Four class-action lawsuits filed against Zoom this week accuse the online meetings provider of making misleading statements about the kind of video encryption it uses.
The suits allege Zoom overstated how securely it encrypts video communications. The company made the contested claims in marketing materials and filings with the U.S. Securities and Exchange Commission.
The legal actions also fault the company for numerous other security and privacy shortcomings that media reports have brought to light over the last couple of weeks.
Two lawsuits filed by investors allege the company misled shareholders in violation of federal securities law. The alleged violations included claims in regulatory filings that its service uses "end-to-end encryption."
Two lawsuits lodged by users of the video conferencing service claim Zoom deceived customers by using the same encryption term in marketing materials. The false claim violated various California state laws, the suits said.
End-to-end encryption generally refers to a method of securing online communications that keeps content encrypted at all points in its journey between endpoints. The technique gives users sole control over the keys used to unlock the data.
In contrast, Zoom, like most online meeting providers, has access to video encryption keys by default. Also, it decrypts video content to support third-party devices and provide premium services like transcription.
A report in The Intercept raised questions about Zoom's use of the term end-to-end encryption last week. Shortly after that, Zoom apologized for "incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption."
"While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it," Oded Gal, Zoom's chief product officer, wrote in a blog post.
Users value end-to-end encryption because it prevents software vendors from giving law enforcement agencies access to their data. It also safeguards against rogue employees snooping on communications.
Zoom is in the process of preparing a transparency report explaining how it has handled "requests for data, records or content" from government agencies. However, the company said it has never built a way to decrypt meetings in real time for "intercept purposes."
Zoom's legal troubles expand
Zoom is also taking heat from some members of Congress over its claims to be end-to-end encrypted. U.S. Sens. Sherrod Brown (D-OH) and Richard Blumenthal (D-CT) have asked the Federal Trade Commission (FTC) to investigate the company's privacy and security practices.
An FTC spokeswoman declined to comment on Zoom specifically but said the commission shared concerns about ensuring the privacy and security of video conferencing platforms. "The FTC will use its enforcement, education, and policymaking authority to promote privacy and security in this space," she said in a statement.
Zoom was already facing two other class-action lawsuits before this week. Those suits, filed on March 30 and March 31, accuse Zoom of failing to disclose to customers that the Zoom iOS app shared information about their devices with Facebook. Zoom released an update that stops the data-sharing.
The complaints lodged this week also raise the Facebook issue and other allegedly deficient security practices of Zoom. The company declined to comment on pending litigation.
All six suits are awaiting judicial approval to proceed as class actions, which would let a large group of people benefit from any settlement. Four seek to help users, while two would generate a payout for current and former shareholders.
Zoom faces heightened scrutiny amid pandemic
Zoom skyrocketed in popularity virtually overnight as the coronavirus pandemic forced people worldwide to work and socialize remotely. The company went from 10 million daily meeting participants in December to 200 million in March.
The spike in users prompted new scrutiny of Zoom's security and privacy practices, including by multiple state attorneys general. Some users have already abandoned Zoom over the issue.
Nathan Dautenhahn, an assistant professor of computer science at Rice University, stopped hosting Zoom meetings after the company came under fire last summer for insecurely installing a web server on Mac devices.
"It does reduce my trust in the company that they are willing to make decisions that prioritize ease of use and exchange security," Dautenhahn said. He now uses Google Hangouts Meet.
But other users are standing by the company. Tim Crawford, a former chief information officer and founder of the consulting firm AVOA, said he was confident Zoom would fix its problems.
"I don't think it's black and white, that you either are secure or you're not," Crawford said. "It's how you react to problems that really matters."
Zoom responds to security concerns
Zoom has placed new features on hold for 90 days to devote engineering resources to beefing up security and privacy. The company also recently formed a new advisory council composed of security executives from major corporate brands.
One of Zoom's highest priorities was to change its default settings to prevent "Zoombombing," a term for when uninvited guests join and disrupt meetings. Sessions are now password-protected by default and require the use of a "waiting room," which lets hosts decide whom to allow into a meeting.
On Wednesday, Zoom added a "security" icon to the toolbar of its video interface. The button is a shortcut that lets hosts change meeting settings. For example, the host could use the tool to remove participants or prevent them from sharing their screens.
Zoom is also working on improving encryption. In a webinar on Wednesday, Zoom CEO Eric Yuan said the company planned to upgrade to a more secure encryption protocol. He also said it would develop ways to give users control over encryption keys.