Zoom Class Action Lawsuit

Per a report by the Washington Post, thousands of personal Zoom videos are publicly viewable on the open web. Videos viewed by the Washington Post included one-on-one therapy sessions, a training orientation for workers doing telehealth calls that included people’s names and phone numbers, small business meetings discussion private company financial statements, and elementary school classes, in which children’s faces, voices, and personal details were exposed. Some videos even involved nudity, such as one in which an aesthetician taught students how to perform a Brazilian wax.

According to the Washington Post, the Zoom recordings appear to be accessible because Zoom names every video recording in an identical way, allowing bad actors to search for and identify many videos that anyone can watch. The Post article explains that Zoom’s engineers may have bypassed common security features of other video chat programs, such as requiring people to use unique file names before saving clips.

A report by cybersecurity research company Check Point Research describes how it found significant security flaws in the Zoom platform that could allow potential hackers to join a video meeting uninvited. According to a report by The Verge, each Zoom call had a randomly generated ID number between 9 and 11 digits long that was used as an address to locate and join specific calls. Per the Check Point Research report, its researchers found a way to identify valid meetings a certain percentage of the time.

According to an article by KrebsOnSecurity, Zoom’s attempts to block automated programs designed to uncover Zoom meeting information can be evaded. A tool created by security professionals was reportedly able to identify meeting information for approximately 100 Zoom meetings every hour. Running the program in parallel multiple times could probably identify “most of the open Zoom meetings on any given day” according to the article. The information revealed included the link needed to join each meeting, the date and time of the meeting, the name of the meeting organizer, and any information supplied by the meeting organizer about the topic of the meeting.

Zoom waiting rooms are supposed to be “a virtual staging area that prevents people from joining a meeting until the host is ready.” Meeting hosts must “admit” all users to the meeting before they gain access to the video chat. But according to Citizen Lab, Zoom’s waiting room were vulnerable to a security flaw that could allow a user in the waiting room to view the video feed for the meeting, without ever being admitted to the meeting.

Prior to April 2020, Zoom advertised prominently that its meetings were secured with end-to-end encryption. In reality, according to a report by The Intercept, Zoom’s technology is not able to support end-to-end encryption for video and audio content, as the term is commonly understood in the industry.

According to the article, for a Zoom meeting to meet the common definition of end-to-end encryption, “the video and audio content would need to be encrypted in such a way that only the participants in the meeting have the ability to decrypt it.” In reality, Zoom itself has access to the keys required to decrypt the meeting.

On April 1, 2020, Zoom’s chief product officer Oded Gal admitted that the company had misrepresented the level of encryption in its product, saying “we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.” He also added that he recognized “there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”

As millions have turned to Zoom’s teleconferencing features while social distancing for coronavirus, the FBI has warned against “Zoombombing,” a phenomenon in which strangers hijack private conferences and send a flood of obscene or hateful images and messages. These attacks are allegedly coordinated on online forums and have targeted meetings for schools, workplaces, and community organizers.

According to a report by the New York Times, it found over a hundred Instagram accounts, dozens of Twitter accounts, and several active message boards on Reddit and 4Chan where thousands of people had gathered to organize Zoom harassment campaigns, including by sharing meeting passwords and plans to coordinate hijacking meetings.

In fact, a probe by Connecticut’s attorney general was prompted by the zoombombing of a teleconference forum about the Census.

According to the Wall Street Journal, at least 27 state attorneys general have raised questions about privacy issues in Zoom. On April 3, 2020, 19 members of the U.S. House sent Zoom a letter requesting detailed information on how Zoom protects consumer privacy.

And according to ZDNet business and governments, including Google, Tesla, SpaceX, the New York City Department of Education, and the Taiwanese, Australian, and German governments have all banned members from using Zoom.

Gibbs Law Group is a leader in emerging litigation involving consumer privacy and data security. Our data breach and privacy team has achieved groundbreaking reforms and recovered hundreds of millions of dollars for plaintiffs in cutting-edge, high-profile cases, including lawsuits against Equifax, Anthem, Adobe, VIZIO, Lenovo, and Banner Health. Our attorneys helped negotiate record-breaking settlements, including the $1.5 billion Equifax Data Breach settlement and the $115 million Anthem Data Breach settlement. We secured a $17 million settlement in the VIZIO smart TV class action lawsuit that forced VIZIO to delete all of the data it wrongfully collected. We continue pursuing cutting edge privacy issues in our litigation, including a case against facial-recognition company Clearview AI.

Eric Gibbs co-founded the American Association for Justice’s Data Breach and Privacy Litigation Group and has been recognized with numerous accolades for his privacy work, including a California Lawyer Attorney of the Year (CLAY) award for the Anthem Data Breach Lawsuit settlement, and has been named a “Top Plaintiff Lawyer in California” by the Daily Journal and a “Cybersecurity and Privacy MVP” and “Consumer Protection MVP” by Law360. In addition, Gibbs Law Group partners Andre Mura and David Berger have been recognized for their data breach and privacy expertise. Andre Mura was honored as one of the Top Cybersecurity/ Privacy Attorneys Under 40 by Law360 and David Berger is the current chair of the American Association for Justice’s Data Breach and Privacy Litigation Group, contributes to a data privacy think tank, and consults with state and federal legislators on data breach and privacy issues.