This article was originally published on the Privacy & Security Blog on Nov. 11, 2020. The following is the introduction.
It was inevitable. On Monday, Zoom joined an exclusive club of tech companies – Facebook, LinkedIn, Twitter, Microsoft, Google, Uber, Snap, and more. This club involves companies that have been under a Federal Trade Commission (FTC) consent decree. In a weird sense, for tech companies, being enforced against by the FTC for a privacy or security violation has become an initiation ritual to being recognized in the pantheon of the tech company big leagues.
As is the typical process, the FTC announced a complaint and consent order against Zoom for a violation of Section 5 of the FTC Act. More specifically, the FTC charged Zoom with unfair and deceptive data security practices related to encryption and efforts to bypass browser security safeguards.
The Zoom case is notable for several reasons. It signals that Zoom has arrived and is in the club. It’s hard to escape Zoom these pandemic-riddled days; their platform has become the go-to for videoconferencing, and Zoom is becoming a verb. Although we appreciate Zoom, we long for the days when people would just ask to talk with us rather than Zoom with us.
In the end, Zoom proved to have a similar story to the other FTC enforcement actions against tech companies – all had some serious privacy and security problems. Having read all of the FTC cases, what is shocking is that the infractions are not ambiguous or open to a lot of interpretation. They are rather egregious problems. The FTC rarely brings cases unless it has a slam dunk. Why doesn’t any company learn from its predecessors? Why do they all seem to pick up an FTC enforcement action along the way?
Beyond the case involving the new tech “prodigy” Zoom that everyone is buzzing about, this case involves some new developments about FTC jurisprudence as well as a blistering critique of the FTC by Commissioners Rebecca Kelly Slaughter and Rohit Chopra. This critique has been developing through their dissents in the Facebook and Equifax cases. In the Zoom case, their critique has developed into a broader charge that the FTC needs to take a bolder new approach in its enforcement. Are they right?
We’ll explore these issues in this post. First, we’ll discuss some of the notable parts of the complaint and consent decree. Then we’ll turn to the dissents.
Read the full post here.