FTC, Zoom Reach Deal To Settle Claims Over Security Failings

By Allison Grande

Law360 (November 9, 2020, 5:20 PM EST) -- Zoom agreed Monday to boost its data security practices to resolve Federal Trade Commission claims that it deceived users about its encryption and secretly installed software that circumvented a browser security safeguard, as the agency's two Democratic commissioners blasted the deal for not going far enough.

The settlement, which the commission voted 3-2 along party lines to accept, concludes a more than yearlong FTC investigation into allegations that Zoom Video Communications Inc. engaged in a series of deceptive and unfair practices that both undermined security and promoted a false sense of safety among its users. That population has skyrocketed due to the COVID-19 pandemic, from 10 million daily users in December 2019 to 300 million in April, according to the FTC.

While the commission lacks the power to impose monetary penalties for alleged first-time violations of the FTC Act, the settlement contains a range of injunctive relief, including requiring the company to annually assess and document any potential security risks and develop ways to protect against these vulnerabilities; to refrain from making misrepresentations about how it collects, uses or discloses personal information or the security features it offers; and to obtain biennial assessments of its security program by an independent third party for the next 20 years.

"This will all help to make sure that privacy and data security are among the highest priorities for Zoom's management," FTC Bureau of Consumer Protection Director Andrew Smith told reporters during a conference call Monday.

He added that the enforcement action "has implications beyond Zoom" and should send the message to "all companies that they need to live up to their privacy and security promises and respect security protections built into operating systems and browsers."

In a statement Monday, Zoom noted that it had "already addressed the issues" raised by the FTC through the flurry of changes it has made in recent months to boost privacy and security as criticism has mounted over the way the service protects conversations from "Zoombombing" and other unwanted intrusions as well as how it shares data with third parties such as Facebook. The company stressed that it was "proud of" these advancements and that the latest deal with the FTC was consistent with its "commitment to innovating and enhancing our product as we deliver a secure video communications experience."

"The security of our users is a top priority for Zoom," the company added. "We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs."

The FTC's two Democrats, Commissioners Rohit Chopra and Rebecca Kelly Slaughter, slammed the agreement in separate dissenting statements.

"Zoom's alleged security failures warrant serious action," Chopra wrote. "But the FTC's proposed settlement includes no help for affected parties, no money, and no other meaningful accountability."

Chopra asserted that, judging by Zoom's decision to refrain from disclosing the FTC's inquiry to its investors, the company appeared to think that the commission's probe "wasn't that serious."

"The company seemed to guess that the FTC wouldn't do anything to materially impact their business," Chopra said. "Sadly, for the public, they guessed right."

Chopra, who claimed that the commission hadn't achieved any notable relief beyond what New York's attorney general was already able to secure in a similar deal with Zoom this year, asserted that this outcome was a result of the FTC's "status quo approach to privacy, security and other data protection law violations," which he deemed "ineffective." He argued that it was time for the commission to "change course," recommending that to "restore credibility," the FTC must take steps such as crafting settlement terms that would more directly benefit consumers, broaden investigations to look into other violations that might trigger monetary penalties, and "demonstrate greater willingness" to take matters to court rather than settle. 

"When it comes to data protection, FTC commissioners have rarely voted to authorize agency staff to sue national players for misconduct," Chopra wrote. "We must do more to safeguard against any perception about the agency's unwillingness to litigate."

In her dissenting statement, Slaughter took issue with the settlement's failure to impose any requirements directly protecting users' privacy, and not just their security, while using the service.

"Some might argue that sound data security practices should naturally guarantee consumer privacy," Slaughter said. "I disagree. Strong security is necessary for consumer privacy, but it does not guarantee its achievement."

FTC Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson, all Republicans, defended the deal in a majority statement issued alongside the dissents Monday, saying that the deal provided "immediate and important relief to consumers" while ensuring that Zoom would "prioritize consumers' privacy and security" moving forward.

"Our dissenting colleagues suggest additional areas for relief that likely would require protracted litigation to obtain," they wrote. "Given the effective relief this settlement provides, we see no need for that."

Smith also addressed these criticisms in Monday's call with reporters, arguing that part of the strength of the Zoom deal was its ability to deliver relief quickly to the hundreds of millions of people who now use Zoom on a daily basis.

"Here we are providing strong injunctive relief in a timely way, while we can still use it," Smith said. "Had we litigated this case, we might have gotten more or different relief, but I bet we'd be having this conversation in 2022 rather than today."

According to the FTC, Zoom has misled users since at least 2016 by claiming it offered "end-to-end, 256-bit encryption" that secures communications so that only the sender and recipients can access the content, when it was actually deploying less secure 128-bit encryption to protect conversations, including sensitive discussions about health and financial issues.

Zoom also falsely claimed that recorded meetings that users wanted to store on the company's cloud storage were immediately encrypted after the meeting ended, even though some recordings were stored unencrypted for up to 60 days on Zoom's servers before being transferred to secure cloud storage, the FTC alleged.

Additionally, the FTC claimed that Zoom compromised users' security when it secretly installed software, called ZoomOpener web server, as part of a manual update for its Mac desktop application in July 2018 without implementing any offsetting measures to protect users' security.

The software, which allowed Zoom to automatically launch and join a user to a meeting and stayed on users' computers even after they deleted the Zoom app, worked by bypassing an Apple Safari browser safeguard that protected users from a common type of malware, thereby increasing users' risk of remote video surveillance by strangers, according to the FTC.

Apple removed the ZoomOpener web server from users' computers through an automatic update in July 2019, the FTC added.

Zoom was represented before the FTC by Travis LeBlanc of Cooley LLP.

The FTC was represented by Bureau of Consumer Protection attorneys Linda Holleran Kopp, Ryan Mehm and Caroline Schmitz.

The case is In the Matter of Zoom Communications Inc., file number 192-3167, before the Federal Trade Commission.

--Editing by Orlando Lorenzo.
