Zoom settles U.S. claims, agrees to boost security

Zoom Video Communications Inc. agreed to boost its security to settle claims it misled users about access to online meetings and other issues, the U.S. Federal Trade Commission said.

Since at least 2016, the videoconferencing platform, which skyrocketed in popularity this year because of coronavirus lockdowns, said it offered a higher level of encryption for its meetings than it actually did and also misled participants about the level of security for storing meeting recordings, the FTC alleged Monday in a statement.

"During the pandemic, practically everyone -- families, schools, social groups, businesses -- is using videoconferencing to communicate, making the security of these platforms more critical than ever," the director of the FTC's Bureau of Consumer Protection, Andrew Smith, said in the statement. "Zoom's security practices didn't line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected."

As part of the settlement proposal, Zoom will have to document and assess security risks every other year, develop ways to manage them, deploy more methods to protect against unauthorized access of the network and take other steps, including preventing "the use of known compromised user credentials," the FTC said.

The proposal will be opened to public comment for 30 days, after which the agency will decide whether to make it final.

Zoom said it has already put in place the security improvements required by the settlement with the commission.

"We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs," Zoom said in a statement. "We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC."

The settlement doesn't include a financial penalty against Zoom, but the officials said on a conference call that the company would be subject to civil penalties if it misrepresents its products in the future.

If the FTC had litigated claims against Zoom, "we would have gotten stronger relief, but we'd be having this conversation in 2022," Smith added.


The company's shares fell 17% to $413.24 in New York. Zoom had jumped more than sixfold this year through Friday's close, while its tally of daily meeting participants had surged to 300 million from 10 million.

FTC officials said the investigation of Zoom had been going for more than a year, though it was expanded in the spring when new allegations came to light.

Zoom had hoped that scrutiny over its security lapses was behind it. The company instituted a 90-day security plan on April 1, during which it froze development of other features not related to user privacy and safety. Zoom held public weekly meetings to discuss updates on its efforts, which focused principally on developing the end-to-end encryption it had long promised. End-to-end encryption is the highest level of data privacy available, in which no one outside the intended parties -- not even Zoom -- can decipher communications. The FTC alleged that claiming to have this form of encryption was one of Zoom's biggest deceptions. The company has also made it easier for hosts to assert control over meetings by screening, muting and kicking out uninvited guests or disruptors.

The vote was 3-2 to propose the agreement, with the commission's three Republicans voting for the settlement and the two Democratic commissioners, Rohit Chopra and Rebecca Kelly Slaughter, against, because it doesn't require refunds or other redress for affected customers.

Information for this article was contributed by Ben Brody and Nico Grant of Bloomberg News and by Marcy Gordon of The Associated Press.
