Concerning Zoom’s ability to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user.
In July 2019, EPIC filed a complaint with the FTC alleging that Zoom had committed “unfair and deceptive practices” in violation of the FTC Act. According to EPIC, Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attacks.
EPIC has brought many similar consumer privacy complaints to the FTC, including the complaint that led to the FTC consent order against Facebook and the complaint that led to the FTC consent order against Google, which later produced a $22.5 million fine.
However, the FTC failed to act on EPIC’s 2019 complaint against Zoom.
Zoom Security Vulnerabilities
EPIC stated that Zoom is one of the largest service providers in the video conferencing industry and is used by over 30,000 companies and over 40 million people worldwide. When a Mac user installs the Zoom client, Zoom installs a localhost web server on the device without the user’s knowledge. The localhost web server allows users to join Zoom meetings without manually launching the Zoom client, but it also allows others to join users to Zoom meetings without their knowledge or consent. Zoom developed this technique to bypass a security feature in Safari 12, which required users to affirmatively choose to join a Zoom meeting.
The secret localhost web server interacts with every website a Zoom user visits. If a Zoom user visits a website containing an iframe embed that reaches the localhost web server, the server will automatically launch the Zoom app, even if the user has not clicked a Zoom meeting URL. Attackers can therefore deliberately place such iframe embeds in their websites to enable Zoom users’ cameras.
EPIC explained that even after the Zoom client has been uninstalled, the Zoom localhost web server remains. Zoom’s localhost web server allows Zoom to update and secretly reinstall the app after a user clicks on a meeting URL.
Remote Access to Zoom Users’ Webcams Without Consent
EPIC stated that even if a Zoom user does not opt out of video, Zoom may enable the user’s webcam and subject the user to remote surveillance. By default, when a user joins a Zoom call, her camera is turned on. Users can choose to opt out in one of two ways: (1) by clicking “Turn off my video” when joining the meeting, or (2) by manually changing their default settings by clicking “Turn off my video when joining a meeting” under the “Video” tab. If a user does not opt out of video, the meeting host can choose whether the user’s camera is turned on or off.
EPIC explained that the video-on-by-default vulnerability additionally allows hackers to launch denial-of-service (DoS) attacks against Zoom users. Zoom concedes that, because of the vulnerability, a hacker could target a Zoom user with an endless loop of meeting join requests.
The FTC’s Authority to Pursue Unfair and Deceptive Trade Practices
Section 5 of the FTC Act (15 U.S.C. § 45) prohibits unfair and deceptive acts and practices and empowers the Commission to enforce the Act’s prohibitions. A company engages in a deceptive trade practice if it makes a representation to consumers yet “lacks a ‘reasonable basis’ to support the claims made[.]” A trade practice is unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
Zoom Engaged in Unfair Trade Practices
EPIC stated that Zoom’s security vulnerabilities constitute an unfair business practice because they are likely to cause substantial injury to customers, which is not reasonably avoidable by customers and not outweighed by countervailing benefits to consumers or to competition. Zoom provided conferencing services to thousands of consumers, surreptitiously forcing users to download its local web server and turning on their video in conferences by default, rather than with user consent. Zoom’s actions placed users at risk of severe privacy violations, including remote surveillance or distribution of illicit photographs or location information obtained through users’ Mac cameras.
Zoom Engaged in Deceptive Trade Practices
EPIC explained that Zoom made material misrepresentations that misled reasonable consumers regarding the security of the Zoom Client application. In addition to presenting Zoom Client as secure, Zoom did not make clear to consumers that the company would install a local web server that would bypass browser security settings and allow Zoom to reinstall the software without the user’s consent. These misrepresentations were both likely to mislead consumers and did in fact mislead them.
EPIC’s FTC Complaint In re Zoom (filed July 11, 2019)