Zoom recently agreed to pay $85 million to settle claims that the company misrepresented its end-to-end encryption on video calls. According to the claim, the company shared user data with other entities, including Facebook and Google, without users’ consent. The settlement intends to resolve a class-action alleging Zoom violated privacy standards, leading to infamous “Zoombombings.”
History of the Claims Against Zoom
In the lawsuit, In re: Zoom Video Communications Privacy Litigation, plaintiffs originally made nine claims touching on three separate issues. The plaintiffs’ complaint included claims that Zoom shared personally identifiable information (PII) with third parties without plaintiffs’ permission. This allegedly made it possible for third parties to identify and track users’ behavior on various platforms.
The plaintiffs also alleged that Zoom misrepresented the platform’s security features. As such, users believed the service was more secure than it really was. Finally, plaintiffs claimed that Zoom failed to warn users about, or to prevent instances of, “Zoombombing.” This phenomenon involves people joining Zoom meetings without authorization for the purpose of causing disruption.
The court granted Zoom’s motion to dismiss all nine claims in part and denied it in part. It found that “Zoom’s failure to edit or block user-generated content is the very activity Congress sought to immunize” under Section 230 of the Communications Decency Act. The court also found the plaintiffs inadequately demonstrated their own PII was among the information Zoom shared with third parties.
However, the court allowed the claims sounding in breach of contract, breach of implied contract, and quasi-contract to proceed. Additionally, the court permitted the Zoombombing-related claims to proceed as long as they did not “challenge the harmfulness of content provided by another” or “derive from Zoom’s status as a publisher or speaker of that content.”
Terms of the Settlement in the Zoom Lawsuit
The proposed settlement seeks to resolve the lawsuit by offering a total of $85 million to settle the remaining claims. If the court approves the settlement, “class members who paid for an account will be eligible to receive 15% of the money they paid to Zoom for their core Zoom Meetings subscription [between March 30, 2016 and July 30, 2021] or $25, whichever is greater.” Those class members who did not have a paid account may submit a claim for $15.
The amounts may be adjusted. The amount depends on how many class members opt in, the size of fee and expense awards, and other factors. The proposed settlement also includes proposed amounts for attorneys’ fees. The settlement includes larger amounts for approximately a dozen named plaintiffs.
Zoom also agrees, under the proposed settlement, to “over a dozen major changes to its practices, designed to improve meeting security, bolster privacy disclosures, and safeguard consumer data.”
What to Expect Going Forward
Despite the disruption caused by this case, Zoom is unlikely to disappear from common use anytime soon. Between January 2020 and January 2021, Zoom’s annual revenue quadrupled. Zoom’s Q1 2021 reports indicated it may beat its previous records, as the pandemic pushes users toward video conferencing options.
Zoom is not the first company to face lawsuits regarding alleged security issues. Other companies faced allegations that they misrepresented security protocols in ways that engendered inappropriate faith in a platform’s security. Within the Zoom case, the complaint alleged Zoom attempted to redefine “end to end encryption” in a way that encompassed its own methods. In actuality, the term has a specific meaning in cybersecurity that does not include methods like those Zoom actually used.
In April 2020, Zoom issued an apology “for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of end-to-end encryption.” Zoom denied any intent to deceive users. However, the company acknowledged “that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
A settlement won’t bring the issue of end-to-end encryption before the court. Nevertheless, questions regarding what constitutes end-to-end encryption are likely to appear in future lawsuits regarding platform privacy. Questions in these lawsuits will likely continue particularly as the “platform economy” continues to proliferate. Experts in cybersecurity, platform architecture, and related fields may see their skills and expertise in demand as these cases continue.