Zoom Under Investigation for Deceptive Security and Privacy Practices
Schubert Jonckheer & Kolbe today launched an investigation into Zoom Video Communications, Inc. for its allegedly abusive privacy and security practices, including its troubling and potentially illegal practices concerning encryption, user data, and video recordings. In recent weeks, Zoom has come under fire for its privacy practices and is already facing three class actions over the issues.
Among the many privacy and security issues facing the company, Zoom allegedly failed to “end-to-end” encrypt its group video conferencing (despite claiming that it did), turned over sensitive user data to Facebook in violation of its privacy policy, and failed to safeguard its users’ video recordings (allowing thousands of private videos to be viewed online).
Zoom Allegedly Misled Its Users About Encryption of Group Videos
On its apps, website, and security white papers, Zoom claims that its video conferences are “end-to-end” encrypted. However, as The Intercept recently reported, “despite this misleading marketing, the service does not actually support end-to-end encryption for video and audio content, at least as the term is commonly understood.” Indeed, a Zoom spokesperson admitted that “it is not possible to enable E2E encryption for Zoom video meetings.”
As The Intercept explained, for a Zoom meeting to be end-to-end encrypted, “the video and audio would need to be encrypted in such a way that only the participants in the meeting would have the ability to decrypt.” Zoom, however, doesn’t use this form of encryption, giving the company the ability to listen in on its users’ private meetings and potentially exposing them to third parties. Indeed, without end-to-end encryption, “Zoom has the technical ability to spy on private video meetings and could be compelled to hand over recordings of meetings to governments or law enforcement,” including foreign dictatorships seeking to suppress public dissent.
If a reasonable consumer used Zoom with the understanding that it had end-to-end encryption when it, in fact, did not, Zoom’s marketing may be false and misleading in violation of numerous state and federal laws.
Zoom Allegedly Provided User Data to Facebook in Violation of Its Privacy Policy
Motherboard recently revealed that, unbeknownst to its users, Zoom notifies Facebook when users open its app and provides details on users’ devices and behaviors, including the time zone and city from which they’re connecting, the phone carrier they use, and a unique advertising identifier, which companies can use to track users and target them with advertisements.
Nowhere did Zoom disclose this policy to its users. Rather, the company’s privacy policy fails to explicitly mention anything about sending data to Facebook, even for users who don’t have a Facebook account at all. As one activist from Privacy Matters, who has analyzed Zoom’s privacy policy, explained to Motherboard, “That’s shocking. There is nothing in the privacy policy that addresses that.”
Zoom’s failure to disclose the user data that it provides to Facebook may also violate Facebook’s own terms and conditions, which require companies to “represent and warrant that you have provided robust and sufficiently prominent notice to users regarding Customer Data collection, sharing, and usage.” Facebook also requires all apps that use its tools to disclose to their users that “third parties, including Facebook, may collect or receive information from your app and other apps and use that information to provide measurement services and targeted ads.” Yet, according to Motherboard, Facebook failed to do that here.
Zoom’s failure to disclose that it was providing its data to Facebook may violate numerous state and federal laws, and Zoom users may be entitled to monetary damages as a result.
Zoom Allegedly Allowed Private Videos to Be Exposed on the Open Web
As the Washington Post recently reported, thousands of personal Zoom video recordings are exposed on the open web, where they can be accessed by anyone. As a result, the Washington Post was able to view recordings of “one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary school classes, in which children’s faces, voices and personal details were exposed.”
Because Zoom named every recording using a uniform convention and failed to encrypt or protect them in any way, thousands of these Zoom videos can easily be searched online on Amazon’s online storage, enabling potentially anyone to access highly personal and intimate videos, often recorded in people’s homes. As the Washington Post explained, “the videos can be found on unprotected chunks of Amazon storage space, known as buckets, which are widely used across the Web,” and “thousands of other Zoom clips, all of them named in the same way, have been uploaded onto the video sites YouTube and Vimeo.”
Many of these videos include personally identifiable information, and Zoom’s failure to safeguard this data by following industry best practices may violate numerous state and federal laws.
In light of the serious security and privacy issues facing Zoom, the Schubert Firm is investigating whether these practices are unlawful. Zoom users may be able to participate in a class action lawsuit seeking damages and changes to the company’s privacy practices. Even users who only accessed Zoom’s free service may be entitled to statutory damages.
If you used Zoom and would like to learn more about your legal rights—or would like to participate in the class action lawsuit—please complete the form below.