By Jennifer K. Wagner J.D., Ph.D.
2020 brought an unexpected and massive surge in the use of video conferencing platforms. In the midst of a deadly pandemic and public health guidelines intended to flatten the curve through deterrence of non-essential in-person interactions, Zoom and similar video conferencing platforms have provided a way for people to stay connected and companies (including law firms) to continue to do business. Indeed, the Commonwealth Court of Pennsylvania recently noted Zoom and similar platforms do provide the type of “simultaneous contemporaneous communication” necessary for conducting a business “meeting” (M4 Holdings, LLC v. Lake Harmony Estates Property Owners’ Association, 237 A.3d 1208, 1220). The precise scale of Zoom’s growth has been disputed (due to distinctions between daily active users and daily meeting participants), but Zoom’s userbase has reportedly swelled to more than 30 times the size it was a year ago (growing from 10 million daily users in December 2019 to 300 million by April 2020). For comparison, Google Meet and Microsoft Teams apparently had >100 million and 75 million daily users, respectively during that same timeframe, and Microsoft Teams recently reported 115 million daily active users.
While Zoom has become so popular that it’s its own verb (“Do you want to Zoom?”), this rapid growth has not been without growing pains. For several months, people have been questioning whether it is safe to Zoom and drawing attention to cybersecurity and privacy issues within the platform. Reported concerns included, e.g., a security researcher’s discovery of the Zoom installer creating a local web server on users’ Macs (reported on Wired), the veracity of Zoom’s encryption claims (reported on The Intercept), troublesome Zoombombing incidents (reported, e.g., by NPR and the New York Times), and traffic being routed through China (reported by TechCrunch). In April, the U.S. Attorney for the Western District of Pennsylvania (Scott Brady) and Pennsylvania Attorney General Josh Shapiro warned about zoombombing specifically and announced that such activity would be investigated and prosecuted by the Western Pennsylvania COVID-19 Task Force. New York Attorney General Letitia James had investigated Zoom and announced an agreement in May that the company would improve its features in order to implement a comprehensive data security program, provide additional privacy controls for free accounts, and take steps to protect users from abusive conduct. Just a month ago, Zoom found itself in trouble with the Federal Trade Commission (FTC) for unfair and deceptive trade practices related to its data security and privacy practices.
What was at issue with the FTC and what does the proposed consent order require?
In the complaint, the FTC alleged five ways that Zoom violated Section 5(a) of the Federal Trade Commission Act (15 U.S.C. §§41-58, as amended):
- by claiming it provided end-to-end encryption for all meetings;
- by claiming the level of encryption was 256-bit encryption when it was only 128-bit encryption;
- by misrepresenting the encryption of recorded meetings stored on the cloud, as such recordings could remain unencrypted for up to 60 days before being moved to secure cloud storage;
- by circumventing Safari browser safeguards with ZoomOpener, its installer that created a local web server on users’ Apple devices; and
- by not disclosing the real details about the ZoomOpener to consumers (i.e., misrepresenting that software updates were bug fixes and failing to disclose to consumers the software updates were deploying the ZoomOpener, that this would circumvent the Safari browser safeguards, and that it would remain on the Mac device even if the Zoom app was uninstalled).
The FTC noted on its website that Zoom had already “discontinued most of the practices challenged in the complaint…” This is perhaps not a surprise given the company’s earlier agreement with the New York Attorney General, which obligated Zoom to take many of the same measures to enhance privacy and security of the platform.
The proposed consent agreement would require Zoom to stop misrepresenting its platform and the platform’s security and privacy features (including how it collects, uses, deletes, or shares user information). It requires Zoom to establish, implement, and maintain a “robust” and “comprehensive information security program.” As part of that program, Zoom would need to perform security reviews of its software updates before software updates are released in order to discover not only vulnerabilities but also if the update would interfere with security features of third parties. The consent agreement also requires Zoom to submit to independent security assessments every other year to identify and address internal and external security risks. The duration of the consent order is 20 years. The public has an opportunity to comment on the proposed consent agreement until December 14, 2020.
This enforcement action was a 3-2 decision by the FTC, and separate dissenting statements were issued by Commissioner Slaughter and Commissioner Chopra. A one-page majority statement was provided by FTC Chairman Simons and Commissioners Phillips and Wilson in which they emphasize the goal is to ensure “a safe and secure Zoom that can continue to provide essential services to enable Americans to conduct business, engage in learning, participate in religious services, and stay connected.” While this remark gives a nod to the diverse purposes that such a technological platform can serve, it discounts that alternatives are or should be available so that customers (individuals and businesses alike) are able to enjoy such activities without having to sacrifice their security and privacy interests.
In his dissenting statement, Commissioner Chopra provided a focused discussion on the harmful effects that deceptive practices by technology companies have on customers and business competitors. In a poignant critique about where Zoom might be had it followed the law and describing its gains as a “windfall,” Commissioner Chopra noted, “…we should all be questioning whether Zoom and other tech titans expanded their empires through deception.” He proceeded to underscore how the current approach taken by the FTC to address security and privacy violations is ineffective, pointing out that the victims of Zoom’s deception will not see any direct relief from the settlement—paying customers will not be released from contracts or receive any refunds or credits and business competitors (i.e., competing teleconference platforms) placed at unfair disadvantage by Zoom’s conduct will not be helped either. Commissioner Chopra summarized the shortcomings of the settlement as “No help…No notice…No money…No fault” and concluded the settlement would have little deterrent effect. He offered seven recommendations for the FTC to “[r]estore [c]redibility” in its enforcement activities. Among his recommendations, he encouraged the FTC to at least consider engaging in formal rulemaking (so that it could pursue monetary penalties for violations more directly than it currently is able) and engaging in more litigation (to develop legal precedent and rebuild confidence in the agency’s willingness and ability to hold wrongdoers accountable). In his recommendations, Commissioner Chopra also highlighted the importance of the FTC coordinating with other partners (including state attorneys general), noting that such cooperation could lead to “superior outcomes” and implying that coordination would make better use of scarce resources used to ensure compliance with both the FTCA and similar but distinct state laws against unfair and deceptive acts and practices.
In her dissenting statement, Commissioner Slaughter stated the FTC missed an opportunity to address privacy as well as security failures and noted the decision does not provide a real remedy to affected consumers. She discussed the intertwined relationship between security and privacy and expressed her disappointment that the settlement with Zoom did not insist on remedial measures to address privacy in addition to security failings. She also highlighted that the settlement “does a disservice” by not requiring Zoom to refund or even notify paying customers who were deceived and noted support for the recommendations put forth by Commissioner Chopra as a means to improve the FTC’s effectiveness.
What might 2021 bring?
It is unclear whether this Zoom consent agreement signals significant changes to the way in which the FTC will engage in the enforcement of privacy and security practices through Section 5 of the Federal Trade Commission Act in the upcoming year. One intriguing development worth watching is, as Daniel Solove and Woodrow Hartzog highlighted in their analysis, the new kind of unfairness injury the FTC recognized here with Zoom: circumvention (i.e., the bypass of third-party privacy and security safeguards). Circumvention as an unfairness injury could become particularly interesting in the health information technology (HIT) space as companies move forward with implementation of the ONC Cures Act Final Rule, a rule intended to stop information blocking and promote individual access to health information while continuing to protect privacy and security of patient information.
Additionally, federal policymakers are increasingly interested in providing the FTC with the tools it needs to ensure cybersecurity and data privacy for consumers and hold businesses accountable when basic, reasonable security and data privacy measures are not taken. In the past year, several bills have been introduced. Three bills prompted by the pandemic (previously discussed on this blog here and here) were S. 3663 COVID-19 Consumer Data Protections Act of 2020; S. 3749/H.R. 6866 Public Health Emergency Privacy Act of 2020; and S. 3861 Exposure Notification Privacy Act. More comprehensive, general data protection bills were S. 2968 Consumer Online Privacy Act (COPRA), S. 3456 Consumer Data Privacy and Security Act of 2020, and S.4626 Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act). While these bills have not made it anywhere close to a vote of the 116th Congress, they do all have a common feature in that they would entrust enforcement of data privacy and security measures to the FTC and the state/territorial Attorneys General. The impasse continues to focus on three features: (1) definitional details; (2) whether there should be federal preemption of state laws and (2) whether individuals should have a private right of action. It seems likely that the 117th Congress will feature fresh efforts to advance privacy law reforms, strengthening both cybersecurity and data privacy authority of the FTC and the state Attorneys General. The FTC’s settlement with Zoom and the corresponding concerns that the consent agreement does not go far enough to address privacy or provide meaningful remedies to consumers and competitors highlights the need for legislative action to ensure that the agency is (and state Attorneys General are) equipped with the tools they need to be effective.
Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also conducts research as an Assistant Professor in the Center for Translational Bioethics & Health Care Policy at Geisinger. She is a former contributing editor of the Genomics Law Report and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Nature Communications; Nature Medicine; American Journal of Human Genetics; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer. Views expressed are her own.