By Joseph Marks with Tonya Riley, WASHINGTON POST
August 11, 2020
A consumer advocacy group is suing Zoom and seeking millions of dollars in damages, accusing the company of misleading its users about the strength of its encryption protections.
The nonprofit group Consumer Watchdog is also accusing the videoconferencing company of deceiving users about the extent of its links with China and the fact that some calls between people in North America were routed through servers in China. That raises the danger Beijing could steal or demand access to the contents of those calls, according to a copy of the lawsuit, which was shared exclusively with The Cybersecurity 202.
Those phony claims “lull[ed] consumers and businesses into a false sense of security” and helped Zoom to soar in popularity during the early months of the pandemic, according to the lawsuit, which was filed late yesterday in Washington D.C. Superior Court.
Zoom CEO Eric Yuan attends the opening bell at Nasdaq as his company holds its IPO in New York. (AP Photo/Mark Lennihan, File)
The consumer group fears that if Zoom isn’t punished, other companies will be incentivized to make false claims about their security and privacy protections to attract users and stand out against competitors.
“It’s jaw dropping how blatantly Zoom was claiming something that wasn’t the case,” Jerry Flanagan, Consumer Watchdog’s litigation director, told me. “If a giant company like Zoom for years was claiming to have end-to-end encryption in place and they didn’t, one has to be very concerned that other companies are doing the same thing or that they’ll do so in the future if they don’t get called out on it.”
Zoom requested a copy of the lawsuit to review but did not respond to a request for comment on it. The company has previously acknowledged that it used misleading terminology to describe its encryption protections. It also acknowledged mistakenly routing calls through Chinese servers because of a surge of users during the early days of the pandemic.
Consumer Watchdog is suing under a D.C. consumer protection law that allows nonprofits to bring lawsuits on behalf of consumers.
In most states such cases would have to be filed by a state’s attorney general or by a group of consumers in a class action.
The group is seeking up to $1,500 for every instance in which a D.C. resident used Zoom for non-business purposes. That could be a huge amount given Zoom’s recent surge in popularity.
But it also comes as Zoom’s value is soaring. The company’s share price has risen to about $250 per share from around $115 before the pandemic.
The suit would cover instances where people used Zoom for social reasons or possibly for distance learning, said Ari Scharg, an attorney with Edelson PC, which is representing Consumer Watchdog in the case. It would not apply to cases in which people used the service for business reasons.
The company’s misstatements are especially galling during the pandemic, when people are rushing to Zoom and other video tools as a way to keep in touch with friends and family while self-isolating, Scharg said.
“Zoom is such a prevalent company in a lot of households and schools and offices and it’s surprising and frustrating to a lot of users that the company wasn’t truthful with them,” he told me. “Right now, we all need an alternative way of keeping in touch and educating our children and it’s paramount that these online platforms be truthful with customers about how their privacy is being protected and who has access to those communications.”
Zoom claimed for years that it offered the most secure version of encryption, called end-to-end.
But during a crush of security scandals in the early weeks of the pandemic, the company acknowledged that its teleconferences were actually protected with a less rigorous form of encryption called transport layer security, or TLS.
The major difference: End-to-end encryption scrambles the contents of a message or conversation for its full journey between sender and recipient, so even the company carrying it can’t read them. TLS protects the communication only on its way to and from the company’s servers, so the company hosting it can decrypt it in the middle. That raises the chances that hackers could spy on those communications, cybersecurity experts say.
End-to-end encryption has also sparked a high-stakes battle between tech companies and the Justice Department, because companies cannot turn over decrypted versions of customer messages in response to law enforcement warrants. Cybersecurity experts say that’s a necessary price to ensure the cybersecurity of lawful communications.
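To make the distinction drawn above concrete, here is an added Go example written for this page (not Zoom’s code or any product’s) that relays one message through a server under hop-by-hop transport encryption, then again under an extra end-to-end layer, and records what the server could read each time; the server, the keys, and the message are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte { // fresh keys and nonces for the demo
	b := make([]byte, n)
	rand.Read(b) // never returns an error as of Go 1.24
	return b
}

// seal/open: AES-256-GCM under a 32-byte key, nonce prefixed; open fails under any other key.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, msg []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}

// Relay carries msg from Alice to Bob through a server that terminates both
// TLS-style hops; e2eKey, held only by Alice and Bob, adds the end-to-end layer.
func Relay(msg, e2eKey []byte) (serverSaw, bobRead []byte) {
	hopA, hopB := randBytes(32), randBytes(32) // Alice<->server, server<->Bob
	payload := msg
	if e2eKey != nil {
		payload = seal(e2eKey, msg) // inner layer; the server never gets e2eKey
	}
	serverSaw, _ = open(hopA, seal(hopA, payload)) // server terminates hop A
	bobRead, _ = open(hopB, seal(hopB, serverSaw)) // and re-encrypts for hop B
	if e2eKey != nil {
		bobRead, _ = open(e2eKey, bobRead) // only Bob can strip the inner layer
	}
	return
}

func main() {
	plainSaw, _ := Relay([]byte("meeting notes"), nil)
	e2eSaw, got := Relay([]byte("meeting notes"), randBytes(32))
	fmt.Printf("server saw %q (TLS only) vs %x (end-to-end); Bob read %q\n", plainSaw, e2eSaw, got)
}
```

With e2eKey nil the server handles the plaintext, which is the situation the article describes; with the inner layer it only ever handles ciphertext that its own hop keys cannot open.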
Zoom’s chief product officer Oded Gal said in an April 1 blog post the company “has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption.” He acknowledged, however, that “while we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
The company later released plans to use true end-to-end encryption — first just for paid users then, when that plan proved unpopular, for users of both the paid and free service.
The company has also pledged to limit its ties to China, which have come under intense scrutiny amid widespread concern about the threat of digital spying by the Chinese government. A report by Citizen Lab, a University of Toronto research group, found that despite being based in California, Zoom owns three companies in China with about 700 employees that assist with its research and development.
Zoom’s moves didn’t quell anger from lawmakers and consumers who say it played fast and loose with security.
Sen. Richard Blumenthal, D-Conn., speaks during a Senate Judiciary Committee oversight hearing. (AP Photo/Carolyn Kaster, Pool)
Sens. Richard Blumenthal (D-Conn.) and Josh Hawley (R-Mo.) last month demanded a Justice Department investigation into Zoom’s Chinese government ties as well as those of the Chinese app TikTok.
In an email response to the lawsuit, Blumenthal told me “Zoom blatantly misled millions of consumers on the privacy and security of its app, claiming to offer end-to-end encryption when it did not” and that the company “still bears an unmet obligation to protect consumers and should be held accountable for its clear past violations of law and public trust.”