Zoom is being sued for breach of contract and privacy violations in a new class action by a Saint Paulus church group in San Francisco, which claims that its bible class was ‘Zoombombed’ by a “known offender” who shared deeply disturbing pornographic video footage.
The bible class was Zoombombed “twice within minutes” and, Saint Paulus claims, Zoom did nothing to help rectify the situation.
The class action claims damages for unlawful sharing of users’ personal information with third parties, including Facebook, without adequate notice to users and a failure to safeguard users’ confidential, sensitive, personal information.
Zoom has almost overnight become what we described in one recent piece of analysis “the darling of a quarantined world, with all the challenges that entails.”
The security flaws and criticisms that have emerged over the past weeks range from the fact that Zoom’s encryption is not end to end, as it initially claimed; to the fact that its default settings mean meetings have a generic ID that can easily be discovered and ‘Zoombombed’ by anyone ranging from bad actors to people uploading pornography; to the fact that it allegedly passed on data to third parties such as Facebook without notifying users (leading to a class action); to fears that Zoom’s corporate structure and the presence of hundreds of developers in China means that calls could be vulnerable to Chinese surveillance.
On 23 April Zoom released Zoom 5.0, which includes better encryption and new privacy controls as part of its 90-day plan to raise security standards. The new version allows hosts to report suspect users and introduces a waiting room, meaning that participants have to be let into the meeting. All meetings now need a password.
Zoom 5.0 will now use the AES 256-bit GCM encryption standard, which while still not end to end, is a significant improvement. Zoom is also giving account managers the ability to control which data regions it avoids.
It is too early to say whether Zoom 5.0 will reverse the damage to date but at the point of writing, many big US corporates have banned their employees from using Zoom. Reuters reports that that SpaceX staff members have been told to use email, text, or phone calls instead of Zoom. Reuters also reports that NASA, one of SpaceX’s biggest customers, has prohibited its employees from using Zoom, and BuzzFeed news reports that Google has banned Zoom from its employees’ devices. According to Bloomberg, Daimler AG, Ericsson AB, NXP Semiconductors NV and Bank of America Corp are among the wave of companies forbidding or warning employees against using Zoom. Law firms to ban Zoom include Mishcon de Reya.
A spokesperson for Zoom said: “Zoom has layered safeguards, robust cybersecurity protection, and internal controls in place to prevent unauthorized access to data, including by Zoom employees. All Zoom source code is stored and versioned in the United States. Zoom’s software developers in China are largely managed by our engineering team in the United States and they carry out their responsibilities in accordance with the design and architecture decisions made by Zoom’s U.S. Engineering group. These developers in China do not have any access to Zoom’s production environment, the power or access to make substantive changes to our platform or the means to access any meeting content. And, importantly, across all of Zoom engineering, regardless of location, our engineers only have access to the source code required for their particular function.”
You can read our in-depth analysis of the rise and security risks around Zoom here: https://www.legaltechnology.com/to-zoom-or-not-to-zoom-that-really-is-the-question/