Updated: Aug 14, 2020
The video-conferencing specialist has yet to roll out full encryption, but it says it’s working on it.
Video-conferencing behemoth Zoom has been hit with yet another lawsuit stemming from its claim to offer end-to-end encryption for sessions.
The suit, filed in a Washington D.C. court [PDF] this week by a nonprofit advocacy group called Consumer Watchdog, alleges that the company falsely told users that it offers full encryption.
Zoom previously said that it offered end-to-end encryption, but that marketing claim came into question after a report from The Intercept said that Zoom’s platform actually uses transport layer security (TLS) encryption, providing only encryption between individual users and service providers instead of encrypting communication directly between the users of a system. That, in theory, would allow the service to access user data if it chose to and leave it open to potential eavesdropping by a determined third-party.
In contrast, end-to-end encryption occurs when traffic is encrypted at the source user’s device, stays encrypted while its routed through servers and then is decrypted only at the destination user’s device.
“Zoom repeated its end-to-end encryption claims throughout its website, in white papers—including in its April 2020 HIPAA Compliance Guide—and on the user interface within the app,” the suit alleges. Thus, the court documents claim that the company violated D.C.’s Consumer Protection Procedures Act (CPPA) and “lulled consumers and businesses into a false sense of security.”
The suit is asking for an injunction against Zoom to prevent it from misrepresenting its security measures to consumers; and statutory damages under the CCPA, which allows fines of up to $1,500 per violation. That could add up quickly, depending on the number of D.C-area consumers the court deems were impacted.
To that point, Zoom use has lived up to the company name. In its fiscal first-quarter earnings call (held in June), executives said that platform use surged 30-fold in April, as COVID-19 lockdowns forced most people to connect with others virtually. Zoom saw a peak of 300 million daily participants in the quarter, and paying customers have more than tripled. As a result, Zoom said it expects full-year revenue to total $1.8 billion for 2020 – which, as an indicator of growth, doubles the sales projections it offered in March.
“While Zoom admittedly used a misleading term and didn’t clarify the extent of their “end-to-end encryption” this lawsuit is not really applicable to those that could benefit from it,” said Mike Weber, vice president at Coalfire, told Threatpost. “Specifically, this lawsuit would only be able to seek damages in the amount of $1,500 per violation, and would only apply to non-business uses of Zoom. But who’s actually making a decision to use Zoom over other solutions due to their “end-to-end encryption” that isn’t doing it for business purposes? Being in security for over 20 years, I can assure you that an overwhelming majority of decisions made by end-users to use Zoom over competing products was surely based on the features and ease-of-use of the platform, and only an exceedingly few ultra-paranoid, extremist, security zealots like myself would have even considered the level of encryption in place.”
Meanwhile, the lawsuit also alleges that Zoom routed some conferences through servers in China, thus placing users at further risk to eavesdropping and privacy violations. The Zoom-China connection has been on the radar screen of the U.S. Senate, with Senators Richard Blumenthal (D-Conn.) and Josh Hawley (R-Mo.) recently asking the Department of Justice to look into it; under that scrutiny, Zoom said that it plans to cut off sales to China starting on August 23.
Other Legal Woes
The popular videoconferencing service also faces multiple other accusations, including an earlier class-action lawsuit filed by one of its shareholders in April in the U.S. District Court for the Northern District of California. It alleges that the company made “materially false and misleading statements” that overstated its privacy and security measures (including encryption levels), and it claims that Zoom didn’t adequately disclose its lack of end-to-end encryption. Additionally, the suit alleges that Zoom has put users “at an increased risk of having their personal information accessed by unauthorized parties, including Facebook.”
That’s a reference to the fact that Zoom earlier this year had to kill a feature in its iOS web conferencing app that was sharing analytics data with Facebook. A Motherboard report had disclosed that the transferred information included data on when a user opened the app, a user’s time zone, device OS, device model and carrier, screen size, processor cores and disk space.
Another class action complaint was filed against the company in March, the SEC filed a suit in April, and several attorneys general have raised concerns the company, according to legal-industry media. In all, Zoom has so far been sued at least 42 times this year, with allegations running the gamut from privacy violations to breach of contract to accusations of fraud. That compares with 32 lawsuits total according to DocketAlarm, since its founding in 2011 through 2019.
“The lawsuits filed against Zoom highlight to businesses that in today’s world it’s not just other businesses that are savvy but consumers too,” Brandon Hoffman, CISO at Netenrich, told Threatpost. “Meaning, if you are making claims about privacy and security, a hot topic in today’s world, ensure not only that you are adhering to the most commonly accepted application of the technology but that the technology is actually implemented as described. The industry and the public have a lot of heartburn with security and data protection, warranted or not. Therefore, if a claim is going to be made, it should be 100-percent vetted internally to make sure the way it communicated to the world is in fact reality.”
End-to-End Encryption Progress
Amid the legal hot water, the service is pursuing the rollout of end-to-end encryption, albeit slowly.
The platform began its rollout in May, starting with the acquisition of a small startup called Keybase; the company also released a design for its end-to-end encryption plans on GitHub, but said that specifics would be to come. It also said at the time that the feature would be opt-in on paid subscriptions only – drawing fire from various security experts. The company later reversed course in its latest published update on the topic, from June, and said that it would offer optional end-to-end encryption for everyone.
That update said that beta testing would start in July.
The company has issued a short, new statement to media this week: “We take privacy and security extremely seriously and are committed to continuous enhancements, including the timely beta testing and implementation of end-to-end encryption.”
Threatpost has reached out for more details on the timing and plans for implementation.
Because video-conferencing platforms have surged as a way to connect since the beginning of the coronavirus pandemic, for both businesses and consumers – they faced greater scrutiny when it comes to security flaws and privacy holes. An open letter published in July by data protection and privacy commissioners from Australia, Canada, Hong Kong, United Kingdom and Switzerland urged Zoom and others to address any issues in a timely fashion.
“During the current pandemic we have observed some worrying reports of security flaws in [videoconferencing] products purportedly leading to unauthorized access to accounts, shared files, and calls,” read the letter.