TALKING ABOUT ENCRYPTION: Tips in Response to the Zoom FTC Complaint
On November 9, 2020, the Federal Trade Commission (FTC) announced a settlement with Zoom regarding its statements about end-to-end encryption, security, and the circumvention of a privacy and security safeguard. Zoom agreed to a consent order to settle the case without admitting or denying the allegations and did not pay a fine, but Zoom still faces ongoing lawsuits from investors and consumers.
While the FTC has focused on protecting consumer users from the alleged encryption misrepresentation, our firm has put together some important takeaways for enterprise-focused technology companies with public sector customers regarding how to address encryption and other information security practices.
Deceptive Encryption Claims
Zoom touted its focus on strong encryption and a fully encrypted platform, but the FTC alleged that Zoom’s public statements misled in three ways: 1) Zoom’s use of the term “end to end encryption”; 2) the strength of its encryption; and 3) when Zoom encrypted the recordings being stored.
End-to-end Encryption (E2EE)
Zoom publicly asserted that the platform had secured all meetings with E2EE since 2016. The FTC alleged that Zoom’s implementation and representation of E2EE conflicted with the commonly understood definition of E2EE. Many consumers apparently interpreted E2EE as encryption between participants where no entity other than the participants has the ability to access the contents of a meeting — and therefore felt misled.
In contrast, Zoom intended E2EE to mean that it encrypted the video, audio, screen sharing, and chat between the users and Zoom’s servers (encryption during transit), but only if each of the meeting attendees was using the Zoom client or app. As a result, if one attendee was not using a Zoom app, then the meeting would not be fully encrypted between the participants. Furthermore, Zoom — rather than the participants — held the cryptographic keys at the server level that could allow them access to customer content. Zoom tacitly acknowledged this misrepresentation, clarified how its version of E2EE did not match the commonly understood definition of E2EE, agreed that it would enable storage of cryptographic keys on the user’s devices rather than the Zoom servers, and planned further E2EE changes.
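To make the distinction drawn above concrete, here is an added illustration (not code from the article or from Zoom’s product) that models both designs with a deliberately toy cipher: under encryption in transit the server holds the per-hop keys and can read the content, whereas under E2EE the meeting key is generated on a participant’s device, never reaches the server, and the server relays only ciphertext. The cipher, key sizes and message are constructed for the example.

```python
import hashlib
import secrets


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream. A stand-in for a real cipher
    such as AES-GCM so the example runs with the standard library only; it
    illustrates key custody, not a cipher to deploy. Decryption is the same call."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def transit_only_call(message: bytes) -> tuple:
    """Encryption in transit: each hop (sender->server, server->recipient) uses a
    key the server negotiated and therefore holds. Returns (what the server can
    read, what the recipient receives)."""
    hop_in, nonce_in = secrets.token_bytes(32), secrets.token_bytes(12)
    hop_out, nonce_out = secrets.token_bytes(32), secrets.token_bytes(12)
    wire_in = toy_encrypt(hop_in, nonce_in, message)
    server_view = toy_encrypt(hop_in, nonce_in, wire_in)     # server holds hop_in: plaintext
    wire_out = toy_encrypt(hop_out, nonce_out, server_view)  # server re-encrypts for recipient
    recipient_view = toy_encrypt(hop_out, nonce_out, wire_out)
    return server_view, recipient_view


def e2ee_call(message: bytes) -> tuple:
    """End-to-end encryption: the meeting key lives only on participants' devices.
    The server strips its hop layer and is left holding ciphertext it cannot open."""
    meeting_key, nonce_m = secrets.token_bytes(32), secrets.token_bytes(12)  # endpoints only
    hop_in, nonce_in = secrets.token_bytes(32), secrets.token_bytes(12)      # server knows these
    inner = toy_encrypt(meeting_key, nonce_m, message)
    wire_in = toy_encrypt(hop_in, nonce_in, inner)
    server_view = toy_encrypt(hop_in, nonce_in, wire_in)             # still ciphertext
    recipient_view = toy_encrypt(meeting_key, nonce_m, server_view)  # recipient has meeting_key
    return server_view, recipient_view


if __name__ == "__main__":
    msg = b"constructed sample: Q3 budget figures"  # constructed meeting content
    srv, rcv = transit_only_call(msg)
    print("transit-only: server reads plaintext =", srv == msg, "; recipient ok =", rcv == msg)
    srv, rcv = e2ee_call(msg)
    print("E2EE: server reads plaintext =", srv == msg, "; recipient ok =", rcv == msg)
```

The comparison in each design is what a reviewer should ask of any “encrypted” claim: who holds the key that opens the content, and on which machine.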
In addition to statements about the scope of encryption, Zoom allegedly misled the public about the strength of that encryption. Zoom had claimed that its customers’ content was encrypted using 256-bit encryption as a default. The reality was that Zoom did not actually use 256-bit encryption but rather 128-bit encryption.
The third encryption-related allegation stemmed from Zoom’s claim that customers could store recordings of their meetings on Zoom’s encrypted cloud and that those recordings would be processed and stored “after the meeting has ended.” The FTC claimed this statement was misleading in light of Zoom’s actual practice of keeping the recordings on an unencrypted server for up to 60 days before transferring the recording to encrypted storage.
Tips on talking about encryption for companies with public sector customers
With taxpayer dollars and national security at stake, communicating with public sector customers about how a product encrypts customer data should not be taken lightly. Careless communication about encryption or other security measures could lead to a number of legal and business ramifications in the world of government contracting.
1) Don’t make claims you can’t back up. Remember that government entities require truthful statements and can hold the company (and individuals) civilly and criminally accountable for even inadvertent misrepresentations.
2) Stay aware of the ordinary understanding of the technology and don’t get cute about your implementation of the technology. Even if you don’t agree with the publicly held understanding, if your description is not generally consistent with the ordinary understanding of the term, you will find yourself in hot water.
3) Be exceptionally precise in describing how your product or company uses encryption or other data protection measures. For summaries, email messages, social media postings, or verbal conversation, consider cross-referencing a more detailed written description. Conduct periodic reviews of those written descriptions.
4) Task cross-functional teams consisting of product engineers and information security professionals as well as sales, marketing, and bid and proposal teams to approve public statements about product security and data protection.
We don’t discuss whether 256-bit encryption is actually necessary. The irony is that at this time, neither 128- nor 256-bit encryption is easily broken using brute force. Thus, Zoom meetings might have been sufficiently protected by 128-bit encryption, with better performance, without erroneously touting 256-bit encryption.
This article is not legal advice but gives a general summary for educational purposes only and is not intended to be comprehensive. Seek specific legal advice before taking or refraining from taking any action. Please see our full Legal Disclaimer.