Zoom’s $85 million settlement in user privacy and “Zoombombing” lawsuit

Zoom's exponential growth during the pandemic brings to light never-ending data privacy issues

Zoom accused of violating privacy and security laws

Since the Covid-19 pandemic started, millions of people have been forced to study and work from home. Zoom has become the most popular tool for organizing conference calls for employees, students, and even government organizations.[1] Zoom had originally been developed for large businesses with in-house IT staffers who could set up and run the software, and the enormous spike in users increased attention on the program's security and privacy flaws.

In this class-action lawsuit, the video-conferencing company is being accused of deceiving users about its end-to-end encryption, hiding security flaws, and disclosing personal information to Facebook, Google, and LinkedIn as well as “zoombombing.”[2]

If the settlement is approved, the $85 million will be allocated among Zoom's users. Those who paid for an account will be eligible to receive 15% of the money they paid to Zoom for their core Zoom Meetings subscription from April to October 2020, or $25. Those who used a free version of the software may be eligible to receive up to $15.

Consequences of neglecting user security and misleading information

The main problems brought up in this lawsuit are Zoom's vague explanation of its encryption capabilities, the sharing of user data with digital platforms without consent, and improper security and privacy controls, which resulted in “zoombombings”.

Zoom claimed its meetings use end-to-end encryption if every participant calls in from a computer or a Zoom mobile app instead of over the phone. But it came out that Zoom's definition of “end-to-end” is not the same as everyone else's. Other companies take end-to-end encryption to mean that the servers that relay messages from one endpoint to another can't decrypt the messages. Zoom does not have that. This can lead to unauthorized access to any content that users share during meetings, which is worrying given that the company has previously admitted to giving its users' information to the Chinese government.

It was a shocking discovery that the video-call company, upon each opening of the Zoom app, collects personal information of its users and discloses it to third parties, including Facebook, invading the privacy of millions of users. The iOS version of Zoom's app sends analytics to Facebook even for users who don't have a Facebook account. It is not uncommon for apps to offer an option to log in with Facebook, but the issue is that Zoom did not state in its privacy policy that it would send data to the tech giant.

Zoombombing has become a phenomenon on the internet where outsiders hijack Zoom meetings and display pornography, use racist language or post other disturbing content. This has left many users feeling unsafe and annoyed as it can lead to sensitive information shared during the meetings being leaked.

The lawsuit might finally lead to Zoom Video Communications fixing major privacy problems

In a blog post on April 1, Zoom Chief Product Officer Oded Gal wrote that “we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.”[3]

After criticism from privacy advocates, Zoom announced it is going to enable E2E as an advanced add-on feature for all users, free and paid. But if you're a free user who wants E2E, you will first have to verify your identity to Zoom via a one-time password or similar service. This will make it more difficult to “zoombomb” meetings. It will be the meeting host's choice whether to activate E2E.

Zoom has also removed its “Login with Facebook” feature using the Facebook SDK for iOS, as the Facebook SDK was collecting device information unnecessary for Zoom to provide its services. Zoom will not reintegrate the Facebook software development kit (SDK) for iOS into Zoom meetings for a year and will request that Facebook delete any US user data obtained from the SDK.

Hopefully, this lawsuit brings change to how Zoom treats user privacy and forces the company to fully disclose how it uses people's personal information in its privacy policy. Cybersecurity is becoming more and more relevant when people use computers and the internet to exchange and store information.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from the Washington and Jefferson College, Communication and Journalism studies.
