Zoom – $85M for lying about encryption

Zoom to pay $85M for lying about encryption and sending data to Facebook and Google

Zoom has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and gave user data to Facebook and Google without the consent of users. The settlement between Zoom and the filers of a class-action lawsuit also covers security problems that led to rampant “Zoombombings.”

The proposed settlement would generally give Zoom users $15 or $25 each and was filed Saturday at US District Court for the Northern District of California. It came nine months after Zoom agreed to security improvements and a “prohibition on privacy and security misrepresentations” in a settlement with the Federal Trade Commission, but the FTC settlement didn’t include compensation for users.

Giving out user data and allowing Zoombombings

Zoom users relied on the company’s promises that “Zoom does not sell users’ data” and that “Zoom takes privacy seriously and adequately protects users’ personal information,” the lawsuit said. Class members did not understand that “Zoom would collect and share [their] personal information with third parties, including Facebook and Google” and “allow third parties, like Facebook and Google, to access [their] personal information and combine it with content and information from other sources to create a unique identifier or profile of [each user] for advertising and behavior influencing purposes,” it continued.

Because Zoom implemented the Facebook SDK, user data was sent by Zoom to Facebook “regardless of whether the user has created a Zoom or Facebook account, and, even worse, before the user would have even encountered Zoom’s terms and conditions or any privacy disclosures,” the lawsuit said. Though Zoom has reportedly since “removed the Facebook SDK, Zoom continues to share similarly valuable user data with Google via Google’s Firebase Analytics SDK, also integrated into the Zoom app. Plaintiffs never granted permission for third parties to extract and use such data—indeed, they were not even aware of the data transmission.” Besides Facebook and Google, Zoom “sends personal data about their users to hotjar, Zendesk, AdRoll, Bing, and others.”

The lawsuit also said that Zoom blamed users for a rash of Zoombombings even though the problem was enabled by Zoom’s security shortcomings. Zoom could have limited meeting disruptions by unauthorized participants with “relatively simple technical solutions… for instance making it easier to allow hosts to cancel a meeting and/or eject a Zoombomber with the push of a single button, screen sharing control defaults, or implementing stronger meeting security (attendee admission) protocols such as identity verification or unique meeting passcodes,” the lawsuit said.

“As early as March 20, 2020, Zoom admitted its product had an issue with Zoombombing. Rather than change security protocols and default features, however, Zoom turned its back on its users, asserting they were to blame through their inability to properly use the program,” the complaint said.

How users can apply for a chunk of $85 million

Those who can apply for a payment include, with some exceptions, people in the U.S. who registered, used, opened, or downloaded the Zoom app between March 30, 2016 and July 30, 2021.

Zoom users will apply for awards through a website called www.ZoomMeetingsClassAction.com, which Molumphy said will go live about a week after the judge’s preliminary approval of the deal. A hearing on approval is scheduled for Oct. 21.