[Kavya] You’re listening to the Berkeley Technology Law Journal Podcast. I’m Kavya Dasari.
[Meg] I’m Meg Sullivan.
[Jonathan] And I’m Jonathan Baer. Here are some headlines about what’s been happening This Week in Tech Law.
[Meg] Today we’ll be covering Zoom’s settlement with the Federal Trade Commission, an antitrust case against Amazon in the European Union, and the U.S. Department of Justice’s antitrust lawsuit challenging Visa’s acquisition of a fintech start-up.
[Kavya] On Monday, November 9th, the Federal Trade Commission and Zoom Video Communications Inc. reached a settlement on claims brought against the company over allegedly deceptive and unfair cybersecurity practices.1 While the FTC investigation began over a year ago,2 calls for an investigation into Zoom’s security practices increased in early April amidst increased usage of the platform and mounting security and privacy concerns.3 During the COVID-19 pandemic, the video conferencing platform’s user base has grown tremendously from 10 million users in December 2019 to 300 million users in April 2020.4
The FTC alleged that Zoom misled its users about its encryption protection.5 The company advertised that it secures users’ communications using end-to-end encryption,6 which protects communications so that they can be read only by the sender and the recipient.7 Neither third parties nor the platform provider has access to the content when using this type of encryption.8 Contrary to how the company marketed its security services, however, Zoom had access to cryptographic keys, which allowed the company to access the content of meetings held on the platform and provided a lower level of encryption than the company promised to its users.9
Further, the FTC alleged that Zoom made false claims to users that recorded meetings would be immediately encrypted following the meeting and stored on its secure cloud storage.10 However, some recordings were kept unencrypted for up to sixty days on the company’s servers before they were transferred to its encrypted cloud storage.11 The Commission explained that Zoom also compromised user security by covertly installing software called “ZoomOpener web server” in July 2018 as part of a Mac desktop application update.12 This software automatically opens the Zoom app by bypassing an Apple Safari browser safeguard meant to protect users from common types of malware.13 The FTC noted that even after users had deleted the Zoom app, this software remained on their computers and, in certain situations, would automatically reinstall the Zoom app without user knowledge or approval.14 In July 2019, Apple removed ZoomOpener web server from the computers of its users through an automatic update.15
The settlement between the FTC and Zoom was approved by a 3-2 vote by the Commission,16 and it contains a range of provisions Zoom is required to satisfy.17 For instance, Zoom is required to assess and document potential security risks annually and formulate solutions to correct these vulnerabilities.18 Additionally, the company is prohibited from making misrepresentations on “how it collects, uses, maintains, or discloses personal information [and] its security features,” among other privacy and security practices.19 Further, the FTC requires biennial assessments of Zoom’s security program from an independent third party for the next twenty years.20 The Commission did not impose monetary penalties because the FTC Act does not permit such penalties for first-time violations of the Act.21
Commissioners Rebecca Kelly Slaughter and Rohit Chopra issued separate dissenting statements on the settlement.22 Notably, Commissioner Slaughter expressed dissatisfaction with the settlement’s “requir[ing] Zoom only to establish procedures designed to protect user security and fail[ing] to impose any requirements directly protecting user privacy.”23 Commissioner Chopra on the other hand argued that the FTC’s current approach to privacy violations is ineffective, and that this settlement “provides no help for affected users” like customers and competitors who were harmed by deception, which “distorts the marketplace.”24
In the majority statement, FTC Chairman Joe Simons, and Commissioners Noah Joshua Phillips and Christine S. Wilson, expressed their support for the consent order, stating that the settlement “provides immediate and important relief to consumers” and “ensures that Zoom will prioritize consumers’ privacy and security.”25 The majority also stated that “[t]his case reflects the Commission’s ongoing commitment to work on behalf of consumers to respond to the panoply of new challenges presented by COVID-19.”26
Zoom responded to the settlement in a statement on November 9th, saying that user security is a top priority for the company.27
[Meg] On Tuesday, November 10th, EU regulators filed antitrust charges against Amazon, alleging that the company violated EU competition laws by using nonpublic data from small business merchants who sell on Amazon’s platform to guide its own retail decisions.28
The European Commission, the executive branch of the European Union, alleges that Amazon exploits its dual role as both a market platform used by other vendors and a competing vendor that stocks and sells its own products on Amazon.com.29 Approximately 2.3 million merchants use Amazon’s platform around the world,30 and small and midsize merchants account for “[m]ore than half of Amazon’s global product sales” according to Recode.31 EU regulators claim that Amazon harvests nonpublic data from vendors that use the Amazon marketplace and then analyzes that data to identify popular products, replicate them, and sell them, oftentimes at a lower price.32
According to Margrethe Vestager, the EU Competition Commissioner, the case comes down to Amazon’s advantage due to its use of “big data” from its retailers.33 Vestager said, “[o]ur concern is not about Amazon retail — about the insights that Amazon retail has into the sensitive business data of one particular seller. Rather they are about the insights that Amazon retail has about the accumulated business data of more than 800,000 active sellers in the European Union covering more than 1BN products.”34
In a statement responding to the charges, Amazon said “[w]e disagree with the preliminary assertions of the European Commission and will continue to make every effort to ensure it has an accurate understanding of the facts. . . . No company cares more about small businesses or has done more to support them over the past two decades than Amazon.”35
The European Union’s charges against Amazon are part of a pattern of increasing global regulatory scrutiny over large tech companies.36 For example, in July, Amazon’s CEO Jeff Bezos appeared before the House Judiciary Subcommittee on Antitrust, Commercial and Administrative Law to answer questions about the ways in which Amazon profits from and potentially competes against small and midsized merchants that sell goods on Amazon’s platform.37 Additionally, at the end of last month, the Department of Justice brought antitrust charges against Google for allegedly using monopolistic tactics related to its search engine.38
The European Commission’s charges were expected for months before they were filed on Tuesday, November 10th.39 Amazon has the opportunity to respond to the charges, but it could be months or years before the Commission reaches a conclusion.40 Ultimately, Amazon may face fines and other penalties, reach a settlement with EU regulators, or have the case be dropped.41
[Jonathan] On Thursday, November 5th, the DOJ filed an antitrust lawsuit to block Visa from acquiring Plaid, a fintech startup.42 Plaid, which had previously raised over $300 million from its investors, develops application programming interfaces (commonly known as APIs) for companies in the financial services space that help “developers share banking and other financial information more easily.”43 Plaid’s APIs provide the technical infrastructure for many popular finance apps, such as Venmo.44 In January, Visa announced that it would be acquiring Plaid for $5.3 billion.45
The Department of Justice’s lawsuit, filed in the U.S. District Court for the Northern District of California, alleges that the acquisition would eliminate the competitive threat Plaid could pose to Visa in the online debit market.46 According to the DOJ, this would allow Visa to maintain a monopoly in the online debit market, potentially leading to less innovation and higher entry barriers for online debit services.47 The DOJ alleges that the deal would violate Section 2 of the Sherman Act and Section 7 of the Clayton Act.48
In response, Visa stated that the lawsuit is “legally flawed and contradicted by the facts…The combination of Visa and Plaid will deliver substantial benefits for consumers seeking access to a broader range of financial-related services . . . .”49 Plaid has yet to comment on the lawsuit.50
Visa has a history of legal conflicts with the DOJ Antitrust Division.51 In 1998, the DOJ sued Visa and MasterCard, alleging the two companies colluded to prevent banks from doing business with other credit card companies.52 In 2001, Visa and MasterCard were ultimately ordered to end such conduct.53 More recently in 2010, the DOJ sued Visa, MasterCard, and American Express, contending that “the three companies violated antitrust laws by enforcing anti-steering provisions that prohibited merchants from offering customers lower-fee credit cards.”54 Visa ended up settling that case with the DOJ.55
A Visa spokesman said that the company “intends to defend the transaction vigorously.”56
[Kavya] Thank you for listening! The BTLJ Podcast is brought to you by Podcast Editors Andy Zachrich and Haley Broughton. Today’s episode was written by Kavya Dasari, Meghan Sullivan, and Jonathan Baer, and was produced by Diming Xu.
[Meg] Our Executive Producer is BTLJ Senior Online Content Editor Allan Holder, and BTLJ’s Editor-in-Chief is Emma Lee.
[Jonathan] We are committed to bringing you interesting news at the intersection of technology and the law. If you enjoyed our podcast, please support us by subscribing and rating us on Apple Podcasts, Spotify, or wherever you listen to your podcasts.
[Kavya] If you have any questions, comments, or suggestions, write us at email@example.com.
[Meg] The information presented here does not constitute legal advice and is only up-to-date as of Friday, November 13th.
[Jonathan] This podcast is intended for academic and entertainment purposes only.