Zoom falsely claimed to offer 'end-to-end encryption' to consumers, lawsuit says
By Stephanie Pagones, FOX BUSINESS
August 11, 2020
A Washington, D.C.-based watchdog group is the latest to sue Zoom Video Communications over allegedly false privacy protection claims, saying the company misled and deceived users, such as those in the health care industry, who expected that the technology's encryption would protect their personal information, according to a lawsuit announced Tuesday.
Consumer Watchdog filed the civil suit on behalf of the D.C. public in the Superior Court of the District of Columbia late Monday, alleging Zoom made false representations about the level of security it offered, presenting its technology as being equipped with “end-to-end encryption” as a way to “distinguish itself from competitors and attract new customers,” the 18-page complaint states.
“The consequences of Zoom’s false promises of end-to-end encryption are far-reaching and incredibly concerning,” said Consumer Watchdog staff attorney Benjamin Powell, in a Tuesday press release. “Clients in the medical field, for example, were assured by Zoom that its platform was secure enough to transmit confidential medical information between physician and client. That just isn’t the case.”
The nonprofit consumer advocacy group estimated that there are “tens of thousands of Zoom users in Washington, D.C.” It is seeking damages through the District of Columbia Consumer Protection Procedures Act, which provides for $1,500 in statutory damages per violation, according to the release.
End-to-end encryption prevents anyone except for a sender and the intended recipient from accessing the “communicated data,” such as messages or other forms of communication, according to court papers.
“In certain industry sectors, this level of data security is not just desired, but also necessary to protect vulnerable populations and comply with regulatory privacy laws,” the lawsuit further states. “For example, the healthcare industry takes particular care in selecting communication platforms that are secure enough to comply with the Health Insurance Portability and Accountability Act,” or HIPAA.
Court papers include screenshots of Zoom’s messages touting its security, including one that states: “Enables HIPAA, [Personal Information Protection and Electronic Documents Act] & [Personal Health Information Protection Act] Compliance.”
“Zoom’s solution and security architecture provides end-to-end encryption and meeting access controls so data in transit cannot be intercepted,” the screenshotted message further states.
But the company’s claims about its use of end-to-end encryption are “false,” according to court papers.
“Zoom only used the phrase ‘end-to-end encryption’ as a marketing device to lull consumers and businesses into a false sense of security,” the complaint states. “The reality is that Zoom is, and has always been, capable of intercepting and accessing any and all of the data that users transmit on its platform—the very opposite of end-to-end encryption. Nonetheless, Zoom relied on its end-to-end encryption claim to attract customers and to build itself into a publicly traded company with a valuation of more than $70 billion.”
In a statement provided to FOX Business, a spokesperson for Zoom said the company takes “privacy and security extremely seriously.”
It adds: “[We] are committed to continuous enhancements, including the timely beta testing and implementation of end-to-end encryption.”