In re Zoom

Concerning Zoom's ability to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user.

In July 2019, EPIC filed a complaint with the FTC alleging that Zoom had committed "unfair and deceptive practices" in violation of the FTC Act. According to EPIC, Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attacks.

EPIC has brought many similar consumer privacy complaints to the FTC, including the complaint that led to the FTC consent order against Facebook and the complaint that led to the FTC consent order against Google, which later produced a $22.5 million fine.

However, the FTC failed to act on EPIC's 2019 complaint against Zoom.

Top News

  • EPIC Seeks Records About FTC's Investigation of Zoom: EPIC has filed an urgent Freedom of Information Act request with the FTC seeking records about the status of the Zoom investigation. This week, FTC Commissioner Noah Phillips declined to say whether the agency is investigating Zoom. The Commissioner's statement follows widespread reporting on privacy and security problems with the video conferencing service. In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." Last week, EPIC urged the FTC to open an investigation. In a recent letter to FTC Chairman Simons, Senator Sherrod Brown stated, "I believe that the company is engaging in deceptive practices by inaccurately advertising end-to-end encryption of its virtual meetings and putting consumers' information and privacy at risk." (Apr. 16, 2020)
  • EPIC Urges FTC to Investigate Zoom, Issue Best Practices for Online Conferencing: In a letter to FTC Chairman Joe Simons, EPIC urged the FTC to "open an investigation of Zoom's business practices and to issue, as soon as practicable, Best Practices for Online Conferencing Services." The EPIC letter followed a 2019 complaint from EPIC warning that Zoom had "placed at risk the privacy and security of the users of its services." EPIC also explained to the FTC that Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." In the April 2020 letter to the Commission, EPIC reminded the Commission that it acted on similar complaints from EPIC concerning Facebook and Google but failed to act on the Zoom complaint. EPIC cited widespread reports of privacy and security flaws with the online conferencing service. EPIC wrote, "Now more than ever, the Federal Trade Commission has a responsibility to safeguard American consumers. We urge you to act." (Apr. 5, 2020)

  • State Attorneys General Investigate Zoom (Apr. 3, 2020)
    The Attorneys General from several states including New York, Connecticut, and Florida are investigating Zoom's privacy and security practices. The New York AG stated that she was "concerned that Zoom's existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network." Last year, EPIC filed a complaint about Zoom security practices with the Federal Trade Commission. EPIC explained that Zoom had "placed at risk the privacy and security of the users of its services." EPIC's 22-page analysis detailed how Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." The Federal Trade Commission failed to act on EPIC's 2019 Zoom complaint.
  • Senator Blumenthal Calls on Zoom to Address Privacy Issues (Apr. 1, 2020)
    Senator Richard Blumenthal has called on video conference platform Zoom to provide clear answers about its consumer data privacy rules and safety practices. "Zoom has a troubling history of software design practices and security lapses that have posed significant risks to the privacy and safety of its users," Senator Blumenthal said. Senator Blumenthal asked for responses to six questions by April 14, 2020. Last year, EPIC filed a complaint about Zoom security practices with the Federal Trade Commission. EPIC explained that Zoom had "placed at risk the privacy and security of the users of its services." EPIC's 22-page analysis detailed how Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." The Federal Trade Commission failed to act on EPIC's 2019 Zoom complaint.
  • EPIC Files Complaint with FTC about Zoom + (Jul. 11, 2019)
    Today EPIC filed a complaint with the FTC alleging that the videoconferencing company Zoom has committed unfair and deceptive practices in violation of the FTC Act. According to EPIC, Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attacks. EPIC has brought many similar consumer privacy complaints to the FTC, including the complaint that led to the FTC consent order against Facebook and the complaint that led to the FTC consent order against Google. EPIC cited the Google order, which produced a $22.5 million fine, in the complaint concerning Zoom. EPIC, In re Zoom ("Concerning Zoom's ability to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user.")

Background

Zoom Security Vulnerabilities

EPIC stated that Zoom is one of the largest service providers in the video conferencing industry and is used by over 30,000 companies and over 40 million people worldwide. When a Mac user installs the Zoom client, Zoom also installs a web server listening on localhost, without the user's knowledge. The localhost web server lets users join Zoom meetings without manually launching the Zoom client, but it also lets any website join a user to a Zoom meeting without the user's knowledge or consent. Zoom developed this technique to bypass a security feature in Safari 12 that required users to confirm, through a dialog, that they wanted the Zoom client to open before joining a meeting.

Any website a Zoom user visits can send requests to the hidden localhost web server. If a user visits a page that embeds such a request in an iframe, the localhost web server launches the Zoom client and joins the meeting automatically, even though the user never clicked a Zoom meeting URL. An attacker can therefore place the iframe on a page under their control and, because video is on by default, turn on the cameras of Zoom users who visit it.

EPIC explained that the localhost web server remains on the device even after the Zoom client has been uninstalled. The surviving web server lets Zoom silently re-download and reinstall the client the next time the user clicks a meeting URL.

Remote Access to Zoom Users' Webcams Without Consent

EPIC stated that unless a Zoom user opts out of video, Zoom may enable the user's webcam and subject the user to remote surveillance. By default, when a user joins a Zoom call, her camera is turned on. Users can opt out in one of two ways: (1) by clicking "Turn off my video" when joining the meeting, or (2) by changing their default settings, selecting "Turn off my video when joining a meeting" under the "Video" tab. If a user does not opt out of video, the meeting host decides whether the user's camera is on or off.

EPIC explained that the localhost web server and the video-on default additionally allow attackers to launch denial-of-service (DoS) attacks against Zoom users. Zoom conceded that, because of the vulnerability, an attacker could target a Zoom user with an endless loop of meeting join requests.

The FTC's Authority to Pursue Unfair and Deceptive Trade Practices

Section 5 of the FTC Act (15 U.S.C. § 45) prohibits unfair and deceptive acts and practices and empowers the Commission to enforce the Act's prohibitions. A company engages in a deceptive trade practice if it makes a representation to consumers yet "lacks a 'reasonable basis' to support the claims made[.]" A trade practice is unfair if it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."

Zoom Engaged in Unfair Trade Practices

EPIC stated that Zoom's security vulnerabilities constitute an unfair business practice because they are likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers and not outweighed by countervailing benefits to consumers or to competition. Zoom provided conferencing services to thousands of consumers, surreptitiously forcing users to install its local web server and turning on their video in conferences by default, rather than with user consent. Zoom's actions placed users at risk of severe privacy violations, including remote surveillance or distribution of illicit photographs or location information obtained through users' Mac cameras.

Zoom Engaged in Deceptive Trade Practices

EPIC explained that Zoom made material misrepresentations that misled reasonable consumers regarding the security of the Zoom Client application. In addition to presenting Zoom Client as secure, Zoom did not make clear to consumers that the company would install a local web server that would bypass browser security settings and allow Zoom to reinstall the software without the user's consent. These misrepresentations were both likely to mislead and actually did mislead consumers.

Legal Documents

  • EPIC’s FTC Complaint In re Zoom (filed July 11, 2019)
