Zoom has quickly become a household name as modern life has turned to virtual arrangements. But the company’s rapid rise has also uncovered major security flaws within the software itself. Zoom now faces at least four class action lawsuits filed on behalf of California users citing violations of the California Consumer Privacy Act (CCPA). The company also faces a shareholder class action alleging it misrepresented the product’s security issues.
Failure to Disclose Data Sharing
In late March, it was discovered that Zoom was sharing user data with Facebook through its iOS app, even if the user did not have a Facebook account. While sharing user analytics across platforms is not uncommon, Zoom failed to disclose this practice in its privacy policy. Upon this revelation, Zoom quickly removed this data-sharing feature, but legal action soon followed.
Violations of Consumer Privacy Rights
The first legal response to Zoom’s questionable data practices was from New York’s Attorney General Letitia James. James sent a letter to Zoom on March 30, 2020, inquiring how the company was increasing its security efforts amidst growing traffic and reliance from various key industries.
Later that day on the opposite coast, the first case against Zoom was filed in the Northern District Court of California. The official complaint on behalf of a Sacramento user alleges Zoom violated the California Consumer Privacy Act, which officially went into effect on January 1, 2020. The complaint cites CCPA language which protects individuals’ data from, “unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.”
Just a day later, a second class action lawsuit was filed in the Northern District Court of California citing similar data-sharing complaints. The suit further outlines the misleading nature of Zoom’s marketing materials, which claim, “end-to-end encryption for all meetings” while the company was routinely sharing personally identifiable information (PII) with unauthorized third parties, such as Facebook.
“Zoombombings” & Webcam Vulnerability
A third class action lawsuit was filed against Zoom on April 3, 2020 in the Central District Court of California. The suit echoes the PII-sharing complaints of the two previous filings but also outlines the hacking vulnerabilities within the platform.
Zoom has become a target for hackers who have circulated unprotected meeting IDs and account information in order to coordinate “zoombombings.” The term “zoombombing” has been coined to describe uninvited guests joining Zoom meetings with stolen meeting IDs. These disruptive—and often offensive, crude, or hate-filled—meeting interjections have targeted government, educational, and cultural groups using the Zoom platform. The suit also explains possible webcam vulnerabilities that allows hackers to access a user’s camera. Zoom attempted to patch this issue by introducing a setting allowing a user’s webcam to be turned off automatically when joining a new meeting. However, the suit states, “Zoom cannot expect users to uniformly adapt to this setting, and millions of webcams are vulnerable to attack.”
Inflated Prices and False Advertising
The fourth class action filing came on behalf of a Zoom shareholder. The complaint alleges the plaintiff acquired Zoom securities at “artificially inflated prices” due to Zoom’s sudden explosion of popularity amidst the public health crisis. The complaint further outlines the “materially false” and misleading nature of Zoom’s security documentation provided to shareholders. As the falsehoods of Zoom’s encryption status were revealed, stock prices suffered and “[damaged] investors.”
The fifth, and most recent, class action suit filed on April 13, 2020, is on behalf of another California user and names Facebook and LinkedIn alongside Zoom as defendants. The complaint outlines an additional security vulnerability within the platform that allowed the mining of users’ LinkedIn data without their knowledge, in addition to undocumented PII-sharing with Facebook. This, the suit states, was used by the defendants to, “amass increasingly detailed profiles on Zoom users,” for advertising and financial gain.
MDLs Moving Forward
As these class action lawsuits pick up steam in pre-trial preparations, a number of expert witnesses will be indispensable for supporting case theory. Here are the expert disciplines we anticipate to be called upon:
Software Engineering Expert: a software engineer will be a critical expert for establishing an understanding of the technical flaws within the Zoom product. A software engineer can explain the security holes on the backend of the platform and where vulnerabilities existed for hackers and other unauthorized data-sharing.
Computer Security Expert: a computer security expert can offer specialized knowledge into the best practices for companies in diagnosing vulnerabilities in their software products. This expert can also speak to where Zoom failed in repairing security practices.
Technology Executive: a technology company executive can provide expertise on internal processes for tech organizations handling data breaches or other security issues. An executive from a Zoom competitor would be especially valuable for establishing where Zoom lapsed in their backend maintenance and promised protections for their users.
Data Encryption Expert: a data encryption expert should be retained to speak to Zoom’s marketing claims of “end-to-end encryption for all meetings” versus the data encryption the company actually employed. It will be important for the expert to be an effective teacher while explaining the immensely technical processes of data security and developing ciphertext.
CCPA Compliance Expert: a CCPA compliance expert will be important to establish whether Zoom’s security issues violated the California Consumer Privacy Act. Each lawsuit claims CCPA infringement and this expert will be valuable for expert interpretation of a relatively new law.
