Zoom has agreed to pay $85m to settle a class-action lawsuit that alleged the videoconferencing company made misleading claims about its encryption, “improperly” shared user data with third parties such as Facebook and failed to protect users from so-called “zoombombings”.
It is the culmination of a nine-month-long settlement negotiation after 14 class-action lawsuits filed against Zoom between March and May 2020 were consolidated into one case on 30 June 2020.
The preliminary settlement, filed on 31 July 2021 with the Northern District of California court, will not see Zoom admit to any wrongdoing.
If accepted, it means anyone in the US who “registered, used, opened or downloaded” Zoom between 30 March 2016 and 30 July 2021 can claim 15% of their subscription fee or $25, whichever is greater. Those who did not use the paid version of Zoom can claim $15.
There are exceptions: those who used Zoom through an enterprise or government account are not eligible.
The complaints mounted against Zoom after it soared in popularity during the pandemic, ballooning from 10 million daily meeting participants in December 2019 to 200 million in March 2020. As it became a vital communication tool in the workplace, academia and friendship groups during lockdowns, the additional scrutiny brought backlash from privacy and security advocates.
First, Zoom’s meeting URLs were too short, which meant it wasn’t difficult for trolls and pranksters to guess the numbers and join a random call. Combine that with screensharing being permitted for all participants and you get zoombombing, where a person hijacks the meeting with content of their choosing. Sometimes this took a dark turn, with meeting participants being shown grotesque content ranging from violent videos to pornography.
On 26 March, analysis by Motherboard found that the Zoom iOS app sent some analytics data to Facebook, such as IP address, device time zone and mobile carrier. The software development kit that allowed users to log in to Zoom with Facebook meant that Zoom was sending this analytics data to the social media giant even if the user did not have a Facebook account.
Then, on 31 March, a report by The Intercept revealed how Zoom’s marketing had been using its own, unconventional definition of end-to-end encryption – one that meant its encryption had “significant weaknesses”.
Zoom’s approach meant that while someone intercepting a person’s Wi-Fi would be unable to view the contents of a meeting, Zoom could – in theory – access video and audio content of Zoom meetings where a participant wasn’t using a Zoom client, such as dialling in with a phone. For its part, Zoom said at the time that it did not directly access or sell that data and it has since added full end-to-end encryption to its service.
In response to the quickfire barrage of privacy criticisms, Zoom quickly accepted that it had fallen short on security and apologised. It then set about rectifying the problems under a 90-day plan during which it paused new product updates to focus solely on security.
While this honest approach won some plaudits from cybersecurity professionals at the time, the class-action lawsuit means Zoom will still end up paying the price for its oversight.
In a statement, Zoom said: “The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us. We are proud of the advancements we have made to our platform, and look forward to continuing to innovate with privacy and security at the forefront.”
Per the document, it’s expected that between 1% and 5% of paying subscribers and between 1% and 2% of non-paying users will claim from the $85m settlement pot.
The plaintiffs have also applied for Zoom to pay their legal fees, which would add a further $21.25m to Zoom’s bill.
Zoom may see the settlement as the cost of hypergrowth – the company brought in revenues of $2.65bn in 2020, compared to $622.7m in 2019.
Under the terms of the settlement Zoom will also be required to not reintegrate with Facebook’s software development kit for iOS for a year. Zoom will also request that Facebook “delete any US user data obtained from the SDK”.
Further, Zoom must also “develop and maintain a documented process” to share with law enforcement when meetings are disrupted with illegal content.
And finally, the company must also “better educate” users about its security features.
It is not the first time Zoom has settled accusations of privacy failures. In November 2020, the company settled with the Federal Trade Commission – on that occasion without paying a fine.