Zoom agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and handed user data to Facebook and Google without users’ consent. The settlement between Zoom and the class-action plaintiffs also covers the security weaknesses that let “Zoombombing” run rampant.
The proposed settlement, filed Saturday in the US District Court for the Northern District of California, would typically give Zoom users $15 or $25 each. It comes nine months after Zoom agreed to security enhancements and a “ban on privacy and security misrepresentations” in a settlement with the Federal Trade Commission; that FTC settlement did not include any compensation for users.
As we wrote in November, the FTC said Zoom claimed to offer end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guides, in a January 2019 whitepaper, in an April 2017 blog post, and in direct responses to inquiries from customers and potential customers. In reality, “Zoom did not provide end-to-end encryption for any Zoom meetings that took place outside of Zoom’s ‘Connecter’ product (which is hosted on the customer’s own servers), because Zoom’s servers, including some located in China, hold the cryptographic keys that would allow Zoom to access the content of its customers’ Zoom meetings,” the FTC said. In true end-to-end encryption, only the users themselves hold the keys needed to decrypt the content.
The new class-action settlement applies to Zoom users nationwide, whether they used Zoom for free or paid for an account. If the court approves the settlement, “Class members who paid for an account will be eligible to receive 15 percent of the money they paid Zoom for their core Zoom Meetings subscription during that time [March 30, 2016, to July 30, 2021] or $25, whichever is greater,” the agreement says. “Class members who are not eligible to submit a Paid Subscription Claim may submit a claim for $15. These amounts may be adjusted pro rata, up or down, depending on the volume of claims, the amount of any award of fees and expenses, service payments to class representatives, taxes and tax expenses, and the costs of administering the settlement.”
Class counsel would receive attorneys’ fees of up to 25 percent of the $85 million and up to $200,000 in reimbursed expenses. About a dozen named plaintiffs are seeking approval for service payments of $5,000 each. A hearing on the plaintiffs’ motion for preliminary approval of the settlement is scheduled for October 21, 2021.
In addition to payments, Zoom “agreed to more than a dozen major changes to its practices designed to improve meeting security, strengthen privacy disclosures and safeguard consumer data,” according to the agreement.
With the pandemic boosting its video-conferencing business, Zoom more than quadrupled its annual revenue from $622.7 million to $2.7 billion in the 12 months ending January 31, 2021. Zoom also reported $672 million in net income for that 12-month period, up from $25.3 million the year before. Zoom is on track to do even better this year, having reported first-quarter (February–April) revenue of $956.2 million and net income of $227.5 million.
Zoom cannot redefine end-to-end encryption
An amended class-action complaint filed in May 2021 said that, despite Zoom’s bogus end-to-end (E2E) encryption promises, “the encryption keys for each meeting are generated by Zoom’s servers, not client devices.”
The connection between the Zoom application running on a user’s computer or phone and the Zoom server is encrypted in the same way that the connection between a web browser and a website is encrypted. This is known as transport encryption, and it differs from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. In a Zoom meeting protected only this way, video and audio content stays private from anyone eavesdropping on the Wi-Fi, but not from the company or, presumably, from anyone the company shares its access with, whether voluntarily, under legal compulsion (e.g., at the request of law enforcement), or involuntarily (e.g., an attacker who breaks into the company’s systems). With true E2E encryption, the encryption keys are generated on the client devices, and only the meeting participants can decrypt the content.
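The distinction above comes down to where the meeting key is generated and who keeps a copy. The following is an added illustration, not code from the article or from Zoom: it runs the same encrypt-relay-decrypt flow through two servers, one that generates and retains the meeting key (the architecture the complaint describes) and one that never receives a key. The stream cipher is a toy built from an HMAC-SHA256 keystream so the demo needs only the standard library; a real product would use a vetted AEAD such as AES-GCM. How participants agree on the client-generated key (an authenticated key exchange in practice) is assumed to happen out of band and is not modeled.

```python
# Added example: server-held meeting keys (transport encryption only) versus
# client-generated keys (end-to-end). Not Zoom's code; the toy stream cipher
# (HMAC-SHA256 keystream) stands in for a real AEAD so the demo runs with the
# standard library only. Key agreement between participants is assumed to
# happen out of band and is not modeled.
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter).
    Symmetric, so the same call both encrypts and decrypts. Demo only:
    it gives confidentiality but no integrity protection."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Participant:
    """A meeting client that encrypts media frames under the meeting key it holds."""

    def __init__(self, meeting_key: bytes):
        self.meeting_key = meeting_key

    def send(self, frame: bytes):
        nonce = os.urandom(12)  # fresh per frame; never reuse a nonce with a key
        return nonce, keystream_xor(self.meeting_key, nonce, frame)

    def receive(self, nonce: bytes, ciphertext: bytes) -> bytes:
        return keystream_xor(self.meeting_key, nonce, ciphertext)


class KeyHoldingServer:
    """Models the architecture the complaint describes: the service generates
    the per-meeting key, hands it to each client, and keeps a copy. Anything
    it relays, it can also read."""

    def __init__(self):
        self.meeting_key = os.urandom(32)
        self.readable = []  # what the operator (or anyone with its access) sees

    def issue_key(self) -> bytes:
        return self.meeting_key

    def relay(self, nonce: bytes, ciphertext: bytes):
        self.readable.append(keystream_xor(self.meeting_key, nonce, ciphertext))
        return nonce, ciphertext


class BlindRelayServer:
    """End-to-end model: the relay never receives a key and can only forward
    opaque ciphertext."""

    def __init__(self):
        self.readable = []

    def relay(self, nonce: bytes, ciphertext: bytes):
        self.readable.append(ciphertext)  # all the server can ever log
        return nonce, ciphertext


def run_transport_only(frame: bytes):
    """Returns (what the peer decrypts, what the server could read)."""
    server = KeyHoldingServer()
    alice = Participant(server.issue_key())
    bob = Participant(server.issue_key())
    nonce, ct = server.relay(*alice.send(frame))
    return bob.receive(nonce, ct), server.readable[0]


def run_end_to_end(frame: bytes):
    """Same flow, but the meeting key is generated on a client and never given
    to the server (assumed to reach Bob through an authenticated key agreement,
    which is out of scope here)."""
    server = BlindRelayServer()
    meeting_key = os.urandom(32)
    alice = Participant(meeting_key)
    bob = Participant(meeting_key)
    nonce, ct = server.relay(*alice.send(frame))
    return bob.receive(nonce, ct), server.readable[0]


if __name__ == "__main__":
    # Constructed sample frame standing in for a slice of meeting audio/video.
    sample = b"audio frame: quarterly numbers are not public yet"
    for name, run in (("transport-only", run_transport_only), ("end-to-end", run_end_to_end)):
        delivered, server_view = run(sample)
        print(f"{name:14s} peer ok={delivered == sample} "
              f"server can read={server_view == sample}")
```

In both runs the peer decrypts the frame correctly, so a user watching the green padlock cannot tell the two apart; the only difference is whether `server.readable` contains plaintext. That is exactly why “the keys are generated by Zoom’s servers” is the decisive fact in the complaint, not whether the link was encrypted.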
Zoom’s website stated that its service lets a host “[s]ecure a meeting with end-to-end encryption” and that “Zoom’s security solution and architecture provides end-to-end encryption and meeting access controls so data in transit cannot be intercepted,” according to the complaint. But Zoom is not entitled to its own definition of end-to-end encryption, the lawsuit said. “The definition of end-to-end encryption is not subject to interpretation in the industry,” it said. “Zoom’s misrepresentations stand in stark contrast to other video-conferencing services, such as Apple’s FaceTime, which have taken on the more challenging task of implementing true E2E encryption for multi-party calls.”
Zoom’s failure to provide end-to-end encryption was reported by The Intercept in March 2020. Zoom’s response to that article “made it clear that Zoom knew it was not using the industry-accepted definition of E2E encryption and had made a conscious decision to use the term ‘end-to-end’ anyway,” the lawsuit said.
The Zoom app used to include a text box, revealed by “hovering over the green padlock in the upper left corner,” that said, “Zoom is using an end-to-end encrypted connection,” the complaint noted, adding that “Zoom has since changed this text to simply say that the session is encrypted.”
In April 2020, Zoom apologized “for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption … While we never intended to mislead any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
In October 2020, Zoom announced the availability of a “technical preview” of its first true end-to-end encryption offering. Zoom’s website says the offering is still in the technical preview stage “and disables several other features,” so Zoom recommends it “only for meetings where additional protection is needed.”
Giving away user data and allowing Zoombombing
Zoom users relied on the company’s promises that “Zoom does not sell user data” and that “Zoom takes privacy seriously and adequately protects users’ personal information,” the lawsuit says. Class members did not understand that “Zoom would collect and share [their] personal information with third parties, including Facebook and Google,” and “allow third parties, such as Facebook and Google, to access [their] personal information and combine it with content and information from other sources to create a unique identifier or profile of [each user] for advertising and behavioral influencing purposes,” the lawsuit continued.
Because Zoom built in the Facebook SDK, user data was sent by Zoom to Facebook “regardless of whether the user had created a Zoom or Facebook account, and worse, before the user had encountered Zoom’s terms and conditions or any privacy disclosure,” the lawsuit said. Although Zoom allegedly “removed the Facebook SDK, Zoom continues to share equally valuable user data with Google through Google’s Firebase Analytics SDK, also built into the Zoom app. The plaintiffs never granted third parties permission to extract and use that data. In fact, they weren’t even aware of the data transmission.” In addition to Facebook and Google, Zoom “sends personal data about its users to Hotjar, Zendesk, AdRoll, Bing, and others.”
The lawsuit also said Zoom blamed users for a series of Zoombombings even though the problem was caused by Zoom’s security deficiencies. Zoom could have limited meeting disruptions by unauthorized participants with “relatively simple technical fixes … for example, making it easy for hosts to cancel a meeting and/or eject a Zoombomber with the push of a button, defaulting to host-controlled screen sharing, or implementing stronger meeting security (attendee admission) protocols, such as identity verification or unique access codes for meetings,” the lawsuit says.
“As early as March 20, 2020, Zoom admitted that its product had a Zoombombing problem. However, instead of changing the security protocols and default features, Zoom turned its back on its users, claiming they were to blame for their inability to use the program correctly,” the complaint said.
The settlement “requires Zoom not to reintegrate the Facebook SDK for iOS into Zoom Meetings for one year” and to ask Facebook to “delete any US user data obtained from the SDK.” The security and transparency changes that Zoom agreed to also include the following:
- Develop and maintain, for at least three years, documented protocols and procedures for admitting third-party applications for dissemination to users through the Zoom Marketplace.
- Develop and maintain a user assistance ticket system for internal monitoring and communication with users about reports of meeting interruptions.
- Develop and maintain a documented process for communicating with law enforcement about meeting disruptions involving illegal content, including staff dedicated to reporting serial meeting disruptions to law enforcement.
- Develop and maintain, for a minimum of three years, security features such as attendee waiting rooms, a meeting-suspension button, and country-specific user blocking.
Zoom would also be required “to better educate users on the security features available to protect meeting security and privacy, through dedicated space on the Zoom website and banner notifications.” The Zoom website will also need to include “centralized information and links for parents whose children are using school-provided K-12 accounts.”
After the deal was announced, Zoom gave the media a statement that admitted no wrongdoing. “The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us,” Zoom said. “We are proud of the advancements we have made to our platform, and we look forward to continuing to innovate with privacy and security at the forefront.”