in Zoom Settlement: EPIC, the Center for Digital Democracy, the Campaign for a Commercial-Free Childhood, the Parent Coalition for Student Privacy, and Consumer Federation of America today sent comments to the FTC urging the agency to address privacy in its proposed Consent Order with Zoom. The groups recommended that the FTC modify the Order to require Zoom to (1) implement a comprehensive privacy program; (2) obtain regular independent privacy assessments and make those assessments available to the public; (3) provide meaningful redress for victims of Zoom’s unfair and deceptive trade practices; and (4) ensure the adequate protection and limits on the collection of children’s data. In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April 2020, EPIC wrote to Chairman Simons urging the FTC to open an investigation. EPIC has long advocated for the creation of a U.S. data protection agency. (Dec. 14, 2020)
• FTC Fails to Address Privacy in Settlement with Zoom: The FTC has reached a settlement with Zoom requiring the company to address data security but fails to address user privacy. Writing in dissent, Commissioner Slaughter said, "When companies offer services with serious security and privacy implications for their users, the Commission must make sure that its orders address not only security but also privacy." Commissioner Chopra, also dissenting, wrote "The FTC’s status quo approach to privacy, security, and other data protection law violations is ineffective." In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April 2020, EPIC wrote to Chairman Simons urging the FTC to open an investigation. EPIC has long advocated for the creation of a U.S. data protection agency. (Nov. 9, 2020)

More top news

Zoom, Twitter Failures Highlight Discriminatory Impact of Facial Recognition + (Sep. 30, 2020)

A pair of recent discoveries about Zoom and Twitter's facial recognition algorithms highlights the discriminatory impact of such systems and reinforces EPIC's call for a moratorium on face surveillance. Technologist Colin Madland recently tweeted images showing that Zoom's facial recognition tool failed to recognize a black colleague's face when using a digital background–even though it easily identified Madland's face. In subsequent tweets from the same thread, it became apparent that Twitter's image preview system also had a strong bias toward centering images on white faces over black faces. Twitter said it had previously tested the system for bias, but the company will now "open source [its] work so others can review and replicate." A 2019 study from NIST of a majority of facial recognition vendors found significant rates of racial bias. In addition to calling for a moratorium on facial surveillance, EPIC advocates for algorithmic transparency and a comprehensive federal data privacy law.

In Reversal, Zoom Will Make Enhanced Encryption Available to All Users + (Jun. 18, 2020)

Zoom announced Wednesday that it will make enhanced encryption measures available to all users of the videoconferencing platform who provide a cell phone number—not just those who pay for the service. Earlier this month, Zoom said it would allow some of its users to fully encrypt their video communications, a response to the security and privacy flaws that EPIC and others have identified. But the company initially stated that Zoom administrators would retain the ability to access the real-time communications of non-paying users. Last year, EPIC sent a detailed complaint to the FTC citing numerous privacy and security flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April, EPIC urged the FTC to open an investigation. Zoom’s rollout of enhanced encryption follows a recent settlement with the New York Attorney General over the company’s consumer safeguards.

Zoom's Additional Encryption Measures Will Only Protect Paying Users + (Jun. 5, 2020)

The enhanced encryption measures announced by Zoom this week will only protect paying customers of the videoconferencing platform, according to the company’s CEO. Although Zoom said it will allow paying users to fully encrypt their video communications—a response to the security and privacy flaws that EPIC and others have identified—the platform will still be able to access the real-time communications of non-paying users. “Free users for sure we don't want to give [end-to-end-encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Zoom CEO Eric Yuan said. Last year, EPIC sent a detailed complaint to the FTC citing numerous privacy and security flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April, EPIC urged the FTC to open an investigation. Zoom’s announcement follows a recent settlement with the New York Attorney General over the company’s consumer safeguards.

New York AG Reaches Agreement with Zoom over Privacy Violations + (May. 8, 2020)

New York Attorney General Letitia James has announced an agreement with Zoom Video Communications following an investigation into Zoom's consumer safeguards. Zoom agreed to enhance encryption protocols, perform yearly penetration testing, and add privacy-enhancing features to its platform. The agreement also provides enhanced privacy controls for education accounts. Last month, EPIC urged the FTC to issue best practices for online conferencing.

EPIC Seeks Records About FTC's Investigation of Zoom + (Apr. 16, 2020)

EPIC has filed an urgent Freedom of Information Act request with the FTC seeking records about the status of the Zoom investigation. This week, FTC Commissioner Noah Phillips declined to say whether the agency is investigating Zoom. The Commissioner's statement follows widespread reporting on privacy and security problems with the video conferencing service. In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." Last week urged the FTC to open an investigation. In a recent letter to FTC Chairman Simons, Senator Sherrod Brown stated, "I believe that the company is engaging in deceptive practices by inaccurately advertising end-to-end encryption of its virtual meetings and putting consumers' information and privacy at risk."

EPIC Urges FTC to Investigate Zoom, Issue Best Practices for Online Conferencing + (Apr. 5, 2020)

In a letter to FTC Chairman Joe Simons, EPIC urged the FTC to "open an investigation of Zoom's business practices and to issue, as soon as practicable, Best Practices for Online Conferencing Services." The EPIC letter followed a 2019 complaint from EPIC warning that Zoom had "placed at risk the privacy and security of the users of its services." EPIC also explained to the FTC that Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." In the April 2020 letter to the Commission, EPIC reminded the Commission that it acted on similar complaints from EPIC concerning Facebook and Google but failed to act on the Zoom complaint. EPIC cited widespread reports of privacy and security flaws with the online conferencing service. EPIC wrote, "Now more than ever, the Federal Trade Commission has a responsibility to safeguard American consumers. We urge you to act."

State Attorneys General Investigate Zoom + (Apr. 3, 2020)

The Attorneys General from several states including New York, Connecticut, and Florida are investigating Zoom's privacy and security practices. The New York AG stated that she was "concerned that Zoom's existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network." Last year, EPIC filed a complaint about Zoom security practices with the Federal Trade Commission. EPIC explained that Zoom had "placed at risk the privacy and security of the users of its services." EPIC's 22-page analysis detailed how Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." The Federal Trade Commission failed to act on EPIC's 2019 Zoom complaint.

Senator Blumenthal Calls on Zoom to Address Privacy Issues + (Apr. 1, 2020)

Senator Richard Blumenthal has called on video conference platform Zoom to provide clear answers about its consumer data privacy rules and safety practices. "Zoom has a troubling history of software design practices and security lapses that have posed significant risks to the privacy and safety of its users," Senator Blumenthal said. Senator Blumenthal asked for responses to six questions by April 14, 2020. Last year, EPIC filed a complaint about Zoom security practices with the Federal Trade Commission. EPIC explained that Zoom had "placed at risk the privacy and security of the users of its services." EPIC's 22-page analysis detailed how Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." The Federal Trade Commission failed to act on EPIC's 2019 Zoom complaint.

EPIC Files Complaint with FTC about Zoom + (Jul. 11, 2019)

Today EPIC filed a complaint with the FTC alleging that the videoconferencing company Zoom has committed unfair and deceptive practices in violation of the FTC Act. According to EPIC, Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attacks. EPIC has brought many similar consumer privacy complaints to the FTC, including the complaint that led to the FTC consent order against Facebook and the complaint that led to the FTC consent order against Google. EPIC cited the Google order, which produced a $22.5 m fine, in the complaint concerning Zoom. EPIC, In re Zoom ("Concerning Zoom's ability to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user.”)

Background

Zoom Security Vulnerabilities

EPIC stated that Zoom is one of the largest service-providers in the video conferencing industry and is used by over 30,000 companies and over 40 million people worldwide. When a Mac-user installs the Zoom client, Zoom installs a localhost web server on the device without the user's knowledge. The localhost web server allows users to join Zoom meetings without manually launching the Zoom client, but also allows others to join users to Zoom meetings without their knowledge or consent. Zoom developed this technique to bypass a security feature in Safari 12, which required users to affirmatively choose to join a Zoom meeting.

The secret localhost web server interacts with every website a Zoom user visits. If Zoom users visit a website with an iframe embed, the Zoom localhost web server will automatically launch the Zoom app--even if a user has not clicked a Zoom meeting URL. Attackers can then deliberately place iframe embeds in their websites to enable Zoom users' cameras.

EPIC explained that even once the Zoom client has been uninstalled, the Zoom localhost web server remains. Zoom's localhost web server allows Zoom to update and secretly reinstall the app after a user clicks on a meeting URL.

Remote Access to Zoom Users' Webcams Without Consent

EPIC stated that even if a Zoom user does not opt-out of video, Zoom may enable the user's webcam and subject the user to remote surveillance. By default, when a user joins a Zoom call, her camera is turned on. Users can choose to opt-out in one of two ways: (1) by clicking "Turn off my video" when joining the meeting, or (2) by manually changing their default settings by clicking "Turn off my video when joining a meeting" under the "Video" tab. If a user does not opt out of video, the meeting host can choose whether a user's camera is turned on or off.

EPIC explained that video-on default vulnerability additionally allows hackers to launch DoS attacks against Zoom users. Zoom concedes that because of the vulnerability, a hacker could target a Zoom user with an endless loop of meeting join requests.

The FTC's Authority to Pursue Unfair and Deceptive Trade Practices

Section 5 of the FTC Act (15 U.S.C. S 45) prohibits unfair and deceptive acts and practices and empowers the Commission to enforce the Act's prohibitions. A company engages in a deceptive trade practice if it makes a representation to consumers yet "lacks a 'reasonable basis' to support the claims made[.]" A trade practice is unfair if it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."

Zoom Engaged in Unfair Trade Practices

EPIC stated that Zoom's security vulnerabilities constitute an unfair business practice because they are likely to cause substantial injury to customers, which is not reasonably avoidable by customers and not outweighed by countervailing benefits to consumers or to competition. Zoom provided conferencing services to thousands of consumers, surreptitiously forcing users to download its remote web server and turning on their video in conferences as a default, rather than with user consent. Zoom's actions placed users at risk of severe privacy violations, including remote surveillance or distribution of illicit photographs or location information obtained through users' Mac cameras.

Zoom Engaged in Deceptive Trade Practices

EPIC explained that Zoom made material misrepresentations that misled reasonable consumers regarding the security of the Zoom Client application. In addition to presenting Zoom Client as secure, Zoom did not make clear to consumers that the company would install a local web server that would bypass browser security settings and allow Zoom to reinstall the software without the user's consent. These misrepresentations were both likely to mislead and actually did mislead consumers.

Legal Documents

• EPIC’s FTC Complaint In re Zoom (filed July 11, 2019)

EPIC’s Complaint in the News

• Zoom has to pay $85 million to people for privacy issues. Here's how to claim your money, CNET, August 6, 2021
• Zoom Agrees To $85 Million Settlement Over Encryption, Data Sharing And Zoombombing, Media Post , August 3, 2021
• Zoom Inks $85M Deal To End Users' 'Zoombombing' Suits, Law 360, August 2, 2021
• Pomerantz Loses Bid To Replace Robbins Geller In Zoom Suit, Law360, April 13, 2021
• FTC Finalizes Zoom Settlement, Despite Acting Chair's Dissent, Media Post , February 2, 2021

More news

FTC Stands Behind Zoom Data Security Deal Despite Backlash, Law 360, February 2, 2021

FTC Should Impose Tougher Terms On Zoom, Open Technology Institute Says, Media Post , December 24, 2020

FTC's Zoom Deal Signals New Data Security Plan Under Dems, Law360, November 25, 2020

The road to reasonable security: What CISOs should know, Privacy Perspectives, September 3, 2020

Zoom Directors Accused of Knowingly Underplaying Security Risks in Shareholder Suit, Law.com, July 31, 2020

Zeroing in on Zoom’s Threat to Financial Services, Traders Magazine , April 16, 2020

Zoom rushes to improve privacy for consumers flooding its videoconference service, Seattle Times, April 9, 2020

Zoom Rushes to Improve Privacy for Consumers Flooding Its Service, New York Times, April 9, 2020

Shareholders Sue Zoom Over Privacy, Hacking Concerns, Law360, April 9, 2020

ZOOM GETS FEDERAL GOVERNMENT’S ATTENTION AS PRIVACY CONCERNS MOUNT, Vanity Fair, April 8, 2020

Zoom: Every security issue uncovered in the video chat app, CNET, April 7, 2020

Senator calls for federal investigation into Zoom’s ‘deceptive’ practices, Daily Dot, April 7, 2020

NYC Schools Drop Zoom As Privacy, Security Scrutiny Grows, Law360, April 7, 2020

Gov Scrutiny of Zoom, POLITICO Morning Cybersecurity, April 6, 2020

Zoom got popular during coronavirus. Now it’s facing scrutiny from advocacy groups, Daily Dot, April 6, 2020

FTC Urged To Investigate Zoom Over Privacy, MediaPost, April 6, 2020

Zoom got popular during coronavirus. Now it’s facing scrutiny from advocacy groups, Daily Dot, April 6, 2020

Zoom looks to reframe its narrative in the Beltway, POLITICO Morning Tech, April 6, 2020

‘Explosion’ in Distance-Learning Tech Use Sparks Privacy Worries, Bloomberg, April 6, 2020

Everybody seems to be using Zoom. But its security flaws could leave users at risk., Washington Post, April 3, 2020

Zoom security flaws could leave people at risk, say experts, IOL, April 3, 2020

Why Most Should Avoid The ‘Out Of Control’ Zoom Right Now, Forbes, April 2, 2020

Zoom è sotto inchiesta negli Usa per problemi di privacy, AGI, April 1, 2020

US authorities scrutinise Zoom’s practices as app sees traffic surge, Irish Times, March 30, 2020

Zoom privacy practices under scrutiny by N.Y. attorney general, Seattle Times, March 30, 2020

New York Attorney General Looks Into Zoom’s Privacy Practices, New York Times, March 30, 2020

The surveillance profiteers of COVID-19 are here, Engadget, March 27, 2020

Massive Shift to Remote Learning Prompts Big Data Privacy Concerns, Edweek.org, March 26, 2020

Zoom is watching you. Here’s what you can do about it, Decrypt, March 23, 2020

Using Zoom? Here are the privacy issues you need to be aware of, Security Boulevard, March 20, 2020

As schooling rapidly moves online across the country, concerns rise about student data privacy, Washington Post, March 20, 2020

Video Calling Prompts Privacy Concerns as Pandemic Drives Work, Education Online, Morning Consult, March 17, 2020

Working From Home? Zoom Tells Your Boss If You're Not Paying Attention, Vice, March 16, 2020

Student privacy laws still apply if coronavirus just closed your school, Ars Technica, March 12, 2020

From Your Mouth to Your Screen, Transcribing Takes the Next Step, New York Times, October 2, 2019

The New Ways Your Boss Is Spying on You, Wall Street Journal, July 19, 2019

EPIC asks FTC To Investigate Zoom, Decipher, July 15, 2019

Zoom in closer, POLITICO Morning Tech, July 12, 2019