On June 30, 2020, the Court selected our firm for a leadership role in representing consumers in this class action. Our case—filed on April 27, 2020—is one of about a dozen proposed class actions filed against Zoom, all alleging that Zoom failed to disclose various security and privacy flaws. The Court consolidated all of the cases and then invited the lawyers to apply to represent the proposed class of Zoom users. In its Order appointing lead counsel, the Court recognized Gibbs Law Group’s “experience as lead counsel in In re Adobe Systems, Inc. Privacy Litigation, and other significant data privacy cases.” We will now work with the other firms on the Plaintiffs’ Steering Committee to file a consolidated complaint and move the litigation forward on behalf of consumers.
Our original complaint alleged numerous security and privacy flaws and vulnerabilities, including:
- advertising end-to-end, 256-bit encryption, but failing to provide it;
- not disclosing a vulnerability in the waiting room feature that allowed users in the waiting room to view the meeting;
- vulnerabilities in Zoom apps for Mac and Cisco that could allow bad actors to access users’ cameras and video feeds;
- unauthorized disclosure of data to Facebook from the Zoom iOS app.
Read the class action lawsuit we filed here: Zoom Class Action Complaint
Washington Post: Thousands of Zoom Videos Exposed Online
Per a report by the Washington Post, thousands of personal Zoom videos are publicly viewable on the open web. Videos viewed by the Washington Post included one-on-one therapy sessions, a training orientation for workers doing telehealth calls that included people’s names and phone numbers, small business meetings discussing private company financial statements, and elementary school classes, in which children’s faces, voices, and personal details were exposed. Some videos even involved nudity, such as one in which an aesthetician taught students how to perform a Brazilian wax.
According to the Washington Post, the Zoom recordings appear to be accessible because Zoom names every video recording in an identical way, allowing bad actors to search for and identify many videos that anyone can watch. The Post article explains that Zoom’s engineers may have bypassed common security features of other video chat programs, such as requiring people to use unique file names before saving clips.
Zoom Vulnerabilities May Have Allowed Hackers to Eavesdrop on Calls
A report by cybersecurity research company Check Point Research describes how it found significant security flaws in the Zoom platform that could allow potential hackers to join a video meeting uninvited. According to a report by The Verge, each Zoom call had a randomly generated ID number between 9 and 11 digits long that was used as an address to locate and join specific calls. Per the Check Point Research report, its researchers found a way to identify valid meetings a certain percentage of the time.
Krebs article: War Dialing Tool Exposes Zoom Meeting Problems
According to an article by KrebsOnSecurity, Zoom’s attempts to block automated programs designed to uncover Zoom meeting information can be evaded. A tool created by security professionals was reportedly able to identify meeting information for approximately 100 Zoom meetings every hour. Running the program in parallel multiple times could probably identify “most of the open Zoom meetings on any given day,” according to the article. The information revealed included the link needed to join each meeting, the date and time of the meeting, the name of the meeting organizer, and any information supplied by the meeting organizer about the topic of the meeting.
Citizen Lab: Zoom’s Waiting Room Has Not Been Secure
Zoom waiting rooms are supposed to be “a virtual staging area that prevents people from joining a meeting until the host is ready.” Meeting hosts must “admit” all users to the meeting before they gain access to the video chat. But according to Citizen Lab, Zoom’s waiting rooms were vulnerable to a security flaw that could allow a user in the waiting room to view the video feed for the meeting, without ever being admitted to the meeting.
The Intercept: “Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing”
Prior to April 2020, Zoom advertised prominently that its meetings were secured with end-to-end encryption. In reality, according to a report by The Intercept, Zoom’s technology is not able to support end-to-end encryption for video and audio content, as the term is commonly understood in the industry.
According to the article, for a Zoom meeting to meet the common definition of end-to-end encryption, “the video and audio content would need to be encrypted in such a way that only the participants in the meeting have the ability to decrypt it.” In reality, Zoom itself has access to the keys required to decrypt the meeting.
On April 1, 2020, Zoom’s chief product officer Oded Gal admitted that the company had misrepresented the level of encryption in its product, saying “we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.” He also added that he recognized “there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
FBI warns against "Zoombombing"
As millions have turned to Zoom’s teleconferencing features while social distancing for coronavirus, the FBI has warned against “Zoombombing,” a phenomenon in which strangers hijack private conferences and send a flood of obscene or hateful images and messages. These attacks are allegedly coordinated on online forums and have targeted meetings for schools, workplaces, and community organizers.
The New York Times reported that it found over a hundred Instagram accounts, dozens of Twitter accounts, and several active message boards on Reddit and 4Chan where thousands of people had gathered to organize Zoom harassment campaigns, including by sharing meeting passwords and plans to coordinate hijacking meetings.
In fact, a probe by Connecticut’s attorney general was prompted by the zoombombing of a teleconference forum about the Census.
Zoom increasingly banned in wake of government probes
According to the Wall Street Journal, at least 27 state attorneys general have raised questions about privacy issues in Zoom. On April 3, 2020, 19 members of the U.S. House sent Zoom a letter requesting detailed information on how Zoom protects consumer privacy.
And according to ZDNet, businesses and governments, including Google, Tesla, SpaceX, the New York City Department of Education, and the Taiwanese, Australian, and German governments, have all banned members from using Zoom.
Our Firm's Winning Data Breach and Privacy Expertise
Gibbs Law Group is a leader in emerging litigation involving consumer privacy and data security. Our data breach and privacy team has achieved groundbreaking reforms and recovered hundreds of millions of dollars for plaintiffs in cutting-edge, high-profile cases, including lawsuits against Equifax, Anthem, Adobe, VIZIO, Lenovo, and Banner Health. Our attorneys helped negotiate record-breaking settlements, including the $1.5 billion Equifax Data Breach settlement and the $115 million Anthem Data Breach settlement. We secured a $17 million settlement in the VIZIO smart TV class action lawsuit that forced VIZIO to delete all of the data it wrongfully collected. We continue pursuing cutting-edge privacy issues in our litigation, including a case against facial-recognition company Clearview AI.
Eric Gibbs co-founded the American Association for Justice’s Data Breach and Privacy Litigation Group and has been recognized with numerous accolades for his privacy work, including a California Lawyer Attorney of the Year (CLAY) award for the Anthem Data Breach Lawsuit settlement. He has also been named a “Top Plaintiff Lawyer in California” by the Daily Journal and a “Cybersecurity and Privacy MVP” and “Consumer Protection MVP” by Law360. In addition, Gibbs Law Group partners Andre Mura and David Berger have been recognized for their data breach and privacy expertise. Andre Mura was honored as one of the Top Cybersecurity/Privacy Attorneys Under 40 by Law360, and David Berger is the current chair of the American Association for Justice’s Data Breach and Privacy Litigation Group, contributes to a data privacy think tank, and consults with state and federal legislators on data breach and privacy issues.