Zoom Faces More Legal Challenges Over End-to-End Encryption

Updated: Aug 14, 2020

The video-conferencing specialist has yet to roll out full encryption, but it says it’s working on it.



Video-conferencing behemoth Zoom has been hit with yet another lawsuit stemming from its claim to offer end-to-end encryption for sessions.


The suit, filed in a Washington D.C. court [PDF] this week by a nonprofit advocacy group called Consumer Watchdog, alleges that the company falsely told users that it offers full encryption.


Zoom previously said that it offered end-to-end encryption, but that marketing claim came into question after a report from The Intercept said that Zoom’s platform actually uses transport layer security (TLS) encryption, providing only encryption between individual users and the service provider’s servers instead of encrypting communication directly between the users of a session. That, in theory, would allow the service to access user data if it chose to, and would leave it open to potential eavesdropping by a determined third party.


In contrast, end-to-end encryption occurs when traffic is encrypted at the source user’s device, stays encrypted while it’s routed through servers and is decrypted only at the destination user’s device.
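To make the distinction in the two paragraphs above concrete, here is an added example (not code from the article, from The Intercept’s report or from Zoom) that models a relay server under both designs: transport-only encryption, where the server terminates the encrypted hop and therefore sees the plaintext, and end-to-end encryption, where the server only ever forwards ciphertext. The cipher is a deliberately simple SHA-256 keystream XOR, and the shared end-to-end key is assumed to already exist between the two users; both are assumptions made for illustration, not a real protocol.

```python
"""Added example: hop-by-hop transport encryption versus end-to-end encryption,
seen from the relay server's point of view. Toy cipher, illustrative only."""
import hashlib
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    It is symmetric, so applying it twice with the same key and nonce recovers
    the input. Assumption: demonstration only, not a cipher for real use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Relay:
    """The service provider's server. It records every byte string it can see
    after stripping the transport-layer protection on the incoming hop."""

    def __init__(self) -> None:
        self.observed: list[bytes] = []


def hop(relay: Relay, payload: bytes) -> bytes:
    """Carry payload from a sender to the relay and on to the receiver, with a
    separate transport key on each hop (the TLS-style model). The relay
    decrypts hop 1, observes the payload, and re-encrypts it for hop 2."""
    k1, n1 = os.urandom(32), os.urandom(12)  # sender <-> server key
    wire1 = keystream_xor(k1, n1, payload)
    at_server = keystream_xor(k1, n1, wire1)  # server terminates the hop
    relay.observed.append(at_server)
    k2, n2 = os.urandom(32), os.urandom(12)  # server <-> receiver key
    wire2 = keystream_xor(k2, n2, at_server)
    return keystream_xor(k2, n2, wire2)  # receiver's view


def transport_only_call(message: bytes, relay: Relay) -> bytes:
    """Transport encryption alone: the plaintext itself rides the hops."""
    return hop(relay, message)


def end_to_end_call(message: bytes, relay: Relay) -> bytes:
    """End-to-end: encrypt under a key only the two users hold, then let the
    transport hops wrap that inner ciphertext. Assumption: the shared key was
    agreed out of band; key agreement is outside this example."""
    k_e2e, n = os.urandom(32), os.urandom(12)
    inner = keystream_xor(k_e2e, n, message)
    inner_at_receiver = hop(relay, inner)  # server forwards ciphertext only
    return keystream_xor(k_e2e, n, inner_at_receiver)


def relay_can_read(mode: str, message: bytes = b"constructed sample: patient intake notes") -> bool:
    """Run one call in the given mode ('transport' or 'e2e') and report whether
    the relay observed the plaintext. Both modes deliver the message intact."""
    relay = Relay()
    call = transport_only_call if mode == "transport" else end_to_end_call
    delivered = call(message, relay)
    if delivered != message:
        raise RuntimeError("message corrupted in transit")
    return message in relay.observed


if __name__ == "__main__":
    print("transport-only: relay sees plaintext =", relay_can_read("transport"))
    print("end-to-end:     relay sees plaintext =", relay_can_read("e2e"))
```

The point the example makes is the one the lawsuit turns on: with TLS alone, confidentiality against the provider depends entirely on the provider’s policy, because the server must hold the plaintext to forward it, whereas under end-to-end encryption the server can relay the session without ever being able to read it. A practitioner evaluating a vendor’s “end-to-end” claim can ask the same question the `relay_can_read` check asks: does any key that decrypts the media ever exist on the vendor’s servers?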


“Zoom repeated its end-to-end encryption claims throughout its website, in white papers—including in its April 2020 HIPAA Compliance Guide—and on the user interface within the app,” the suit alleges. Thus, the court documents claim that the company violated D.C.’s Consumer Protection Procedures Act (CPPA) and “lulled consumers and businesses into a false sense of security.”


The suit is asking for an injunction against Zoom to prevent it from misrepresenting its security measures to consumers, and for statutory damages under the CPPA, which allows fines of up to $1,500 per violation. That could add up quickly, depending on the number of D.C.-area consumers the court deems were impacted.


To that point, Zoom use has lived up to the company name. In its fiscal first-quarter earnings call (held in June), executives said that platform use surged 30-fold in April, as COVID-19 lockdowns forced most people to connect with others virtually. Zoom saw a peak of 300 million daily participants in the quarter, and paying customers have more than tripled. As a result, Zoom said it expects full-year revenue to total $1.8 billion for 2020 – which, as an indicator of growth, doubles the sales projections it offered in March.


“While Zoom admittedly used a misleading term and didn’t clarify the extent of their ‘end-to-end encryption,’ this lawsuit is not really applicable to those that could benefit from it,” Mike Weber, vice president at Coalfire, told Threatpost. “Specifically, this lawsuit would only be able to seek damages in the amount of $1,500 per violation, and would only apply to non-business uses of Zoom. But who’s actually making a decision to use Zoom over other solutions due to their ‘end-to-end encryption’ that isn’t doing it for business purposes? Being in security for over 20 years, I can assure you that an overwhelming majority of decisions made by end-users to use Zoom over competing products was surely based on the features and ease-of-use of the platform, and only an exceedingly few ultra-paranoid, extremist, security zealots like myself would have even considered the level of encryption in place.”


Meanwhile, the lawsuit also alleges that Zoom routed some conferences through servers in China, thus placing users at further risk of eavesdropping and privacy violations. The Zoom-China connection has been on the radar screen of the U.S. Senate, with Senators Richard Blumenthal (D-Conn.) and Josh Hawley (R-Mo.) recently asking the Department of Justice to look into it; under that scrutiny, Zoom said that it plans to cut off sales to China starting on August 23.


Other Legal Woes


The popular videoconferencing service also faces multiple other accusations, including an earlier class-action lawsuit filed by one of its shareholders in April in the U.S. District Court for the Northern District of California. It alleges that the company made “materially false and m