In re Zoom
Concerning Zoom's ability to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user.
In July 2019, EPIC filed a complaint with the FTC alleging that Zoom had committed "unfair and deceptive practices" in violation of the FTC Act. According to EPIC, Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attacks.
EPIC has brought many similar consumer privacy complaints to the FTC, including the complaint that led to the FTC consent order against Facebook and the complaint that led to the FTC consent order against Google, which later produced a $22.5 m fine.
However, the FTC failed to act on EPIC's 2019 complaint against Zoom.
- EPIC, Coalition Urge FTC to Address Privacy in Zoom Settlement: EPIC, the Center for Digital Democracy, the Campaign for a Commercial-Free Childhood, the Parent Coalition for Student Privacy, and Consumer Federation of America today sent comments to the FTC urging the agency to address privacy in its proposed Consent Order with Zoom. The groups recommended that the FTC modify the Order to require Zoom to (1) implement a comprehensive privacy program; (2) obtain regular independent privacy assessments and make those assessments available to the public; (3) provide meaningful redress for victims of Zoom’s unfair and deceptive trade practices; and (4) ensure the adequate protection and limits on the collection of children’s data. In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April 2020, EPIC wrote to Chairman Simons urging the FTC to open an investigation. EPIC has long advocated for the creation of a U.S. data protection agency. (Dec. 14, 2020)
- FTC Fails to Address Privacy in Settlement with Zoom: The FTC has reached a settlement with Zoom requiring the company to address data security but fails to address user privacy. Writing in dissent, Commissioner Slaughter said, "When companies offer services with serious security and privacy implications for their users, the Commission must make sure that its orders address not only security but also privacy." Commissioner Chopra, also dissenting, wrote "The FTC’s status quo approach to privacy, security, and other data protection law violations is ineffective." In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April 2020, EPIC wrote to Chairman Simons urging the FTC to open an investigation. EPIC has long advocated for the creation of a U.S. data protection agency. (Nov. 9, 2020)
- Zoom, Twitter Failures Highlight Discriminatory Impact of Facial Recognition + (Sep. 30, 2020)
- In Reversal, Zoom Will Make Enhanced Encryption Available to All Users + (Jun. 18, 2020)
- Zoom's Additional Encryption Measures Will Only Protect Paying Users + (Jun. 5, 2020)
- New York AG Reaches Agreement with Zoom over Privacy Violations + (May. 8, 2020)
- EPIC Seeks Records About FTC's Investigation of Zoom + (Apr. 16, 2020)
- EPIC Urges FTC to Investigate Zoom, Issue Best Practices for Online Conferencing + (Apr. 5, 2020)
- State Attorneys General Investigate Zoom + (Apr. 3, 2020)
- Senator Blumenthal Calls on Zoom to Address Privacy Issues + (Apr. 1, 2020)
- EPIC Files Complaint with FTC about Zoom + (Jul. 11, 2019)
More top news
Zoom Security Vulnerabilities
EPIC stated that Zoom is one of the largest service-providers in the video conferencing industry and is used by over 30,000 companies and over 40 million people worldwide. When a Mac-user installs the Zoom client, Zoom installs a localhost web server on the device without the user's knowledge. The localhost web server allows users to join Zoom meetings without manually launching the Zoom client, but also allows others to join users to Zoom meetings without their knowledge or consent. Zoom developed this technique to bypass a security feature in Safari 12, which required users to affirmatively choose to join a Zoom meeting.
The secret localhost web server interacts with every website a Zoom user visits. If Zoom users visit a website with an iframe embed, the Zoom localhost web server will automatically launch the Zoom app--even if a user has not clicked a Zoom meeting URL. Attackers can then deliberately place iframe embeds in their websites to enable Zoom users' cameras.
EPIC explained that even once the Zoom client has been uninstalled, the Zoom localhost web server remains. Zoom's localhost web server allows Zoom to update and secretly reinstall the app after a user clicks on a meeting URL.
Remote Access to Zoom Users' Webcams Without Consent
EPIC stated that even if a Zoom user does not opt-out of video, Zoom may enable the user's webcam and subject the user to remote surveillance. By default, when a user joins a Zoom call, her camera is turned on. Users can choose to opt-out in one of two ways: (1) by clicking "Turn off my video" when joining the meeting, or (2) by manually changing their default settings by clicking "Turn off my video when joining a meeting" under the "Video" tab. If a user does not opt out of video, the meeting host can choose whether a user's camera is turned on or off.
EPIC explained that video-on default vulnerability additionally allows hackers to launch DoS attacks against Zoom users. Zoom concedes that because of the vulnerability, a hacker could target a Zoom user with an endless loop of meeting join requests.
The FTC's Authority to Pursue Unfair and Deceptive Trade Practices
Section 5 of the FTC Act (15 U.S.C. S 45) prohibits unfair and deceptive acts and practices and empowers the Commission to enforce the Act's prohibitions. A company engages in a deceptive trade practice if it makes a representation to consumers yet "lacks a 'reasonable basis' to support the claims made[.]" A trade practice is unfair if it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."
Zoom Engaged in Unfair Trade Practices
EPIC stated that Zoom's security vulnerabilities constitute an unfair business practice because they are likely to cause substantial injury to customers, which is not reasonably avoidable by customers and not outweighed by countervailing benefits to consumers or to competition. Zoom provided conferencing services to thousands of consumers, surreptitiously forcing users to download its remote web server and turning on their video in conferences as a default, rather than with user consent. Zoom's actions placed users at risk of severe privacy violations, including remote surveillance or distribution of illicit photographs or location information obtained through users' Mac cameras.
Zoom Engaged in Deceptive Trade Practices
EPIC explained that Zoom made material misrepresentations that misled reasonable consumers regarding the security of the Zoom Client application. In addition to presenting Zoom Client as secure, Zoom did not make clear to consumers that the company would install a local web server that would bypass browser security settings and allow Zoom to reinstall the software without the user's consent. These misrepresentations were both likely to mislead and actually did mislead consumers.
- EPIC’s FTC Complaint In re Zoom (filed July 11, 2019)
EPIC’s Complaint in the News
- FTC Stands Behind Zoom Data Security Deal Despite Backlash, Law 360, February 2, 2021
- FTC Finalizes Zoom Settlement, Despite Acting Chair's Dissent, Media Post , February 2, 2021
- FTC Should Impose Tougher Terms On Zoom, Open Technology Institute Says, Media Post , December 24, 2020
- FTC's Zoom Deal Signals New Data Security Plan Under Dems, Law360, November 25, 2020
- The road to reasonable security: What CISOs should know, Privacy Perspectives, September 3, 2020
- Zoom Directors Accused of Knowingly Underplaying Security Risks in Shareholder Suit, Law.com, July 31, 2020
- Zeroing in on Zoom’s Threat to Financial Services, Traders Magazine , April 16, 2020
- Shareholders Sue Zoom Over Privacy, Hacking Concerns, Law360, April 9, 2020
- Zoom Rushes to Improve Privacy for Consumers Flooding Its Service, New York Times, April 9, 2020
- Zoom rushes to improve privacy for consumers flooding its videoconference service, Seattle Times, April 9, 2020
- ZOOM GETS FEDERAL GOVERNMENT’S ATTENTION AS PRIVACY CONCERNS MOUNT, Vanity Fair, April 8, 2020
- NYC Schools Drop Zoom As Privacy, Security Scrutiny Grows, Law360, April 7, 2020
- Senator calls for federal investigation into Zoom’s ‘deceptive’ practices, Daily Dot, April 7, 2020
- Zoom: Every security issue uncovered in the video chat app, CNET, April 7, 2020
- ‘Explosion’ in Distance-Learning Tech Use Sparks Privacy Worries, Bloomberg, April 6, 2020
- Zoom looks to reframe its narrative in the Beltway, POLITICO Morning Tech, April 6, 2020
- Gov Scrutiny of Zoom, POLITICO Morning Cybersecurity, April 6, 2020
- Zoom got popular during coronavirus. Now it’s facing scrutiny from advocacy groups, Daily Dot, April 6, 2020
- FTC Urged To Investigate Zoom Over Privacy, MediaPost, April 6, 2020
- Zoom got popular during coronavirus. Now it’s facing scrutiny from advocacy groups, Daily Dot, April 6, 2020
- Everybody seems to be using Zoom. But its security flaws could leave users at risk., Washington Post, April 3, 2020
- Zoom security flaws could leave people at risk, say experts, IOL, April 3, 2020
- Why Most Should Avoid The ‘Out Of Control’ Zoom Right Now, Forbes, April 2, 2020
- Zoom è sotto inchiesta negli Usa per problemi di privacy, AGI, April 1, 2020
- New York Attorney General Looks Into Zoom’s Privacy Practices, New York Times, March 30, 2020
- Zoom privacy practices under scrutiny by N.Y. attorney general, Seattle Times, March 30, 2020
- US authorities scrutinise Zoom’s practices as app sees traffic surge, Irish Times, March 30, 2020
- The surveillance profiteers of COVID-19 are here, Engadget, March 27, 2020
- Massive Shift to Remote Learning Prompts Big Data Privacy Concerns, Edweek.org, March 26, 2020
- Zoom is watching you. Here’s what you can do about it, Decrypt, March 23, 2020
- As schooling rapidly moves online across the country, concerns rise about student data privacy, Washington Post, March 20, 2020
- Using Zoom? Here are the privacy issues you need to be aware of, Security Boulevard, March 20, 2020
- Video Calling Prompts Privacy Concerns as Pandemic Drives Work, Education Online, Morning Consult, March 17, 2020
- Working From Home? Zoom Tells Your Boss If You're Not Paying Attention, Vice, March 16, 2020
- Student privacy laws still apply if coronavirus just closed your school, Ars Technica, March 12, 2020
- From Your Mouth to Your Screen, Transcribing Takes the Next Step, New York Times, October 2, 2019
- The New Ways Your Boss Is Spying on You, Wall Street Journal, July 19, 2019
- EPIC asks FTC To Investigate Zoom, Decipher, July 15, 2019
- Zoom in closer, POLITICO Morning Tech, July 12, 2019
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.