Data Insider: Digital Guardian's Blog

Zoom Hit With Lawsuit Over Encryption Claims

by Chris Brook on Wednesday August 12, 2020


A consumer advocacy group filed a lawsuit against the web conferencing software company alleging it misrepresented the level of security it uses to protect communications.

Zoom's rocky 2020 continues.

The web conferencing software is dealing with its latest blow this week, a lawsuit filed on Tuesday that alleges the company misrepresented the level of security to protect the conversations of users on its service.

Nonprofit group Consumer Watchdog, which filed the suit (.PDF) in a D.C. court under the district's Consumer Protection Procedures Act (CPPA), says the service "lulled consumers and businesses into a false sense of security."

The CPPA, D.C.’s general consumer protection law, prohibits a spectrum of deceptive business practices.

While the software has existed since 2013, it wasn't until the early days of the ongoing coronavirus (COVID-19) pandemic that it became a household word.

Early on it seemed as if Zoom was protecting users' communications with the most robust form of encryption, end-to-end; the company used the phrase in its white papers, something which no doubt attracted customers. When pressed, the service backed away from those claims, acknowledging that it really supports transport encryption: its video meetings, carried over a combination of TLS and UDP, were encrypted with AES, a symmetric encryption standard. The distinction matters because with transport encryption Zoom's own servers can decrypt meeting content in transit, whereas with end-to-end encryption only the meeting participants hold the keys.

The company was forced to issue a blog in early April to apologize and clear up confusion around the issue.

"While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it," Zoom's Chief Product Officer Oded Gal said at the time.

Under increased scrutiny, Zoom eventually caved and said it would be rolling out end-to-end encryption, but only for paid users. When those plans were met with even more criticism, the company reversed course and said it would provide E2E encryption for both paid and non-paying users, as long as non-paying users supply an extra piece of information about themselves, such as a phone number, for verification purposes.

This week’s lawsuit alleges the company misled users by claiming it had end-to-end encryption in the first place. The lawsuit also alleges that by continuing not to implement end-to-end encryption, the company has put its servers, some of which routed data and conversations through China, at increased risk. The company admitted that it mistakenly allowed calls to be routed through China.

That issue, the company's connection to China, has rankled Senators this summer, too. Senators Richard Blumenthal (D-Conn.) and Josh Hawley (R-Mo.) asked the Department of Justice to look into the app's ties to China in June. In an attempt to curb those ties, Zoom announced earlier this month that it would stop direct sales to customers in China by August 23.

In response to this week’s lawsuit, Zoom said it was still working on fine-tuning E2E encryption on the service.

“We take privacy and security extremely seriously and are committed to continuous enhancements, including the timely beta testing and implementation of end-to-end encryption,” a spokesman told publications on Tuesday.

The suit is the latest in a flurry of lawsuits against the company. Other suits have been filed against Zoom citing violations of the California Consumer Privacy Act and issues stemming from so-called "zoombombings," in which disruptive visitors hijack Zoom meetings using stolen meeting IDs. Another suit alleges that Zoom made it easier for social media companies like LinkedIn and Facebook to mine users' data.

It remains to be seen what will become of the suit, but in addition to a court order prohibiting Zoom from misrepresenting the level of security it offers, Consumer Watchdog is also seeking financial damages.

Washington D.C.'s CPPA allows statutory damages in the amount of $1,500 per violation. While those damages would only apply to non-business uses of Zoom, they could still amount to a hefty sum, especially given the app's widespread usage of late.

Tags: Encryption

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.