Zoom has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and gave user data to Facebook and Google without the consent of users. The settlement between Zoom and the filers of a class-action lawsuit also covers security problems that led to rampant “Zoombombings.”
The proposed settlement would generally give Zoom users $15 or $25 each and was filed Saturday at US District Court for the Northern District of California. It came nine months after Zoom agreed to security improvements and a “prohibition on privacy and security misrepresentations” in a settlement with the Federal Trade Commission, but the FTC settlement didn’t include compensation for users.
As we wrote in November, the FTC said that Zoom claimed it offers end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guides, in a January 2019 white paper, in an April 2017 blog post, and in direct responses to inquiries from customers and potential customers. In reality, “Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom’s ‘Connecter’ product (which are hosted on a customer’s own servers), because Zoom’s servers—including some located in China—maintain the cryptographic keys that would allow Zoom to access the content of its customers’ Zoom Meetings,” the FTC said. In real end-to-end encryption, only the users themselves have access to the keys needed to decrypt content.
The new class-action settlement applies to Zoom users nationwide, regardless of whether they used Zoom for free or paid for an account. If the settlement is approved by the court, “class members who paid for an account will be eligible to receive 15 percent of the money they paid to Zoom for their core Zoom Meetings subscription during that time [March 30, 2016, to July 30, 2021] or $25, whichever is greater,” the settlement said. “Class members who are not eligible to submit a Paid Subscription Claim may make a claim for $15. These amounts may be adjusted, pro rata, up or down, depending on claim volume, the amount of any fee and expense award, service payments to class representatives, taxes and tax expenses, and settlement administration expenses.”
The class lawyers would get attorneys’ fees of up to 25 percent of the $85 million and up to $200,000 for reimbursement of expenses. About a dozen named plaintiffs are seeking approval of payments of $5,000 each. A hearing on the plaintiffs’ motion for preliminary approval of the settlement is scheduled for October 21, 2021.
In addition to payments, Zoom “agreed to over a dozen major changes to its practices, designed to improve meeting security, bolster privacy disclosures, and safeguard consumer data,” the settlement said.
With the pandemic boosting its videoconferencing business, Zoom more than quadrupled its annual revenue from $622.7 million to $2.7 billion in the 12 months ending January 31, 2021. Zoom also reported $672 million in net income for the 12-month period, up from $25.3 million the previous year. Zoom is on pace for even better results this year, having reported Q1 (February-April) revenue of $956.2 million and net income of $227.5 million.
Zoom can’t redefine end-to-end encryption
An amended class-action complaint filed in May 2021 said that, despite Zoom’s false promises of end-to-end (E2E) encryption, “the encryption keys for each meeting are generated by Zoom’s servers, not by the client devices.”
It continued:
The connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between a web browser and a website is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. In a Zoom meeting utilizing this encryption technology, the video and audio content will stay private from anyone spying on Wi-Fi, but will not stay private from the company or, presumably, anyone with whom the company shares its access voluntarily, by compulsion of law (e.g., at the request of law enforcement), or involuntarily (e.g., a hacker who can infiltrate the company’s systems). With true E2E encryption, the encryption keys are generated by the client (customer) devices, and only the participants in the meeting have the ability to decrypt it.
Zoom’s website claimed that its service lets a host “[s]ecure a meeting with end-to-end encryption” and that “Zoom’s solution and security architecture provides end-to-end encryption and meeting access controls so data in transit cannot be intercepted,” according to the complaint. But Zoom is not entitled to its own definition of end-to-end encryption, the class-action lawsuit said. “The definition of end-to-end encryption is not up for interpretation in the industry,” the complaint said. “Zoom’s misrepresentations are a stark contrast to other videoconferencing services, such as Apple’s FaceTime, which have undertaken the more challenging task of implementing true E2E encryption for a multiple party call.”
Zoom’s failure to provide end-to-end encryption was reported by The Intercept in March 2020. Zoom’s response to that article “made it clear that Zoom both knew that it did not use the industry-accepted definition of E2E encryption and had made a conscious decision to use the term ‘end-to-end’ anyway,” the lawsuit said.
The Zoom application used to include a text box that was revealed by “hovering your cursor over the green lock at the top left corner” and said, “Zoom is using an end to end encrypted connection,” the complaint noted, adding that “Zoom has since changed this text to simply say that the session is encrypted.”
In April 2020, Zoom apologized “for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption… While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
In October 2020, Zoom announced availability of a “technical preview” of its first real end-to-end encryption offering. Zoom’s website says the offering is still in the technical preview stage “and disables several other features,” so Zoom recommends it “only for meetings where additional protection is needed.”
Giving out user data and allowing Zoombombings
Zoom users relied on the company’s promises that “Zoom does not sell users’ data” and that “Zoom takes privacy seriously and adequately protects users’ personal information,” the lawsuit said. Class members did not understand that “Zoom would collect and share [their] personal information with third parties, including Facebook and Google” and “allow third parties, like Facebook and Google, to access [their] personal information and combine it with content and information from other sources to create a unique identifier or profile of [each user] for advertising and behavior influencing purposes,” it continued.
Because Zoom implemented the Facebook SDK, user data was sent by Zoom to Facebook “regardless of whether the user has created a Zoom or Facebook account, and, even worse, before the user would have even encountered Zoom’s terms and conditions or any privacy disclosures,” the lawsuit said. Though Zoom has reportedly since “removed the Facebook SDK, Zoom continues to share similarly valuable user data with Google via Google’s Firebase Analytics SDK, also integrated into the Zoom app. Plaintiffs never granted permission for third parties to extract and use such data—indeed, they were not even aware of the data transmission.” Besides Facebook and Google, Zoom “sends personal data about their users to hotjar, Zendesk, AdRoll, Bing, and others.”
The lawsuit also said that Zoom blamed users for a rash of Zoombombings even though the problem was enabled by Zoom’s security shortcomings. Zoom could have limited meeting disruptions by unauthorized participants with “relatively simple technical solutions… for instance making it easier to allow hosts to cancel a meeting and/or eject a Zoombomber with the push of a single button, screen sharing control defaults, or implementing stronger meeting security (attendee admission) protocols such as identity verification or unique meeting passcodes,” the lawsuit said.
“As early as March 20, 2020, Zoom admitted its product had an issue with Zoombombing. Rather than change security protocols and default features, however, Zoom turned its back on its users, asserting they were to blame through their inability to properly use the program,” the complaint said.
Settlement requirements
The settlement “requires Zoom to not reintegrate the Facebook SDK for iOS into Zoom meetings for a year” and to ask Facebook to “delete any US user data obtained from the SDK.” The security and transparency changes Zoom agreed to also include the following:
- Develop and maintain, for at least three years, documented protocols and procedures for admitting third-party applications for dissemination to users through Zoom’s “Marketplace.”
- Develop and maintain a user-support ticket system for internal tracking of, and communication with users about reports of meeting disruptions.
- Develop and maintain a documented process for communication with law enforcement about meeting disruptions involving illegal content, including dedicated personnel to report serial meeting disrupters to law enforcement.
- Develop and maintain security features such as waiting rooms for attendees, the suspend meeting activities button, and blocking of users from specific countries for a minimum of three years.
Zoom would be required “to better educate users about the security features available to protect meeting security and privacy, through dedicated space on the Zoom website and banner-type notifications.” Zoom’s website will also have to include “centralized information and links for parents whose children are using school-provisioned K-12 accounts.”
After the settlement was announced, Zoom gave media outlets a statement that did not admit any wrongdoing. “The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us,” Zoom said. “We are proud of the advancements we have made to our platform, and look forward to continuing to innovate with privacy and security at the forefront.”
https://arstechnica.com/?p=1784539