BREAKING: Zoom settles with FTC, gets consent order prohibiting misrepresentations, agreeing to mandated information security program, 3rd party audits... Quick THREAD https://www.ftc.gov/system/files/documents/cases/1923167zoomacco2.pdf
3. Most troubling: @zoom_us had been telling customers their calls were protected with end-to-end encryption... the @FTC took a look and concluded... nope. Zoom was keeping the keys to encrypted calls.
4. @zoom_us was also telling users that recorded calls were immediately encrypted. Again, not true, @ftc says. Some were kept unencrypted for up to 2 months.
4. According to the @ftc @zoom_us also *secretly* installed a "ZoomOpener" app on @Apple Mac users' devices. The app bypassed security and would do other shady things, like secretly reinstalling Zoom in some cases after users uninstalled it.
5. The @FTC order touches a host of areas.
(i) @zoom_us is forbidden from making a host of misrepresentations around security & privacy.
6. Next (ii) the @ftc order mandates an #infosec program, along with a host of additional protections, reporting requirements, vulnerability management etc.

Implication: order would not be this detailed if the issues found at @zoom_us were not so problematic.
7. The @ftc also (iii) requires that @zoom_us get itself assessed by a 3rd party to determine compliance with the order and progress, and keep doing so every 6mo.
You can follow @jsrailton.