Zoom, a video conferencing software application that has experienced explosive growth due to the social distancing measures introduced globally during the COVID-19 crisis, has had a class action lawsuit filed against it in the Northern District of California this week over allegations that users’ information was illegally collected and shared with third parties.
It is alleged that Zoom breached the California Consumer Privacy Act as it failed to create appropriate security procedures and alert account holders in relation to what private personal information the company was going to share and what entities it would be shared with. Specifically, the complaint deals with the information that was shared by Zoom with the Facebook social media platform without clear authorization from account holders.
The class action lawsuit refers to a report published by Vice which indicates that “the (Zoom) app notifies Facebook when the user opens the app, details on the user’s device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user’s device which companies can use to target a user with advertisements.”
An additional claim was registered stating that Zoom is violating the California Consumers Legal Remedies Act and California Unfair Competition Law, as Zoom “represented it was preventing unauthorized access and disclosure of users’ personal information when in fact it does not.” Lastly, it was alleged that privacy was breached in violation of Art. 1, § 1 of the California Constitution by not providing account holders with clear and informed consent prior to sharing personal information with third parties.
What is Zoombombing?
Zoom has proven an extremely popular medium of communication for business and personal use since the introduction of social distancing around the globe. There has been a massive rise in traffic during recent weeks and the app has been downloaded more than 50 million times from the Google Play store alone. The value of the company has also exploded upwards, jumping from $16bn to $42bn.
Zoombombing is a new attack technique where individuals gatecrash private Zoom meetings. It is possible, in part, because users do not implement certain security settings and because the method used by Zoom to generate the random numbers for Zoom meetings is prone to brute force guessing attempts. There have been many reported cases of Zoom bombing attacks where strangers join Zoom meetings/chat sessions and cause disorder, shout hate speech, and display pornographic and racist images.
It was also recently revealed that Zoom does not have end-to-end encryption, even though the company states on its website that the platform is protected by end-to-end encryption.
Zoom Bombing Attacks on the Rise
In the United States, the FBI issued a warning which said: “The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language.”
Zoom issued a statement on its corporate website addressing the concerns of account holders and attempted to reassure people that it is implementing new security measures as it deals with unexpected and rapid growth and millions of new users.
The statement reads: “We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations.”
The blog post goes on to refer to some of the steps that Zoom has taken to address privacy and security shortfalls, including additional training, tackling Zoom bombing by showing users how to use security features to prevent it, stopping automatic information sharing with Facebook, and improving transparency.