A US consumer advocacy group has started a lawsuit against Zoom, the web conferencing software company, alleging it misrepresented the level of security it uses to protect communications.
Zoom’s ‘interesting’ 2020 continues.
The web conferencing company is dealing with a new issue this week: a lawsuit filed on Tuesday alleges that it misrepresented the level of security protecting the conversations of users on its service.
US non-profit group Consumer Watchdog, which filed the suit (PDF) in a Washington DC court under the District's Consumer Protection Procedures Act (CPPA), says the service "lulled consumers and businesses into a false sense of security."
The CPPA, DC's general consumer protection law, prohibits a range of 'deceptive business practices'.
While the software has existed since 2013, it was not until the early days of the ongoing Coronavirus pandemic that it became a worldwide household name.
Initially, it appeared that Zoom was protecting users' communications with the strongest form of encryption, end-to-end, under which only the meeting participants hold the keys and the provider itself cannot read the content; the company used the phrase in its white papers, which surely attracted customers.
When pressed, the company revised its claim, explaining that it actually offers 'transport encryption': meeting traffic, carried over a combination of TLS and UDP, is encrypted with AES between each client and Zoom's servers. The distinction matters. Transport encryption protects the traffic from eavesdroppers on the network, but Zoom's own servers can decrypt it; with end-to-end encryption they cannot.
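To make that distinction concrete, here is an added example in Go (not Zoom's code, and not a description of Zoom's actual protocol): a two-participant meeting relayed through a server, first with hop-by-hop transport encryption and then with an end-to-end meeting key. It uses AES-256-GCM from Go's standard library; the meeting key is simply pre-shared between the two participants, since key agreement is not the point here, and the function and variable names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newKey returns a fresh random 256-bit AES key.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// gcmFor builds an AES-GCM AEAD for the given key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext; the random nonce is prepended.
func seal(key, plaintext []byte) []byte {
	gcm, err := gcmFor(key)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; ok is false for a wrong key or a tampered message.
func open(key, sealed []byte) ([]byte, bool) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, false
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	return pt, err == nil
}

// Result records who could read the meeting content in each model.
type Result struct {
	WireLeaksPlaintext bool   // did the bytes on the network contain the plaintext?
	ServerSaw          string // plaintext the relay server could recover ("" if none)
	Received           string // plaintext the recipient recovered
}

// TransportEncryption models the hop-by-hop scheme: each client shares a key
// with the server, so the server decrypts Alice's content and re-encrypts it
// for Bob. The network sees only ciphertext, but the server sees everything.
func TransportEncryption(msg string) Result {
	aliceKey, bobKey := newKey(), newKey() // per-client keys, both held by the server

	hop1 := seal(aliceKey, []byte(msg)) // Alice -> server
	pt, ok := open(aliceKey, hop1)      // server decrypts
	if !ok {
		panic("server should hold Alice's transport key")
	}
	hop2 := seal(bobKey, pt)      // server -> Bob
	out, ok := open(bobKey, hop2) // Bob decrypts
	if !ok {
		panic("Bob should hold his transport key")
	}
	return Result{
		WireLeaksPlaintext: bytes.Contains(hop1, []byte(msg)) || bytes.Contains(hop2, []byte(msg)),
		ServerSaw:          string(pt),
		Received:           string(out),
	}
}

// EndToEndEncryption models true E2E: the meeting key exists only on the
// participants' devices (pre-shared here), so the server forwards ciphertext
// it cannot open, even though it still holds its own transport keys.
func EndToEndEncryption(msg string) Result {
	meetingKey := newKey() // known to Alice and Bob only
	serverKey := newKey()  // what the server holds; it is not the meeting key

	ct := seal(meetingKey, []byte(msg)) // Alice -> server -> Bob, unchanged in transit
	serverSaw := ""
	if pt, ok := open(serverKey, ct); ok { // server tries with the key it has
		serverSaw = string(pt)
	}
	out, ok := open(meetingKey, ct) // Bob decrypts with the meeting key
	if !ok {
		panic("Bob should hold the meeting key")
	}
	return Result{
		WireLeaksPlaintext: bytes.Contains(ct, []byte(msg)),
		ServerSaw:          serverSaw,
		Received:           string(out),
	}
}

func main() {
	msg := "Q3 revenue is down 12%" // constructed sample meeting content
	fmt.Printf("transport:  %+v\n", TransportEncryption(msg))
	fmt.Printf("end-to-end: %+v\n", EndToEndEncryption(msg))
}
```

Running it prints both results: in the transport model the server recovers the plaintext, in the end-to-end model it cannot, and in neither case does the plaintext appear on the wire. That is the whole difference the lawsuit turns on: transport encryption stops an eavesdropper on the network, while end-to-end encryption also stops the operator of the service.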
The company published a blog post in early April to apologise and clear up the confusion.
"While we never intended to deceive any of our customers, we recognise that there is a discrepancy between the commonly accepted definition of end-to-end encryption, and how we were using it," Zoom's Chief Product Officer, Oded Gal, said at the time.
After further scrutiny, Zoom confirmed it would roll out end-to-end encryption, but only for paid users.
When these plans met even greater criticism, the company changed course and said it would provide end-to-end encryption to both paid and free users, provided free users supply an extra piece of identifying information, such as verifying a phone number by text message.
The new lawsuit alleges the company misled users by claiming it had end-to-end encryption from the start.
The lawsuit also alleges that by continuing not to implement end-to-end encryption, the company put its users at greater risk, noting that some of their data and conversations were routed through servers in China.
The company admitted that it ‘mistakenly’ allowed calls to go through China.
That issue, the company's connection to China, has also drawn scrutiny from US Senators this summer. Senators Richard Blumenthal (D-Conn.) and Josh Hawley (R-Mo.) asked the US Department of Justice in June to look into the app's ties to China. Earlier this month, in an effort to reduce those ties, Zoom announced that it would stop direct sales to customers in China from Aug. 23.
Responding to this week's lawsuit, Zoom said it was still working on 'fine-tuning' end-to-end encryption on the service.
"We take privacy and security extremely seriously and are committed to continuous enhancements, including the timely beta testing and implementation of end-to-end encryption," a spokesman explained.
California Consumer Privacy Act
The case is the latest of several lawsuits against Zoom. Others allege violations of the California Consumer Privacy Act, and concern so-called "zoom-bombings", in which uninvited participants hijack Zoom meetings using leaked or guessed meeting IDs. Another suit alleges that Zoom made it easier for social media companies such as LinkedIn and Facebook to mine users' data.
The case is still pending. In addition to a court order prohibiting Zoom from misrepresenting the level of security it offers, the suit seeks financial damages.
The CPPA allows statutory damages of $1,500 per violation. Although that would apply only to non-business uses of Zoom, it could still add up to a sizable sum given the app's widespread use of late.