The FTC again splits on a data security and privacy action. The popular online video call platform needs to revamp its data security practices or face considerable future liability.
The Federal Trade Commission (FTC) split along party lines to approve a settlement with Zoom to resolve allegations that the video messaging platform violated the FTC Act’s ban on unfair and deceptive practices in commerce. Zoom agreed to a consent order mandating a new information security program, third-party assessments, prompt reporting of covered incidents and other requirements over a period of 20 years. The two Democratic Commissioners voted against the settlement and dissented, arguing that it did not punish the abundant wrongdoing and will not dissuade future offenders.
In the complaint, the FTC asserted there is evidence proving that Zoom lied in its claims that it used end-to-end encryption (it didn’t), used AES 256-bit encryption (it used 128-bit encryption, which is much easier to hack), and stored recordings encrypted on its servers (it didn’t until 60 days after recording, when they were moved to the cloud and encrypted). The FTC labeled each of these a deceptive practice that violated Section 5 of the FTC Act and provided extensive evidence that Zoom committed all these offenses. But the worst violation may have been Zoom’s decision to circumvent a security feature in Apple’s Safari browser in the interest of allowing people to join a call with one click. Apple had installed a feature in Safari and other of its applications that notifies users when a clicked link (like one to a Zoom call) is going to take the person to a website or launch a non-Apple app. This feature was designed to address attacks via malware that launches automatically upon clicking a link or attackers seeking to penetrate a computer the same way. Apparently, Zoom did not like this, so the company essentially designed malware that defeated this feature of Safari and placed it on the computers of Mac users without notice or consent. The FTC called this a fraudulent act in violation of Section 5.
The FTC also found systemic data security vulnerabilities in the company’s internal network that would have allowed malicious actors untrammeled access to sensitive user information. Moreover, contractors and service providers with access to Zoom’s networks were not subject to oversight. Also, software patches were not applied in a timely fashion, making it all the more likely that malicious parties could penetrate the company’s networks.
The FTC drafted a consent order, which Zoom signed without admitting any guilt, that will require the company to honestly represent its security practices, implement effective information security practices, undergo periodic third-party assessments, submit an annual certification that the company is complying, send compliance reports to the agency, and alert the FTC if there is a breach of Zoom’s security that affects more than 500 users and triggers reporting requirements to a federal or state agency. As mentioned, this consent order is to last for 20 years, and in the event of any violations, the FTC can go to court and seek monetary damages for Zoom being in contempt of the order. This is the usual means by which the FTC can obtain civil fines, and the method by which the FTC reached a $5 billion settlement. All in all, this consent order is par for the course for the FTC.
Commissioners Rohit Chopra and Rebecca Kelly Slaughter dissented for a variety of reasons that may be summed up: the FTC let Zoom off with a slap on the wrist.
In his dissent, Chopra accused the majority of not using the full extent of its powers to help the people and businesses that had been harmed by Zoom’s actions and not setting an example to deter both future bad acts by others and by Zoom itself. Chopra characterized the Zoom settlement as being the latest in a long string of ineffectual consent orders that will fail to change the behavior of companies in the digital markets. Chopra called on the agency to use rarely utilized powers, notably through a rulemaking spelling out the practices the FTC will find deceptive and unfair, which would allow the agency to pursue civil fines in the first instance and also put companies on notice about what is allowed and what is not. Chopra also called for structural changes at the agency to increase its effectiveness. Kelly Slaughter focused on the majority’s choice to ignore the privacy implications of Zoom’s misdeeds, especially by not including any requirements that Zoom improve its faulty privacy practices.
To no great surprise, the majority disagreed with Chopra and Kelly Slaughter, trumpeting the settlement as “ensur[ing] that Zoom will prioritize consumers’ privacy and security.” The majority also asserted:
Our dissenting colleagues suggest additional areas for relief that likely would require protracted litigation to obtain. Given the effective relief this settlement provides, we see no need for that…. We feel it is important to put in place measures to protect those users’ privacy and security now, rather than expend scarce staff resources on speculative, potential relief that a Court would not likely grant, given the facts here.
Incidentally, the majority’s primary rationale for not seeking more comprehensive punishment of Zoom and relief and redress for businesses and consumers lays bare the reason why any federal privacy regime may prove to be a toothless tiger. The majority reasoned that the FTC did the best it could because going to court would entail the risk Zoom would prevail given its resources, and even if the agency won, it would still burn through precious agency resources. I’ve made this point before: if people are not given the right to vindicate their rights in court, absent a major infusion of money and authority into the FTC, a federal privacy law will fail to achieve the goal of increasing privacy in the digital world. And this failure will occur because of the incentives. If a multi-billion corporation like Zoom gives the FTC night sweats about pursuing what appears to be an open and shut case given the egregious violations of the FTC Act, then the biggest players in the market will continue doing what they are currently doing with some changes in order to at least nod to a new law. However, the FTC will lack the means and the will to punish enough violators to change their behavior, the ultimate goal of any statutory scheme.
As it happened, the FTC also announced its consent order against Sunday Riley and its namesake CEO for posting fake reviews of its cosmetic products on the website of retailer Sephora. Sunday Riley executives and employees created fake accounts to post fake reviews, and then used a VPN once the reviews were taken down. CEO Sunday Riley also directed employees to create three different fake accounts for this purpose. The consent order bars Sunday Riley and the named parties from making any misrepresentations about the company’s products and forbids them from failing to disclose material connections in advertising and related practices. This case does not pertain to data security and privacy, but Chopra and Kelly Slaughter dissented, voted against the consent order, and asserted, much as they did in the Zoom case:
- The FTC is doubling down on its no-money, no-fault settlement with Sunday Riley, who was charged with egregious fake review fraud. This weak settlement is a serious setback for the Commission’s credibility as a watchdog over digital markets.
- To defend this settlement, the Commissioners supporting this outcome claim they had no basis to seek more than $0. Their analytical approach favors the fraudster, and it will undermine our mission in future cases.
- The Commission can end its no-consequences settlement policy by publishing a Policy Statement on Equitable Monetary Remedies, restating legal precedent into formal rules, and designating specific misconduct as penalty offenses through an unused FTC Act authority.
FTC Chair Joseph Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson made the case in their statement:
- Every case presents unique circumstances, and there are many factors that must be considered in determining what constitutes an appropriate settlement. The primary factor is the law. For example, to obtain monetary relief, the Commission must have a viable legal basis to demonstrate consumer injury or ill-gotten gains from the alleged violations. In some cases, such as frauds where the consumer receives no value, this calculation may be obvious. In others, including Sunday Riley, a legally defensible calculation of ill-gotten gains may be difficult. In such cases, the expenditure of resources needed to develop an adequate evidentiary basis reasonably to approximate ill-gotten gains may substantially outweigh any benefits to consumers and the market. We believe the Commission’s order strikes the right balance.
- The relief obtained in this case is consequential and will provide both specific and general deterrence. The administrative order binds Sunday Riley and its CEO.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.