On behalf of consumers in California working at home or otherwise using video conferences, a lawsuit was filed last week in the United States District Court, Central District of California, alleging security and privacy deficiencies against Zoom, the popular video communications company. Unless you have been living under a rock, if you rely on video conferencing you are familiar with Zoom and its rapid expansion in offices and classrooms across the world dealing with coronavirus-related closures.
The plaintiffs cite several California statutes as part of the legal grounds for the lawsuit. They include deceptive practices, violation of the new California Consumer Privacy Act (CCPA), and false advertising. The class alleges as the foundation of their complaint that Zoom sold consumers' private data to Facebook and falsely advertised its encryption security.
As we continue to see, cybersecurity lawsuits use the allegation of negligence against the defendant company. The complaint states in part:
131. Plaintiff repeats and realleges the allegations set forth in the preceding paragraphs and incorporates the same as if set forth herein at length.
132. Defendant owed a duty to Plaintiff to exercise reasonable care in implementing and maintaining reliable security systems and practices to ensure the safety of Plaintiff and the user class members personal information and not disclosing this information to third parties, like Facebook, without informed consent.
133. Defendant breached its duties by, failing to implement and maintain reasonable security protections for users and by disclosing personal user information to third parties, like Facebook, without the consent of its users.
134. But for Defendant’s actions and breaches of its duties, Plaintiff and User Class member information would be secure, and third parties, like Facebook, would not have gained access to personal user information.
135. It was foreseeable that defendant’s conduct as alleged herein would harm Plaintiff and the User Class. Plaintiff knew or should have known that its inability to adequately protect user information, and sharing information with third parties, like Facebook, would cause harm to Plaintiff and the User Class.
Of particular interest to the cybersecurity professional is the argument that Zoom falsely advertised end-to-end encryption to the user when, in fact, that was not the case.
In fact, the lawsuit incorporated the above screenshot in its complaint as well as several others similar in nature.
The term ‘end-to-end encryption’ refers to a secure form of private online communication in which only the communicating users can read or send messages to each other…only the users have the “secret” private key to the lockbox. Not even the mail carrier has access to it. Zoom allegedly uses transport encryption, which allows the company that owns the network to gain access to the information.
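The distinction can be shown in a short simulation, added here as an illustration and not taken from the complaint or from Zoom's software. It assumes a hypothetical provider relay, hypothetical key names, an endpoint key the two users agreed on out of band, and an HMAC-based standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher (assumption).
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, b"ks" + block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then authenticate: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    body = _xor_stream(key, nonce, plaintext)
    return nonce + body + hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(key, nonce, body)

def relay(hop_in_key: bytes, hop_out_key: bytes, blob: bytes):
    """Hypothetical provider server: ends one transport hop, starts the next."""
    seen = unseal(hop_in_key, blob)        # everything the provider can read
    return seen, seal(hop_out_key, seen)

def send_transport_only(msg, k_alice_srv, k_srv_bob):
    seen, out = relay(k_alice_srv, k_srv_bob, seal(k_alice_srv, msg))
    return seen, unseal(k_srv_bob, out)

def send_end_to_end(msg, k_alice_bob, k_alice_srv, k_srv_bob):
    inner = seal(k_alice_bob, msg)         # key held only by the two endpoints
    seen, out = relay(k_alice_srv, k_srv_bob, seal(k_alice_srv, inner))
    return seen, unseal(k_alice_bob, unseal(k_srv_bob, out))

def demo():
    k_as, k_sb, k_ab = (secrets.token_bytes(32) for _ in range(3))
    msg = b"constructed sample: quarterly numbers"   # constructed input
    return send_transport_only(msg, k_as, k_sb), send_end_to_end(msg, k_ab, k_as, k_sb)

if __name__ == "__main__":
    (t_seen, _), (e_seen, _) = demo()
    print("transport only, provider sees:", t_seen)
    print("end to end, provider sees:   ", e_seen.hex())
```

In both modes the link to the server is encrypted, so a network eavesdropper sees ciphertext either way; the difference is only in what the relay itself recovers.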
As you may have recently seen in the news, the FBI released a warning about security in video conferencing and urged users to check their privacy settings. The plaintiffs in the lawsuit address the issue in a separate count as follows:
40. Zoom has a vulnerability that allows hackers and other websites to forcibly join a user to a Zoom video meeting without their permission.
41. Zoom has a security patch that is designed to prevent hackers from gaining access to user webcams. This security patch contains an error that allows hackers to access user webcams without their knowledge or consent. To gain access, a hacker simply needs to embed a short coding sequence into their website, and any Zoom user’s video could instantly be compromised.
42. This vulnerability affects 13 of Zoom’s applications including: RingCentral, Telus Meetings, BT Cloud Phone Meetings, Office Suite HD Meeting, AT&T Video Meetings, BizConf, Huihui, UMeeting, Zhumu, Zoom CN, EarthLink Meeting Room, Video Conferencia Telmex, & Accession Meeting.
43. Zoom’s solution to this problem is to provide users the option to have their video settings turned off when they join a new meeting. However, Zoom cannot expect users to uniformly adapt to this setting, and millions of webcams are vulnerable to attack.
The complaint is an advocacy document that argues the case against Zoom strongly, and that must be kept in mind, but it does raise some questions and issues that the consumer of any video conferencing platform should investigate themselves before using that product.