Since its explosion in popularity due to widespread teleworking, Zoom has faced a significant increase in litigation. A class action complaint was filed against the company in March, the SEC filed a suit in April, and several attorneys general have raised concerns the company, and another class action suit has claimed Zoom allowed Facebook and LinkedIn to eavesdrop on their conversation. In April alone, Zoom was sued 17 times, ranging from securities fraud to breach of contract for privacy violations, and for false and misleading statements about its security and privacy practices. The most recent class action complaint filed against Zoom claims that it broke its contract with plaintiffs over privacy violations.
Plaintiffs Adam Buxbaum and Deborah Blum state that Zoom assures: “[w]e do not sell your personal data”; “[y]our meetings are yours. We do not monitor them or even store them after your meeting is done”; “Zoom collects only the user data that is required to provide you Zoom services”; “[w]e do not use data obtained from your use of our services, including your meetings, for any advertising”; “[w]e take security seriously and we are proud to exceed industry standards when it comes to your organizations [sic] communications”; “Zoom is committed to protecting your privacy.” However, they claim that the “platform was riddled with security vulnerabilities, who transmitted user’s personal information surreptitiously to third parties without the users’ knowledge and consent, and whose public representations about the privacy of its video-conferencing platform were false and misleading.” Buxbaum and Bloom have sought certification as representatives in a class action, an injunction to safeguard the Class’s personal information, an award for damages, an award for costs and fees, and other relief as determined by the court.
Specifically, the plaintiffs claim that Zoom failed to identify and address its security vulnerabilities in a timely fashion. For example, bad actors were able to “take over users’ actions on the Zoom web app” or “to run malicious code on computers using Zoom software.” A security flaw in Zoom enabled a hacker to “remotely disrupt a meeting – without even being on the call” and take over a user’s account and install malware. Security flaws also enabled a hacker to “secretly observe users’ video calls” or use Zoom to “gain access to the deepest levels of a user’s computer.” It took Zoom at least three months to address these issues. The Electronic Privacy Information Center (EPIC) filed a complaint with the FTC claiming that “Zoom’s business practices jeopardize the ‘privacy and security of the users of its services.’” Zoom “bypass[es] browser security settings and remotely enable[s] a user’s web cam without the consent of the user.” Zoom apparently took about three months to fix an issue that could have been fixed in a few days. However, Zoom’s fix allegedly did not resolve the issue.
Buxbaum and Bloom state that Zoom did not provide end-to-end encryption as it had promised its users. They state that “Zoom not only failed to provide end-to-end encryption, but it also lacked the technical capacity to do so.” However, because Zoom is not end-to-end encrypted, the company had access to all the videos and audios on its platform. The plaintiffs state that Zoom misled users by claiming its platform had this type of encryption when it did not.
Echoing some of the earlier lawsuits, the plaintiffs allege Zoom “transmits user data surreptitiously to Facebook without user knowledge or consent.” Facebook requires developers to inform users that use Facebook’s software development kit (SDK) that using the SDK “will result in the transmission of analytics and other user information to Facebook.” As a result, plaintiffs claim that Facebook should have informed users and obtained their consent. Zoom also allegedly “surreptitiously mines user data and transmits to LinkedIn.” Zoom performed this action without obtaining consent from users. This “data-mining feature was available to Zoom users who subscribed to a LinkedIn service for sales prospecting, called LinkedIn Sales Navigator. Once a Zoom user enabled the feature, that person could quickly and covertly view LinkedIn profile data…for people in the Zoom meeting by clicking on a LinkedIn icon next to their names.” Zoom supposedly did not acknowledge or address this data procedure in its privacy policy.
The plaintiffs further allege that as a result of Zoom’s poor privacy practices thousands of Zoom users had their personally identifying information leaked, “including their email address and photo.” This allegedly results in “giving strangers the ability to attempt to start a video call with them through Zoom.” Furthermore, Zoom exploits, which had yet to been fixed by the company, were offered for sale on the dark web. Additionally, it was reported that “thousands of personal Zoom videos have been left viewable on the open Web.” These can include personally identifiable information and private conversations and the way Zoom names videos would allegedly allow someone to piece together different conversations. Plaintiffs state that zoombombing, or disrupting a Zoom video, has also been an issue. In April, a Zoom data breach exposed 500,000 user names and passwords and other personally identifiable information. Plaintiffs Buxbaum and Blum state that Zoom’s inadequate privacy and security measures have left users and the government with huge risks to manage, and they state that Zoom must help fix the aftermath.
This is not the only recent lawsuit brought against Zoom. Greenbaum v. Zoom, filed last week, claims that Zoom has been slow to fix security flaws in light of its growth. Simins v. Zoom claims that users expect Zoom to be secure and private, a standard Zoom failed to uphold. The complaint alleges that Zoom’s app deliberately bypasses Mac security features and Cisco endpoints. These allegations join others that are common in previously filed suits.