Zoom was dealt a severe blow by the U.S. government yesterday (November 9). The company said it must institute new proceedings to settle Federal Trade Commission allegations that the video conferencing platform lied about its security and installed software on customers' Macs without their permission.

Zoom "engaged in a series of deceptive and unfair practices that undermined user security," the FTC's official declaration said; Zoom deceived users by advertising that it offered "end-to-end 256-bit encryption" to protect user communications.

Zoom is required to review its security annually, have an external agency review it every other year, create a vulnerability management program, demonstrate that it is properly deleting old customer data, and add multi-factor authentication as an option for customers.

"Zoom is also prohibited from making false representations about its privacy and security practices," the FTC said.

Customers will not immediately know anything has changed about Zoom; some of the FTC's mandates, including Zoom's two-factor authentication (2FA), are already in place, and most of the other mandated changes are going on behind the scenes.

The allegations are serious and hardly controversial. Zoom boasted that it was using "end-to-end encryption," when in fact it was not.

In 2018, Zoom secretly installed a web server on Macs that spied on users on its website and reinstalled Zoom meeting software even after users removed the program. It also told customers that recorded meetings stored on Zoom's servers would be immediately encrypted, which was not always true.

"In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom's video conferencing services," the FTC press release stated. In fact, Zoom maintained encryption keys that allowed it to access the content of its customers' meetings."

But Zoom never paid the fine, angering two Democrats on the FTC's five-member panel; all of the FTC's complaints were filed before the pandemic began. [Commissioner Rebecca Kelly Slaughter said, "Years before the global pandemic, the company made decisions that threatened the security and privacy of its longtime core business customers. But the Commission's proposed settlement provides no remedy for these paying customers."

"Zoom's approach to user privacy was essentially passive rather than proactive," she added. The settlement does not impose any requirements that directly protect user privacy. Customers care about the security measures of products like Zoom because they care about their privacy."

The proposed settlement "contains no support for affected parties, no money, and no other meaningful accountability," Commissioner Rohit Chopra stated in her dissent. It "does nothing to help the small businesses that relied on Zoom's claims about data protection. And we do not ask Zoom to pay a penny."

"The allegations in the FTC's complaint call into question whether Zoom's success, and the tens of billions of dollars of wealth it has brought to its shareholders and management in a short time, was brought about by fair play," Chopra added.

"We should all question whether Zoom and other high-tech companies have expanded their empires through deception."

Since the pandemic hit the U.S. in March and Zoom's users (and stock price) skyrocketed, the company has hired a number of high-profile security officers, fixed end-to-end encryption issues, and added 2FA as an option.

The FTC's job is to ensure that companies do not lie or overstate in their marketing, statements, and practices. There is no power to make companies do more than what they already claim they can do.