FTC的Zoom Deal表示对安全执法的承诺

美国联邦贸易委员会正在完善一项决议，以加强其对电子商务交易中出现的安全缺陷的执法力度。该机构最近的行动涉及电话会议提供商Zoom Video Communications不当活动的指控，这是一个著名的例子。 在与Zoom达成和解后，FTC对与Zoom的服务相关的安全和隐私问题对公司提出了明确的特定要求。评论期于12月中旬到期后，2020年11月13日的和解协议正式生效。 美国联邦贸易委员会表示，与Zoom达成的协议要求该公司“实施强有力的信息安全计划，以解决有关视频会议提供商进行一系列欺骗性和不公平做法的指控，这些做法破坏了其用户的安全。” Zoom接受或接受委员会的指控后，既没有承认也没有否认委员会的指控。 广泛的电子商务涟漪效应 在电子商务世界中，重要的是，委员会在Zoom案中的行动所反映的不仅仅是内部政策，其目的是加强对电子商务问题的执行。根据Cleary Gottlieb的案例分析，FTC的行动还反映了联邦法院的裁决，该裁决导致委员会采取了更强有力和更有针对性的执法行动，而不是更一般的合规要求。 此外，FTC行动的影响远远超出了应用于视频会议服务的范围，并且影响了广泛的电子商务活动。 Alston and Bird的合伙人凯瑟琳·本威（Kathleen Benway）说：“缩放决定绝对适用。美国联邦贸易委员会（FTC）的决定“向所有以电子方式收集消费者个人信息的公司提供了教训。明智的做法是，此类公司应仔细审查Zoom投诉，并确保其系统和流程不会引起类似问题，”她对E-商业时报。 FTC在Zoom案中的指控的特殊性，为委员会关注并可能影响执法的电子商务交易类型提供了一些见解。 FTC在其投诉中表示，至少从2016年开始，Zoom声称其提供“端到端256位加密”来保护用户的通信，从而误导了客户，“事实上，它提供了较低的安全级别。” FTC解释说，端到端加密是一种确保通信安全的方法，因此，只有发送者和接收者（没有人，甚至平台提供商）也无法读取内容。 FTC表示，Zoom保留了实际上可以允许公司访问其客户会议内容的加密密钥，并以较低的加密级别来保证其电话会议的安全。根据Alston和Bird的案例分析，Zoom在2020年4月承认其服务通常无法进行端到端加密。 根据FTC的投诉，Zoom还错误地声称会议结束后立即加密了这些会议，从而误导了一些希望将记录的会议存储在公司云存储中的用户。取而代之的是，据称某些录音未加密地在Zoom的服务器上存储了长达60天，然后才转移到其安全的云存储中。 此外，Zoom部署了与Apple的Safari浏览器有关的操作机制，FTC将其描述为一种在没有充分通知或征得用户同意的情况下绕过Safari安全和隐私保护措施的方法。委员会认为，这种部署构成不公平的行为或作法。

原文：The U.S. Federal Trade Commission is making good on a resolution to strengthen its enforcement of security deficiencies occurring in e-commerce transactions. The agency's recent action involving allegations of improper activities by teleconferencing provider Zoom Video Communications is a notable example.

In a settlement with Zoom, the FTC imposed significantly specific requirements on the company regarding safety and privacy issues associated with Zoom's services. The Nov. 13, 2020 settlement became official after a comment period expired in mid-December.

The FTC said the agreement with Zoom requires the company "to implement a robust information security program to settle allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users."

Zoom neither admitted nor denied the Commission's allegations with its acceptance of the settlement.

Broad E-Commerce Ripple Effect

Importantly in the world of e-commerce, the Commission's action in the Zoom case reflected more than an internal policy of bolstering enforcement of e-commerce issues. The FTC's action also reflected a federal court decision which resulted in the Commission's move to issue stronger and more targeted enforcement actions, versus more general compliance requirements, according to a Cleary Gottlieb case analysis.

Additionally, the impact of the FTC's action goes far beyond application to video conferencing services and affects a broad range of e-commerce activities. "The Zoom decision absolutely applies broadly," said Kathleen Benway, a partner at Alston and Bird. The FTC decision "offers lessons to any company that collects consumers' personal information electronically. Such companies would be wise to closely review the Zoom complaint and order to ensure that their systems and processes don't raise similar issues," she told the E-Commerce Times.

The specificity of the FTC's allegations in the Zoom case provides some insights on the types of e-commerce transactions that are of concern to the Commission and could possibly affect enforcement.

In its complaint, the FTC said that at least from 2016, Zoom misled customers by claiming that it offered 'end-to-end, 256-bit encryption' to secure users' communications, "when in fact it provided a lower level of security." End-to-end encryption is a method of securing communications so that only the sender and recipient -- and no person, not even the platform provider -- can read the content, the FTC explained.

Zoom maintained the cryptographic keys that could actually allow the company to access the content of its customers' meetings, and secured its teleconference meetings, in part, with a lower level of encryption than promised, FTC said. Zoom acknowledged in April 2020 that its services were generally incapable of end-to-end encryption, according to a case analysis from Alston and Bird.

According to the FTC's complaint, Zoom also misled some users who wanted to store recorded meetings on the company's cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom's servers before being transferred to its secure cloud storage.

In addition, Zoom deployed an operational mechanism related to Apple's Safari browser which the FTC characterized as a method which circumvented a Safari security and privacy safeguard, without adequate notice or consent to the user. The Commission contended that the deployment amounted to an unfair act or practice.