On April 27, 2020, our attorneys filed a class action lawsuit against Zoom alleging that Zoom failed to disclose security and privacy flaws. We allege that these failings have jeopardized Zoom users’ privacy.
Zoom has rapidly grown in popularity due to the COVID-19 shelter-in-place orders across much of the country. Because of the very nature of Zoom meetings, users expect meetings to be private—they expect that their communications will only be heard and seen by other participants in the meeting. Zoom itself has long promised to protect the privacy and security of users’ meetings, as described in our lawsuit.
Our lawsuit alleges numerous security and privacy flaws and vulnerabilities, including:
- advertising end-to-end, 256-bit encryption, but failing to provide it;
- not disclosing a vulnerability in the waiting room feature that allowed users in the waiting room to view the meeting;
- vulnerabilities in Zoom apps for Mac and Cisco that could allow bad actors to access users’ cameras and video feeds;
- unauthorized disclosure of data to Facebook from the Zoom iOS app.
Read the class action lawsuit we filed here: Zoom Class Action Complaint
Is Zoom failing to protect your data?
If you’re a Zoom subscriber, you may have a claim. Get a free and confidential consultation.
Washington Post: Thousands of Zoom Videos Exposed Online
Per a report by the Washington Post, thousands of personal Zoom videos are publicly viewable on the open web. Videos viewed by the Washington Post included one-on-one therapy sessions, a training orientation for workers doing telehealth calls that included people’s names and phone numbers, small business meetings discussing private company financial statements, and elementary school classes, in which children’s faces, voices, and personal details were exposed. Some videos even involved nudity, such as one in which an aesthetician taught students how to perform a Brazilian wax.
According to the Washington Post, the Zoom recordings appear to be accessible because Zoom names every video recording in an identical way, allowing bad actors to search for and identify many videos that anyone can watch. The Post article explains that Zoom’s engineers may have bypassed common security features of other video chat programs, such as requiring people to use unique file names before saving clips.
Zoom Vulnerabilities May Have Allowed Hackers to Eavesdrop on Calls
A report by cybersecurity research company Check Point Research describes how it found significant security flaws in the Zoom platform that could allow potential hackers to join a video meeting uninvited. According to a report by The Verge, each Zoom call had a randomly generated ID number between 9 and 11 digits long that was used as an address to locate and join specific calls. Per the Check Point Research report, its researchers found a way to identify valid meetings a certain percentage of the time.
Krebs article: War Dialing Tool Exposes Zoom Meeting Problems
According to an article by KrebsOnSecurity, Zoom’s attempts to block automated programs designed to uncover Zoom meeting information can be evaded. A tool created by security professionals was reportedly able to identify meeting information for approximately 100 Zoom meetings every hour. Running the program in parallel multiple times could probably identify “most of the open Zoom meetings on any given day” according to the article. The information revealed included the link needed to join each meeting, the date and time of the meeting, the name of the meeting organizer, and any information supplied by the meeting organizer about the topic of the meeting.
Citizen Lab: Zoom’s Waiting Room Has Not Been Secure
Zoom waiting rooms are supposed to be “a virtual staging area that prevents people from joining a meeting until the host is ready.” Meeting hosts must “admit” all users to the meeting before they gain access to the video chat. But according to Citizen Lab, Zoom’s waiting rooms were vulnerable to a security flaw that could allow a user in the waiting room to view the video feed for the meeting, without ever being admitted to the meeting.
The Intercept: “Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing”
Prior to April 2020, Zoom advertised prominently that its meetings were secured with end-to-end encryption. In reality, according to a report by The Intercept, Zoom’s technology is not able to support end-to-end encryption for video and audio content, as the term is commonly understood in the industry.
According to the article, for a Zoom meeting to meet the common definition of end-to-end encryption, “the video and audio content would need to be encrypted in such a way that only the participants in the meeting have the ability to decrypt it.” In reality, Zoom itself has access to the keys required to decrypt the meeting.
On April 1, 2020, Zoom’s chief product officer Oded Gal admitted that the company had misrepresented the level of encryption in its product, saying “we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.” He also added that he recognized “there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
FBI warns against "Zoombombing"
As millions have turned to Zoom’s teleconferencing features while social distancing for coronavirus, the FBI has warned against “Zoombombing,” a phenomenon in which strangers hijack private conferences and send a flood of obscene or hateful images and messages. These attacks are allegedly coordinated on online forums and have targeted meetings for schools, workplaces, and community organizers.
A report by the New York Times found over a hundred Instagram accounts, dozens of Twitter accounts, and several active message boards on Reddit and 4Chan where thousands of people had gathered to organize Zoom harassment campaigns, including by sharing meeting passwords and plans to coordinate hijacking meetings.
In fact, a probe by Connecticut’s attorney general was prompted by the zoombombing of a teleconference forum about the Census.
Zoom increasingly banned in wake of government probes
According to the Wall Street Journal, at least 27 state attorneys general have raised questions about privacy issues in Zoom. On April 3, 2020, 19 members of the U.S. House sent Zoom a letter requesting detailed information on how Zoom protects consumer privacy.
And according to ZDNet, businesses and governments, including Google, Tesla, SpaceX, the New York City Department of Education, and the Taiwanese, Australian, and German governments, have all banned members from using Zoom.
Award Winning Privacy Lawyers
Founding partner Eric Gibbs was named a Cybersecurity & Privacy MVP and received the California Lawyer of the Year award for his work in the Anthem Data Breach case. He was also appointed lead counsel in the VIZIO smart TV case. Partner Andre Mura was named one of the Top Cybersecurity/Privacy Attorneys Under 40.
Our Privacy Lawyers
Gibbs Law Group is a California-based law firm committed to protecting the rights of clients nationwide who have been harmed by corporate misconduct. We represent individuals, whistleblowers, employees, and small businesses across the U.S. against the world’s largest corporations. Our award-winning lawyers have achieved landmark recoveries and over a billion dollars for our clients in high-stakes class action and individual cases involving consumer protection, data breach, digital privacy, and federal and California employment lawsuits. Our attorneys have received numerous honors for their work, including “Top Plaintiff Lawyers in California,” “Top Class Action Attorneys Under 40,” “Consumer Protection MVP,” “Best Lawyers in America,” and “Top Cybersecurity/Privacy Attorneys Under 40.”