Case 2:20-cv-03400 Document 1 Filed 04/13/20 Page 1 of 70 Page ID #:1

David B. Owens, State Bar No. 275030
david@loevy.com
Mike Kanovitz, pro hac vice application forthcoming
mike@loevy.com
Scott R. Drury, pro hac vice application forthcoming
drury@loevy.com
LOEVY & LOEVY
311 N. Aberdeen, 3rd Floor
Chicago, Illinois 60607
(312) 243-5900 (phone)
(312) 243-5902 (fax)

Attorneys for Plaintiff

UNITED STATES DISTRICT COURT
CENTRAL DISTRICT OF CALIFORNIA

TODD HURVITZ, individually, and on behalf of all others similarly situated,
Plaintiff,
v.
ZOOM VIDEO COMMUNICATIONS, INC., FACEBOOK and LINKEDIN CORPORATION,
Defendants.

Civil Action No. 2:20-cv-3400
COMPLAINT FOR DAMAGES AND EQUITABLE RELIEF
CLASS ACTION
DEMAND FOR JURY TRIAL

Plaintiff Todd Hurvitz, by his attorneys, brings this class action complaint against Defendants Zoom Video Communications, Inc. (“Zoom”), Facebook and LinkedIn Corporation (“LinkedIn”) (collectively, “Defendants”), on behalf of himself and all others similarly situated, and alleges, upon personal knowledge as to his own actions and his counsel’s investigations, and upon information and belief as to all other matters, as follows:

INTRODUCTION

1. Defendant Zoom promotes itself as the “leader in modern enterprise video communications” that “helps businesses and organizations bring their teams together in a frictionless environment to get more done.”

2. Zoom also contends that it cares for its users and seeks to deliver happiness. Not so. It recently has been revealed that: (a) Defendants Facebook and LinkedIn eavesdropped on, and otherwise read, attempted to read and learned the contents and meaning of, the communications between Zoom users’ devices and Defendant Zoom’s server; (b) Zoom and LinkedIn disclosed Zoom users’ identities to third parties even when those users actively took steps to keep their identities anonymous while using the Zoom platform; and (c) Zoom falsely represented the safeguards in place to keep users’ video communications private.

3. Indeed, the exploitation of Zoom users began simultaneously with the installation of Zoom’s software application (the “Zoom App”), especially if they used the iOS operating system – the system that runs on Apple products. At that time, and each time thereafter that a Zoom user opened or closed the Zoom App, Defendant Facebook eavesdropped on, and otherwise read, attempted to read and learned the contents and meaning of, communications between Zoom users’ devices and Defendant Zoom’s server without the users’ knowledge or consent.

4. Facebook engaged in that unlawful conduct in order to gather users’ personal information and amass increasingly detailed profiles on Zoom users, which profiles Zoom and Facebook then used for their respective financial benefit.

5. Similarly, Defendant LinkedIn eavesdropped on, and otherwise read, attempted to read and learned the contents and meaning of, communications between Zoom users’ devices and Defendant Zoom’s server, in order to harvest users’ personal information. Further, Zoom and LinkedIn surreptitiously provided certain Zoom users with the personal information of other users even when the victim users proactively took steps to hide their identities.

6. Additionally, Defendant Zoom has misrepresented the nature of the security used to protect Zoom users’ video communications. It has also concealed, suppressed and omitted from disclosure various flaws in its products until they are publicly disclosed by third parties, knowing that the disclosures could harm its business.

7. Plaintiff brings this action for monetary, declaratory and injunctive relief in order to: (a) require Defendants to provide compensation for their unlawful, unfair and deceptive conduct; (b) require Defendants to disgorge their ill-gotten gains; and (c) prevent and preclude Defendants from engaging in similar conduct in the future.

PARTIES

8. Plaintiff Todd Hurvitz is a California resident, residing in the Central District of California.

9. Defendant Zoom is a Delaware corporation, with its corporate headquarters in San Jose, California. As of January 31, 2020, Zoom reported quarterly revenue of $188 million and fiscal year revenue of $623 million. As of December 2019, the maximum number of Zoom meeting participants on a given day totaled 10 million. As of late March 2020, the number had grown to 200 million participants.

10. Defendant Facebook is a Delaware corporation, with its corporate headquarters in Menlo Park, California. Facebook’s 2019 revenue totaled approximately $71 billion. Moreover, as of December 2019, Facebook averaged 2.50 billion monthly active users. According to a recent filing with the United States Securities and Exchange Commission: (a) Facebook is a social network that generates substantially all of its revenue from selling advertising placements to marketers; (b) Facebook ads allow marketers to reach people based on various factors including age, gender, behaviors, location and interests; and (c) Facebook’s advertising revenue depends on “targeting and measurement tools that incorporates data signals from user activity on websites.”

11. Defendant LinkedIn is a Delaware subsidiary of Microsoft Corporation (“Microsoft”), with its corporate headquarters in Sunnyvale, California. According to Microsoft’s 2019 Annual Report, LinkedIn is the “world’s largest professional network on the Internet” with revenue totaling $5.3 billion. Among the products offered by LinkedIn at relevant times was LinkedIn Sales Navigator (“Navigator”), a sales tool that provided automated targeting of prospective customers. The minimum annual fee for access to Navigator was $780.

JURISDICTION AND VENUE

12. This Court has jurisdiction pursuant to 28 U.S.C. § 1332(d)(2) (the “Class Action Fairness Act”) because sufficient diversity of citizenship exists between the parties in this action, the aggregate amount in controversy exceeds $5,000,000, exclusive of interests and costs, and there are 100 or more members of the Class.

13. This Court has personal jurisdiction over Defendants because they are headquartered in California, marketed and sold their products to California consumers and businesses and exposed California residents to ongoing privacy risks created by their conduct.

14. Venue is proper under 28 U.S.C. § 1391(b)(2) because a substantial part of the acts or omissions giving rise to the claims alleged herein occurred in the Central District of California. Alternatively, venue is proper under 28 U.S.C. § 1391(b)(3) because this Court has personal jurisdiction over Defendants.

FACTUAL ALLEGATIONS

Zoom’s Business and Business Risk Factors

15. According to Defendant Zoom’s March 2019 Form S-1 Registration Statement (the “S-1”)¹:

a. “Video has increasingly become the way that individuals want to communicate in the workplace and their daily lives,” and online/cloud video communications represents a $43.1 billion opportunity in 2022;

b. Zoom was a “video-first communications platform that delivers happiness and fundamentally changes how people interact by connecting them through frictionless video, voice, chat and content sharing”;

c. Zoom’s cornerstone product was Zoom Meetings, which provided “HD video, voice, chat and content sharing across mobile devices, desktops, laptops, telephones and conference room systems”;

d. Zoom’s business was subject to numerous risk factors;

e. Zoom recognized that a decline in new users and hosts or in renewals of upgrades from free service to paid subscriptions would hurt Defendant Zoom’s business: “Any decrease in user satisfaction with our products or support would harm our brand, word-of-mouth referrals and ability to grow”;

¹ Zoom Video Communications, Inc. SEC Form S-1 Registration Statement (Mar. 22, 2019), https://investors.zoom.us/static-files/fd2d31e8-3320-42ed-9f38-439936418332 (last accessed on Apr. 9, 2020).

16. At relevant times, it was critical to Defendant Zoom’s business plan that it limit bad or negative news regarding its data security and confidentiality practices.

17. According to Defendant Zoom:

    Any failure or perceived failure by us to comply with our privacy-, data protection- or information security-related obligations to users or other third parties or any of our other legal obligations relating to privacy, data protection or information security may result in governmental investigations or enforcement actions, litigation, claims or public statements against us by consumer advocacy groups or others, and could result in significant liability or cause our users to lose trust in us, which could have an adverse effect on our reputation and business.²

² Id.

18. Similarly, recognizing its past inability to keep its users’ data secure, Defendant Zoom has acknowledged that “[c]oncerns regarding privacy, data protection and information security may cause some of our users and hosts to stop using our solutions and fail to renew their subscriptions. This discontinuance in use or failure to renew could substantially harm our business.”³

³ Id.

19. Defendant Zoom has further conceded that “failures to meet customers’ and hosts’ expectations with respect to security and confidentiality of their data and information could damage our reputation and affect our ability to retain customers and hosts, attract new customers and hosts and grow our business.”⁴

⁴ Id.

Defendant Zoom’s Misrepresentations Regarding Data Privacy and Security

20. Defendant Zoom has consistently represented that it did not allow third parties access to any personal data Zoom collected in the course of providing services to customers. In fact, as alleged in more detail below, Zoom allowed third parties to access such data.

21. Further, at relevant times, Defendant Zoom represented that it took security seriously and protected users’ data by allowing all shared content to be encrypted using Advanced Encryption Standard (“AES”)-256 encryption.

22. AES is a standard for encrypting data.

23. Contrary to Defendant Zoom’s representations, Zoom did not protect users’ data using AES-256. Rather, Zoom used weaker data protection methods that exposed users to security hazards.

Defendants’ History of Lax Security and Data Privacy Practices

Defendant Zoom

24. Defendant Zoom has a long history of lax security practices and deceptive data privacy practices.

25. Indeed, in its S-1, Defendant Zoom conceded that “security incidents have occurred in the past and may occur in the future . . . .”⁵

⁵ Id.

26. In numerous instances, Defendant Zoom has claimed to not have become aware of its failure to properly secure users’ personal information or its failure to adhere to its own privacy practices until it received notification from third parties.

27. In July 2018, it was revealed that a flaw in Zoom Meetings “could result in potential exposure of a Zoom user’s password.”⁶

⁶ Id.

28. On October 11, 2018, a cybersecurity company notified Defendant Zoom of a software defect that “allows attackers to hijack control of presenters’ desktops, spoof chat messages, and kick attendees out of Zoom calls.”⁷

⁷ Id.; see also Zoom Message Spoofing, Tenable (Oct. 2018), https://www.tenable.com/security/research/tra-2018-40 (last accessed on Apr. 9, 2020).

29. Defendant Zoom did not publicly release a fix to the October 2018 vulnerability until late November 2018.

30. In March 2019, a software engineer notified Defendant Zoom of a security defect that exposed millions of users to an attack whereby a hacker could access their computers’ cameras and microphones and initiate a video-enabled call on a Mac without user consent. Further research revealed that if a user tried to remedy the defect by uninstalling the Zoom App on his device, Zoom would surreptitiously reinstall it – thereby, again, leaving the user exposed to the security vulnerability.

31. The engineer who discovered the March 2019 defect rated its severity as 8.5 out of 10.⁸

⁸ Id.

32. Rather than immediately remedying the defect, Defendant Zoom released a fix for an unrelated defect.

33. Defendant Zoom waited almost four months before releasing a fix for the major defect and did so only after a complaint was filed with the Federal Trade Commission (the “FTC”) by a privacy advocacy organization.

Defendant Facebook

34. Defendant Facebook has a long history of lax security practices and deceptive data privacy practices, as exemplified by the allegations below:

35. In 2011, a researcher disclosed that Defendant Facebook covertly tracked the websites Facebook users visited when users were logged out of Facebook. Facebook began engaging in the conduct in April 2010 and did not cease doing so until the Wall Street Journal published the researcher’s findings in September 2011.

36. In 2012, the FTC charged Defendant Facebook with eight separate privacy-related violations, including that Facebook made misrepresentations regarding users’ ability to control the privacy of their personal data. In response, Facebook agreed to change its privacy practices. However, Facebook breached its agreement with the FTC, resulting in the FTC imposing a record-setting $5 billion penalty against Facebook in 2019.

37. In 2015, Defendant Facebook was sued for violating the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1, et seq., as a result of a facial recognition feature that tagged people’s photos. In January 2020, Facebook settled the matter for $550 million.

38. In 2018, hackers exploited a vulnerability in Defendant Facebook’s code and stole personal information of approximately 29 million Facebook users. Facebook has agreed to settle a consolidated class action arising out of the data breach. As part of the settlement, Facebook has agreed to implement improved security practices.

Defendant LinkedIn

39. Defendant LinkedIn also has a long history of lax security practices and deceptive data privacy practices.

40. In 2010, Defendant LinkedIn experienced a data breach in which a hacker obtained the passwords of approximately 6.5 million users. According to reports, LinkedIn failed to store the passwords in a secure manner. LinkedIn settled the matter for $1.25 million.

41. Between September 2011 and October 31, 2014, Defendant LinkedIn imported contacts from users’ external email contacts and then repeatedly emailed those contacts without obtaining consent to use the users’ names and likenesses. LinkedIn settled the matter for $13 million.

42. In November 2018, Ireland’s Data Protection Commissioner found that Defendant LinkedIn obtained the email addresses of 18 million non-members and then targeted those non-members with Facebook advertisements without their consent. LinkedIn subsequently agreed to cease engaging in the conduct.

The Unlawful Collection and Distribution of Users’ Personal Information

Defendants Zoom and LinkedIn

43. To enhance the “Zoom experience,” Defendant Zoom offered users the ability to integrate third-party software applications (“app” or “apps”) into the Zoom platform.

44. One such app was Navigator. According to Defendant Zoom’s App Marketplace: (a) “[w]ith Zoom’s LinkedIn Sales Navigator integration, you’ll build connections and instantly gain insights about your meeting participants”; and (b) with LinkedIn Sales Navigator enabled, a person using the app “will be able to view LinkedIn details of . . . meeting participants . . . .”

45. According to Defendant LinkedIn’s website, a salesperson using Navigator could “[t]arget the right buyers, understand key insights, and engage with personalized outreach.”

46. At relevant times, a person hosting a Zoom video meeting while utilizing the Navigator app was able to view LinkedIn details of meeting participants, even when those participants sought to keep their personal details anonymous.

47. Defendant LinkedIn gained the ability to provide a meeting host with meeting participants’ LinkedIn details by willfully and intentionally using a recording device to record and eavesdrop on, and by otherwise reading, attempting to read and learning the contents and meaning of, communications between the participants’ computers and Defendant Zoom’s server while the same were in transit and passing over any wire, line or cable and were being sent from and received within the State of California. LinkedIn engaged in this conduct in an unauthorized manner and without the meeting participants’ knowledge or consent. The meeting participants had a reasonable expectation of privacy in the communications and reasonably believed the communications were confidential.

48. The personal information LinkedIn learned from the above-described eavesdropping activities included participants’ persistent identifiers and other details that allowed LinkedIn to identify the participants by name and LinkedIn profile, even when the participants sought to keep their identities anonymous.

49. On information and belief, Defendant LinkedIn was able to collect Zoom users’ personal information even if the meeting host was not using Navigator, thereby allowing LinkedIn to learn the contents of all sign-in communications of all Zoom users.

50. Defendant Zoom has admitted that Navigator allowed for unnecessary data disclosure to Defendant LinkedIn.

51. While Zoom had various privacy policies in effect at various times, the unnecessary data disclosure violated each of those policies.

52. None of Defendant Zoom’s privacy policies disclosed that Defendant LinkedIn was able to obtain users’ personal information in the manner alleged above.

53. Similarly, at no time did Defendant LinkedIn disclose to Zoom users that it collected their personal information from Defendant Zoom.

54. On information and belief, Defendants Zoom and LinkedIn unjustly enriched themselves through Zoom’s disclosure of Zoom users’ personal information to LinkedIn by, among other ways, increasing sales of Navigator and increasing the number of total Zoom users and the number of Zoom users who paid for Zoom’s services.

Defendants Zoom and Facebook

55. At relevant times, Defendant Zoom allowed users of Apple’s iOS operating system to access Zoom’s platform via a “Login with Facebook” feature (the “iOS Login Feature”). The iOS Login Feature utilized a Facebook software development kit (“SDK”) to function.

56. Via the iOS Login Feature, Defendant Facebook could, among other things, surreptitiously collect personal information about Zoom users – even users who did not have a Facebook account and did not use the iOS Login Feature.

57. Defendant Facebook collected the personal information by willfully and intentionally using a recording device to record and eavesdrop on, and by otherwise reading, attempting to read and learning the contents and meaning of, communications between the participants’ computers and Defendant Zoom’s server while the same were in transit and passing over any wire, line or cable and were being sent from and received within the State of California. Facebook engaged in this conduct in an unauthorized manner and without the meeting participants’ knowledge or consent. The meeting participants had a reasonable expectation of privacy in the communications and reasonably believed the communications were confidential.

58. Defendant Facebook’s collection of Zoom users’ personal information allowed Facebook to amass increasingly detailed profiles on users for use in its targeted advertising business. Those profiles helped Defendant Zoom profit by being able to more accurately target users for additional services and to convert them to paying customers.

59. The personal information Defendant Facebook learned about users included their:

a. iOS Advertiser ID;
b. iOS Timezone;
c. IP Address;
d. iOS Language;
e. iOS Disk Space Available;
f. iOS Disk Space Remaining;
g. iOS Device Model;
h. iOS Version;
i. Device Carrier;
j. iOS Device CPU Cores;
k. Application Bundle Identifier;
l. Application Instance ID; and
m. Application Version.

60. A Zoom user’s iOS Advertiser ID is known as a persistent identifier and is particularly sensitive because it is specifically assigned to the user and could be tracked over time, across platforms and linked to the user. In isolation, a persistent identifier is merely a string of numbers used to identify an individual. However, when linked to other data points about the same user – such as the data points described above – a persistent identifier reveals a personal profile that data collectors like Defendant Facebook can exploit.

61. The FTC has described the way in which a company like Defendant Facebook can use a persistent identifier in conjunction with other data points to amass a valuable profile on an individual:

    [In a recent survey], one ad network received information from 31 different apps. Two of these apps transmitted geolocation to the ad network along with a device identifier [a type of persistent identifier], and the other 29 apps transmitted other data (such as app name, device configuration details, and the time and duration of use) in connection with a device ID. The ad network could thus link the geolocation information obtained through the two apps to all the other data collected through the other 29 apps by matching the unique, persistent device ID.⁹

⁹ Federal Trade Commission, Mobile Apps for Kids: Disclosures Still Not Making the Grade, at 10, n.25 (Dec. 2012), https://www.ftc.gov/sites/default/files/documents/reports/mobile-apps-kids-disclosures-still-not-making-grade/121210mobilekidsappreport.pdf (last accessed on Apr. 11, 2020) (emphasis added).

62. Defendant Facebook’s surreptitious collection of the personal information described above allowed it to amass increasingly detailed profiles on Zoom users showing how, when and why they used Zoom, along with other inferences that could be drawn therefrom.

63. Indeed, by obtaining a Zoom user’s iOS Advertiser ID, along with the other information described above, Defendant Facebook was able to identify the specific user and amass the data collected from Defendant Zoom with other data previously collected by Facebook, giving Facebook multiple ways to identify the user even if he took steps to keep his identity anonymous.

64. Moreover, the combination of the iOS Advertiser ID and the other data described above better allowed Defendant Facebook to deanonymize a user’s data and reidentify the user. This is significant because many companies contend that they only share, sell or use personal information in an aggregate and/or anonymized format. By obtaining the iOS Advertiser ID, along with the other personal information described above, Defendant Facebook could render the concept of anonymized data a nullity.¹⁰

¹⁰ Luc Rocher, et al., Estimating the Success of Re-Identification in Incomplete Datasets Using Generative Models, Nature Communications (July 23, 2019), https://www.nature.com/articles/s41467-019-10933-3 (last accessed on Apr. 11, 2020) (discussing reidentification of anonymized data).

65. Defendant Zoom has admitted that the data collection conducted via the Login with Facebook feature was unnecessary to the provision of Defendant Zoom’s services to users.

66. While Zoom had various privacy policies in effect at various times, the unnecessary data disclosure violated each of those policies.

67. None of Defendant Zoom’s privacy policies disclosed that Defendant Facebook was able to obtain users’ personal information in the manner alleged above.

68. Similarly, at no time did Defendant Facebook disclose to Zoom users that it collected their personal information from Defendant Zoom.

69. On information and belief, Defendants Zoom and Facebook unjustly enriched themselves through Zoom’s disclosure of Zoom users’ personal information to Facebook by, among other ways: (a) allowing them to amass more detailed profiles on users; (b) allowing Facebook to increase its advertising business by marketing its ability to target advertisements based on its detailed personal profiles; and (c) allowing Zoom to more specifically target advertisements for its paid services and, thereby, generate revenues.

Defendant Zoom’s Misrepresentations Regarding Its Security Practices

70. As alleged above, Defendant Zoom represented that it allowed all shared content to be encrypted using AES-256 encryption.

71. In fact, Defendant Zoom utilized AES-128 encryption, a form of encryption inferior to AES-256.

72. Moreover, Defendant Zoom utilized its AES-128 encryption in ECB mode, which is not recommended by security experts because patterns visible in plaintext are preserved during encryption.¹¹ As a result, a viewer of the patterns can see and decipher the outlines of the encrypted information, as depicted in the images below:

[Images: “Original Image” and “Encrypted using ECB Mode”¹²]

¹¹ Bill Marczak, et al., Move Fast and Roll Your Own Crypto, A Quick Look at the Confidentiality of Zoom Meetings, The Citizen Lab (Apr. 3, 2020), https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/ (accessed on Apr. 11, 2020).

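The pattern preservation alleged in paragraph 72, shown as an added example that is not part of the complaint or of any Defendant's code: a pure-Python AES-128 (FIPS-197, encryption only) encrypts a constructed 64×64 bitmap in ECB mode and, for comparison, in CTR mode, then measures how many ciphertext blocks repeat. The key, nonce, bitmap, function names and the choice of CTR as the comparison mode are assumptions made for illustration.

```python
# Added illustration (not from the complaint): AES-128 per FIPS-197, ECB vs CTR.
BLOCK = 16

def _xtime(a):  # multiply by x in GF(2^8) modulo the AES polynomial 0x11B
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):  # multiply two bytes in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():  # multiplicative inverse, then the affine map
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    assert len(key) == 16
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [[b for word in w[4 * r:4 * r + 4] for b in word] for r in range(11)]

def _mix_columns(s):
    out = []
    for c in range(0, 16, 4):
        a = s[c:c + 4]
        x = [_xtime(v) for v in a]                  # x[i] = 2*a[i]
        out += [x[0] ^ x[1] ^ a[1] ^ a[2] ^ a[3],   # 2a0 + 3a1 + a2 + a3
                a[0] ^ x[1] ^ x[2] ^ a[2] ^ a[3],   # a0 + 2a1 + 3a2 + a3
                a[0] ^ a[1] ^ x[2] ^ x[3] ^ a[3],   # a0 + a1 + 2a2 + 3a3
                x[0] ^ a[0] ^ a[1] ^ a[2] ^ x[3]]   # 3a0 + a1 + a2 + 2a3
    return out

def encrypt_block(block, rks):  # state: flat list of 16 bytes, column-major
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rks[rnd])]                            # AddRoundKey
    return bytes(s)

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, data):  # every block encrypted independently, same key
    assert len(data) % BLOCK == 0, "sample is block-aligned; padding omitted"
    rks = expand_key(key)
    return b"".join(encrypt_block(b, rks) for b in blocks(data))

def ctr_encrypt(key, nonce, data):
    """XOR data with E_k(nonce || counter); the nonce must never repeat per key."""
    assert len(nonce) == 8
    rks = expand_key(key)
    out = bytearray()
    for i, blk in enumerate(blocks(data)):
        ks = encrypt_block(nonce + i.to_bytes(8, "big"), rks)
        out += bytes(p ^ k for p, k in zip(blk, ks))
    return bytes(out)

def block_pattern(data):  # per block: index of the first block with that value
    first = {}
    return [first.setdefault(b, i) for i, b in enumerate(blocks(data))]

def repeated_block_ratio(data):  # share of blocks that repeat an earlier block
    bl = blocks(data)
    return 1 - len(set(bl)) / len(bl)

def make_image(size=64):  # constructed sample: black bitmap with a white square
    return bytes(0xFF if 16 <= x < 48 and 16 <= y < 48 else 0
                 for y in range(size) for x in range(size))

if __name__ == "__main__":
    key, nonce = bytes(range(16)), b"\x00" * 7 + b"\x01"  # constructed demo values
    img = make_image()
    ecb, ctr = ecb_encrypt(key, img), ctr_encrypt(key, nonce, img)
    print("repeated blocks: ECB %.3f, CTR %.3f"
          % (repeated_block_ratio(ecb), repeated_block_ratio(ctr)))
    print("ECB keeps plaintext block layout:", block_pattern(ecb) == block_pattern(img))
```

A high repeated-block ratio in ciphertext of structured data is a practical indicator that a deterministic per-block mode such as ECB is in use.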

The Market for Data

73. Several online companies allow individuals to sell their own data online.

74. One such company estimates that an individual can earn up to $2,000 per year selling his data.

75. By unlawfully collecting, distributing and using Zoom users’ data, Defendants diminished the value of the data and unjustly enriched themselves.

Allegations Related to Plaintiff

76. At relevant times, the Zoom App was instal
