This article was originally published on the Privacy & Security Blog on Nov. 11, 2020. The following is the introduction. 

It was inevitable. On Monday, Zoom joined an exclusive club of tech companies – Facebook, LinkedIn, Twitter, Microsoft, Google, Uber, Snap, and more. This club involves companies that have been under a Federal Trade Commission (FTC) consent decree. In a weird sense, for tech companies, being enforced against by the FTC for a privacy or security violation has become an initiation ritual to being recognized in the pantheon of the tech company big leagues.

As is the typical process, the FTC announced a complaint and consent order against Zoom for a violation of Section 5 of the FTC Act. More specifically, the FTC charged Zoom with unfair and deceptive data security practices related to encryption and efforts to bypass browser security safeguards.

The Zoom case is notable for several reasons. It signals that Zoom has arrived and is in the club. It’s hard to escape Zoom these pandemic-riddled days; their platform has become the go-to for videoconferencing, and Zoom is becoming a verb. Although we appreciate Zoom, we long for the days when people would just ask to talk with us rather than Zoom with us.

In the end, Zoom proved to have a similar story to the other FTC enforcement actions against tech companies – all had some serious privacy and security problems. Having read all of the FTC cases, what is shocking is that the infractions are not ambiguous or open to a lot of interpretation. They are rather egregious problems. The FTC rarely brings cases unless it has a slam dunk. Why doesn’t any company learn from its predecessors? Why do they all seem to pick up an FTC enforcement action along the way?

Beyond the case involving the new tech “prodigy” Zoom that everyone is buzzing about, this case involves some new developments about FTC jurisprudence as well as a blistering critique of the FTC by Commissioners Rebecca Kelly Slaughter and Rohit Chopra. This critique has been developing through their dissents in the Facebook and Equifax cases. In the Zoom case, their critique has developed into a broader charge that the FTC needs to take a bolder new approach in its enforcement. Are they right?

We’ll explore these issues in this post. First, we’ll discuss some of the notable parts of the complaint and consent decree. Then we’ll turn to the dissents.

Read the full post here

Daniel J. Solove

Reporter, Data Privacy Principles

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School.  He is also the founder of TeachPrivacy, a company that provides computer-based privacy and data security training.  One of the world’s leading experts in privacy law, Solove is the author of 10+ books and textbooks and 50+ articles. He served as co-reporter on the ALI’s Principles of Law, Data Privacy. Professor Solove writes at LinkedIn as of its “thought leaders,” and he has more than 1 million followers.  He more routinely blogs at Privacy+Security Blog.

Woodrow Hartzog

Northeastern University School of Law

Woodrow Hartzog is a Professor of Law and Computer Science at Northeastern University School of Law and the Khoury College of Computer Sciences. He is also a Faculty Associate at the Berkman Klein Center for Internet & Society at Harvard University, a Non-resident Fellow at The Cordell Institute for Policy in Medicine & Law at Washington University, and an Affiliate Scholar at the Center for Internet and Society at Stanford Law SchoolHe is the author of Privacy’s Blueprint: The Battle to Control the Design of New Technologies, published in 2018 by Harvard University Press.


Submit a Comment

Your email address will not be published. Required fields are marked *