Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 1 of 75
`
`Tina Wolfson (SBN 174806)
`twolfson@ahdootwolfson.com
`Theodore Maya (SBN 223242)
`tmaya@ahdootwolfson.com
`Bradley K. King (SBN 274399)
`bking@ahdootwolfson.com
`Christopher E. Stiner (SBN 276033)
`cstiner@ahdootwolfson.com
`Rachel Johnson (SBN 331351)
`rjohnson@ahdootwolfson.com
`AHDOOT & WOLFSON, PC
`10728 Lindbrook Drive
`
`Los Angeles, CA 90024
`Tel: (310) 474-9111
`Fax: (310) 474-8585
`
`Mark C. Molumphy (SBN 168009)
`mmolumphy@cpmlegal.com
`Joseph W. Cotchett (SBN 36324)
`jcotchett@cpmlegal.com
`Tyson Redenbarger (SBN 294424)
`tredenbarger@cpmlegal.com
`Noorjahan Rahman (SBN 330572)
`nrahman@cpmlegal.com
`Julia Peng (SBN 318396)
`jpeng@cpmlegal.com
`COTCHETT, PITRE & McCARTHY LLP
`840 Malcolm Road, Suite 200
`Burlingame, CA 94010
`Telephone: 650.697.6000
`Facsimile:
`650.697.0577
`
`Interim Co-Lead Class Counsel
`Additional Counsel on Signature Page
`
`
`IN RE: ZOOM VIDEO
`COMMUNICATIONS, INC. PRIVACY
`LITIGATION
`
`
`This Document Relates To: All Actions
`
`
`
`
`
`
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`SAN JOSE DIVISION
`
`
`Case No. 5:20-CV-02155-LHK
`
`
`
`FIRST AMENDED
`CONSOLIDATED CLASS
`ACTION COMPLAINT
`
`
`DEMAND FOR JURY TRIAL
`
`
`
`
`FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`Case No. 5:20-cv-02155-LHK
`
`
`
`
`
`

`

`
`
`Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 2 of 75
`
`
`
`Plaintiffs Caitlin Brice, Heddi N. Cundle, Angela Doyle, Sharon Garcia, Isabelle
`
`Gmerek, Cynthia Gormezano, Kristen Hartmann, Peter Hirshberg, M.F. and his parent
`
`Therese Jimenez, Lisa T. Johnston, Oak Life Church, Saint Paulus Lutheran Church and
`
`Stacey Simins (“Plaintiffs”) allege the following against Defendant Zoom Video
`
`Communications, Inc. (“Defendant” or “Zoom”), acting individually and on behalf of all
`
`others similarly situated:
`
`BRIEF SUMMARY OF THE CASE
`
`1.
`
`Plaintiffs bring this case to stop Zoom, currently the most popular
`
`videoconferencing platform, from invading consumers’ privacy and from promoting its
`
`product under false assurances of privacy. Further, Plaintiffs seek compensation for
`
`themselves and all others similarly situated for past privacy violations.
`
`2.
`
`Zoom is a supplier of video conferencing services founded in 2011 by Eric
`
`Yuan, a former corporate vice president for Cisco Webex. In January 2017, Zoom raised
`
`$100 million in Series D funding from Sequoia Capital at a $1 billion valuation, and achieved
`
`“unicorn” status—a privately held startup that has reached a $1 billion valuation. On April
`
`18, 2019, the company became a public company via an initial public offering. On its first
`
`day of trading Zoom’s share price increased over 72%, and by the end of the day Zoom was
`
`valued at $16 billion. By June 2020, Zoom was valued at over $67 billion.
`
`3.
`
`Zoom achieved this remarkable growth by, as explained by Mr. Yuan, taking
`
`“the work out of meetings.” “We’ve dedicated ourselves to the features and enhancements
`
`that pull all the friction out of video communications. We’ve made it easier to buy and deploy
`
`Zoom Rooms, we’ve made it simpler to schedule meetings and manage rooms.”1 What was
`
`not explained, and what has become evident since Zoom’s widespread adoption, is that
`
`Zoom’s focus on its goal of “frictionless” video conferencing came at the cost of proper
`
`
`1 Priscilla Barolo, Zoom Launches Enhanced Product Suite to Deliver Frictionless Communications (Jan. 3, 2018),
`available at <https://blog.zoom.us/zoom-launches-enhanced-product-suite-to-deliver-frictionless-
`communications/> (Last Visited July 28, 2020).
`
`
`FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`- 1 -
`Case No. 5:20-cv-02155-LHK
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`29
`
`30
`
`31
`
`
`
`

`

`
`
`Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 3 of 75
`
`
`
`attention being placed on security and on ensuring that Zoom users’ private moments would
`
`not be shared with, exploited by, or obscenely hijacked by others.
`
`4.
`
`In early 2020, usage of video conferencing, especially Zoom, increased
`
`dramatically in response to the COVID-19 pandemic. As of the end of December 2019, the
`
`maximum number of daily meeting participants, both free and paid, conducted on Zoom
`
`was approximately 10 million. In March 2020, Zoom reached more than 200 million daily
`
`meeting participants, both free and paid.2 With the surge in usage also came increased
`
`scrutiny on Zoom’s privacy policies and new flaws were revealed almost on a daily basis.3
`
`5.
`
`On March 26, 2020, an article on Vice News’ Motherboard tech blog revealed
`
`that, unbeknownst to users, the Zoom iPhone app was sending users’ personal data to
`
`Facebook even if users did not have a Facebook account.4 Zoom was providing a trove of
`
`data to third parties through its Apple iOS app, which implemented Facebook’s user login
`
`“Software Development Kit” (SDK). Zoom admitted that it permitted the Facebook SDK
`
`to collect and share user information including: device carrier, iOS Advertiser ID, iOS
`
`Device CPU Cores, iOS Device Display Dimension, iOS Device Model, iOS Language, iOS
`
`Time zone, iOS Version.5 While Zoom reported to have removed the Facebook SDK, Zoom
`
`continues to share similarly valuable user data with Google via that company’s Firebase
`
`Analytics. Plaintiffs never granted permission for third parties to extract and use such data—
`
`indeed, they were not even aware of the data transmission.
`
`
`2 Eric S. Yuan, A Message to Our Users (April 1, 2020), available at
`<https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/> (Last Visited July 30, 2020).
`
`3 BBC News, Zoom Under Increased Scrutiny As Popularity Soars (April 1, 2020), available at
`<https://www.bbc.com/news/business-52115434 (Last Visited July 28, 2020)> (Last Visited July 29,
`2020).
`
`4 Joseph Cox, Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account (March 26,
`2020), available at <https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-
`even-if-you-dont-have-a-facebook-account> (Last Visited July 28, 2020).
`
`5 Eric S. Yuan, Zoom’s Use of Facebook’s SDK in iOS Client (March 27, 2020), available at
`<https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-in-ios-client/> (Last Visited
`July 28, 2020).
`
`
`FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`- 2 -
`Case No. 5:20-cv-02155-LHK
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`29
`
`30
`
`31
`
`
`
`

`

`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 4 of 75
`
`
`
`6.
`
`First and foremost this collection and sharing of Plaintiffs’ data presented an
`
`egregious invasion of their privacy. As well, surreptitious transfer of data by Zoom to third
`
`parties harmed Plaintiffs by, among other things, consuming data for which Plaintiffs as part
`
`of their carrier’s plan6 and diminishing the value of their personal information. Perhaps worst
`
`of all, Plaintiffs are harmed when their extracted data is used to target and profile them with
`
`unwanted and/or harmful content.
`
`7.
`
`On March 31, 2020, an article in The Intercept revealed as false Zoom’s claims
`
`that it implemented end-to-end encryption (“E2E”)—widely understood as the most private
`
`form of internet communication—to protect the confidentiality of users’ video conferences.7
`
`In fact, Zoom was using its own definition of the term, one that failed to recognize Zoom’s
`
`ability to access unencrypted video and audio from meetings. The definition of end-to-end
`
`encryption is not up for interpretation in the industry. Zoom’s misrepresentations are a stark
`
`contrast to other videoconferencing services, such as Apple’s FaceTime, which have
`
`undertaken the more challenging task of implementing true E2E encryption for a multiple
`
`15
`
`party call.
`
`8.
`
`On April 2, 2020, the New York Times published an article disclosing “a data-
`
`mining feature” related to a LinkedIn application that could be used to snoop on participants
`
`during Zoom meetings without their knowledge.8
`
`9.
`
`Finally, reports continue to the present day of security breaches during which
`
`unauthorized bad actors hijack Zoom videoconferences, displaying pornography, screaming
`
`racial epitaphs, or engaging in similarly despicable conduct. This practice has become so
`
`
`6 Jeffrey Fowler, In the middle of the night. Do you know who your iPhone is talking to? (May 28, 2019), available at
`<https://www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-
`iphone-is-talking/> (Last Visited July 30, 2020).
`
`7 Micah Lee and Yael Grauer, Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading (March 31,
`2020), available at <https://theintercept.com/2020/03/31/zoom-meeting-encryption/> (Last Visited
`July 28, 2020).
`
`8 Aaron Krolik and Natasha Singer, A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles,
`New York Times (April 2, 2020), available at
`<https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html> (Last Visited July 28,
`2020).
`
`
`FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`- 3 -
`Case No. 5:20-cv-02155-LHK
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`29
`
`30
`
`31
`
`
`
`

`

`
`
`Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 5 of 75
`
`
`
`commonplace on the Zoom platform that it is referred to as “Zoombombing.” Bad actors
`
`have disrupted private moments ranging from Alcoholics Anonymous meetings to
`
`Holocaust memorial services (e.g., in one instance with images of Adolf Hitler).9 School
`
`classes and religious services all over the world have been affected. Recordings of these
`
`incidents and others end up on YouTube and TikTok with the horrified reactions of
`
`participants being the digital trophies of the Zoombombers. Concerns regarding
`
`Zoombombing led many organizations to ban employees’ use of Zoom, including Google,
`
`SpaceX, NASA, the Australian Defence Force, the Taiwanese and Canadian governments,
`
`the New York Department of Education, and the Clark County School District in Nevada.10
`
`10. The gravity of these data privacy violations cannot be overstated, including the
`
`data points leaked through the Facebook SDK. A growing and insidious practice in the
`
`“AdTech” industry to collect unique device data from consumers in order to build a profile,
`
`sometimes referred to as a “fingerprint,” is used to allow third parties and data brokers to
`
`follow users’ activities across their devices with essentially no limit. The practice of
`
`fingerprinting is unique and more damaging than the practice of tracking consumers’
`
`browsing activity with cookies.
`
`11. Zoom had the affirmative duty to safeguard consumers’ device information
`
`and, at the very minimum, to disclose the access, collection, and dissemination of
`
`consumers’ data. Zoom failed to fulfill such duties.
`
`12. Zoom users have an expectation of privacy in their videoconference
`
`communications, just as they do during telephone calls, irrespective of the substance of those
`
`communications. With social distancing and quarantine orders in place during the COVID-
`
`19 pandemic, videoconference platforms like Zoom have replaced conference rooms,
`
`churches and temples, AA meeting rooms, schools, and healthcare professionals’ offices.
`
`
`9 Sebastien Meineck, 'Zoom Bombers' Are Still Blasting Private Meetings With Disturbing and Graphic Content (June
`10, 2020), available at <https://www.vice.com/en_us/article/m7je5y/zoom-bombers-private-calls-
`disturbing-content> (Last Visited July 28, 2020).
`
`10 Id.
`
`
`FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`- 4 -
`Case No. 5:20-cv-02155-LHK
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`29
`
`30
`
`31
`
`
`
`

`

`
`
`Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 6 of 75
`
`
`
`The need for proper security with respect to private video conferences during which people
`
`discuss their religious views, struggle with addiction, where children are educated, and where
`
`healthcare professionals provide counsel, is paramount.
`
`13. Zoom has issued mea culpas after the reports exposing its privacy inadequacies,
`
`admitting to the problems and vowing to change its ways.11 Nonetheless, independent
`
`ratings organizations consider Zoom’s commitment to security on par with some of the
`
`worst of today’s tech giants.12 Nonetheless, Zoom continues to exploit the ever-greater
`
`market share of the video conferencing that has become a daily necessity with state stay-at-
`
`home orders for attending class, practicing our faith, engaging with loved ones, and getting
`
`the advice of medical professionals. Ensuring privacy and safety during the use of Zoom’s
`
`popular platform is a matter of public interest.
`
`14. Each of these security lapses presents an independently actionable event. Data
`
`sharing relating to Facebook, Google Analytics, and LinkedIn incidents are breaches of
`
`common law, contract, and statutory duties to refrain from sharing and collecting users’
`
`valuable data without proper disclosures. Similarly, although they arise from the same
`
`freewheeling security practices, Zoom’s misrepresentations regarding of E2E encryption and
`
`its security protocols to prevent Zoombombings, are independently actionable.
`
`15. Zoom’s popularity is such that it has become ubiquitous despite its security
`
`shortcomings. Despite knowledge of Zoom’s shortcomings and a desire to maintain one’s
`
`privacy, many people including Plaintiffs nonetheless are required to use Zoom for work,
`
`school, or other purposes, including. For instance, this Court has been using Zoom to
`
`conduct hearings remotely during the pandemic.13
`
`
`11 CEO Eric Yuan himself admitted that Zoom fell “short of our community’s—and our own—privacy
`and security expectations.” Eric S. Yuan, A Message to Our Users (April 1, 2020), available at
`<https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/> (Last Visited July 30, 2020).
`
`12 As of May 2020, PrivacySpy gave Zoom a privacy score of 3.5 out of 10, similar to that of Facebook
`(3.2) and Amazon (3.5). See <https://privacyspy.org/product/zoom/> (Last Visited July 28, 2020).
`
`13 See Northern District of California, Preparing to Participate in a Zoom Video Conference, available at
`<https://www.cand.uscourts.gov/zoom/> (“Participants: If you do not already have a Zoom account,
`set one up at https://zoom.us.”) (Last Visited July 30, 2020).
`
`
`FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`- 5 -
`Case No. 5:20-cv-02155-LHK
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`29
`
`30
`
`31
`
`
`
`

`

`
`
`Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 7 of 75
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`16. Accordingly Plaintiffs, on behalf of themselves and all others similarly situated,
`
`bring this action to ensure that Zoom vastly improves its security practices going forward
`
`and to recover for past privacy violations.
`
`PARTIES
`
`17. Plaintiff Kristen Hartmann is, and at all times relevant was, a citizen of the
`
`State of Maryland residing in Rockville, Maryland. Ms. Hartmann purchased a “Zoom Pro”
`
`account for her own personal use and accessed Zoom’s video conferencing services. Ms.
`
`Hartmann accesses Zoom’s video conferencing services through her iPhone.
`
`18. Ms. Hartmann was not aware, and did not understand, that Zoom would collect
`
`and share her personal information with third parties, including Facebook. Nor was she
`
`aware that Zoom would allow third parties, like Facebook, to access her personal
`
`information and combine it with content and information from other sources to create a
`
`unique identifier or profile of her for advertising and behavior influencing and behavior
`
`influencing purposes. Rather, Ms. Hartmann registered with Zoom as a user and used
`
`Zoom’s services in reliance on Zoom’s promises that (a) Zoom does not sell users’ data; (b)
`
`Zoom takes privacy seriously and adequately protects users’ personal information; and (c)
`
`Zoom’s videoconferences are secured with end-to-end encryption and are protected by
`
`passwords and other security measures. Likewise, Ms. Hartmann did not give Zoom
`
`permission to access, take or use her personally identifiable information.
`
`19.
`
` Ms. Hartmann purchased her account having seen advertising that Zoom
`
`Meetings were equipped with end-to-end encryption technology, which was a feature that
`
`she valued and for which she was willing to pay a premium. After comparing Zoom against
`
`GoToMeeting and Webex, Ms. Hartmann selected Zoom over other options largely due to
`
`Zoom’s representations of its end-to-end encryption. Further, periodically during Zoom
`
`meetings calls, Ms. Hartmann would “check” to ensure the calls were end-to-end encrypted
`
`by hovering her cursor over the green lock icon in the application. The icon would then
`
`show text indicating active end-to-end encryption. Had Ms. Hartmann known that Zoom
`
`
`
`28
`
`
`
`29
`
`30
`
`31
`
`FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`- 6 -
`Case No. 5:20-cv-02155-LHK
`
`

`

`
`
`Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 8 of 75
`
`
`
`meetings were not actually end-to-end encrypted, she would not have paid for a Zoom Pro
`
`subscription, or she would have paid less for it.
`
`20. Plaintiff Isabelle Gmerek is, and at all times relevant was, a citizen of the
`
`State of California residing in Carlsbad, California
`
`21. Ms. Gmerek has registered an account with Zoom, and accessed Zoom’s video
`
`conferencing services. Ms. Gmerek accesses Zoom’s video conferencing services through
`
`her Android phone and iPad.
`
`22. Ms. Gmerek was not aware, and did not understand, that Zoom would collect
`
`and share her personal information with third parties, including Facebook. Nor was she
`
`aware that Zoom would allow third parties, like Facebook, to access her personal
`
`information and combine it with content and information from other sources to create a
`
`unique identifier or profile of her for advertising and behavior influencing purposes. Rather,
`
`Ms. Gmerek registered with Zoom as a user and used Zoom’s services in reliance on Zoom’s
`
`promises that (a) Zoom does not sell users’ data; (b) Zoom takes privacy seriously and
`
`adequately protects users’ personal information; and (c) Zoom’s videoconferences are
`
`secured with end-to-end encryption and are protected by passwords and other security
`
`measures. Likewise, Ms. Gmerek did not give Zoom permission to access, take or use her
`
`personally identifiable information.
`
`23.
`
`In late February or early March of 2020, Ms. Gmerek began using Zoom for
`
`meetings with her psychologist in reliance on representations by Zoom that it was a secure
`
`method of videoconferencing, that it was in full compliance with the Health Insurance
`
`Portability and Accountability Act (“HIPAA”), and that it had not misrepresented the
`
`security features available to users.
`
`24. Ms. Gmerek uses Zoom at least twice a week as an attendee, but she has no
`
`way of determining whether Zoom’s representations that her personal information will be
`
`secure are, in fact, correct.
`
`25. Plaintiff Lisa T. Johnston is, and at all times relevant was, a citizen of the
`
`State of California residing in Santa Monica, California. Ms. Johnston has registered an
`
`FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`- 7 -
`Case No. 5:20-cv-02155-LHK
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`29
`
`30
`
`31
`
`
`
`

`

`
`
`Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 9 of 75
`
`
`
`account with Zoom, and accessed Zoom’s videoconferencing services. Ms. Johnston
`
`accesses Zoom’s videoconferencing through her Apple laptop and iPhone.
`
`26. Ms. Johnston was not aware, and did not understand, that Zoom would collect
`
`and share her personal information with third parties, including Facebook. Nor was she
`
`aware that Zoom would allow third parties, like Facebook, to access her personal
`
`information and combine it with content and information from other sources to create a
`
`unique identifier or profile of her for advertising and behavior influencing purposes. Rather,
`
`Ms. Johnston registered with Zoom as a user and used Zoom’s services in reliance on
`
`Zoom’s promises that (a) Zoom does not sell users’ data; (b) Zoom takes privacy seriously
`
`and adequately protects users’ personal information; and (c) Zoom’s videoconferences are
`
`secured with end-to-end encryption and are protected by passwords and other security
`
`measures. Likewise, Ms. Johnston did not give Zoom permission to access, take or use her
`
`personally identifiable information.
`
`27. Plaintiff M.F. is, and at all times relevant was, a citizen of the State of
`
`California residing in Culver City, California. M.F. accessed Zoom’s video conferencing
`
`services without first creating a Zoom account. M.F. is, and at all relevant times was, under
`
`the age of 13. M.F. accesses Zoom’s video conferencing services through iPads, Windows
`
`laptop, and Android phone.
`
`28. M.F. was not aware, and did not understand, that Zoom would collect and
`
`share his personal information with third parties, including Facebook. Nor was he aware that
`
`Zoom would allow third parties, like Facebook, to access his personal information and
`
`combine it with content and information from other sources to create a unique identifier or
`
`profile of his for advertising and behavior influencing purposes. Rather, M.F. used Zoom’s
`
`services in reliance on Zoom’s promises that (a) Zoom does not sell users’ data; (b) Zoom
`
`takes privacy seriously and adequately protects users’ personal information; and (c) Zoom’s
`
`videoconferences are secured with end-to-end encryption and are protected by passwords
`
`and other security measures. Likewise, M.F. did not give Zoom permission to access, take
`
`or use his personally identifiable information.
`
`FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`- 8 -
`Case No. 5:20-cv-02155-LHK
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`29
`
`30
`
`31
`
`
`
`

`

`
`
`Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 10 of 75
`
`
`
`29. Plaintiff Therese Jimenez is, and at all times relevant was, a citizen of the
`
`State of California residing in Culver City, California. Ms. Jimenez accessed Zoom’s video
`
`conferencing services without first creating a Zoom account. Plaintiff Jimenez is the mother
`
`and natural guardian of Plaintiff M.F. Ms. Jimenez accesses Zoom’s video conferencing
`
`services through her iPad, Windows laptop, and Android phone.
`
`30. Ms. Jimenez later registered with Zoom as a user. When she did so Ms. Jimenez
`
`was not aware, and did not understand, that Zoom would collect and share her personal
`
`information with third parties, including Facebook. Nor was she aware that Zoom would
`
`allow third parties, like Facebook, to access her personal information and combine it with
`
`content and information from other sources to create a unique identifier or profile of her
`
`for advertising and behavior influencing purposes. Rather, Ms. Jimenez registered with
`
`Zoom as a user and used Zoom’s services in reliance on Zoom’s promises that (a) Zoom
`
`does not sell users’ data; (b) Zoom takes privacy seriously and adequately protects users’
`
`personal information; and (c) Zoom’s videoconferences are secured with end-to-end
`
`encryption and are protected by passwords and other security measures. Likewise, Ms.
`
`Jimenez did not give Zoom permission to access, take or use her personally identifiable
`
`information.
`
`31. Plaintiff Saint Paulus Lutheran Church is, and at all times relevant was, a
`
`citizen of the State of California. Saint Paulus Lutheran Church accesses Zoom’s video
`
`conferencing services through an Apple laptop.
`
`32.
`
`Saint Paulus Lutheran Church is an Evangelical Lutheran church located at
`
`1541 Polk Street, San Francisco, California. Founded in 1867, Saint Paulus has been serving
`
`countless congregants, including the homeless, the marginalized, and the underserved, in San
`
`Francisco for over 150 years. The Reverend Daniel Solberg is currently serving as the eighth
`
`Pastor of Saint Paulus Lutheran Church, a position he has held since November of 1999.
`
`Saint Paulus is a citizen of California. In Saint Paulus’s long history, it survived the Great
`
`Earthquake and Fire of 1906, the social and cultural turmoil of the 1960s–70s, and a 1995
`
`fire that destroyed its 103 year-old cathedral building.
`
`FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`- 9 -
`Case No. 5:20-cv-02155-LHK
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`29
`
`30
`
`31
`
`
`
`

`

`
`
`Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 11 of 75
`
`
`
`33. Plaintiff Heddi N. Cundle is, and at all times relevant was, a citizen of the
`
`State of California residing in San Francisco, California. She is the administrator at Saint
`
`Paulus. She organizes Saint Paulus’s weekly bible-study classes. Ms. Cundle registered an
`
`account with Zoom on behalf of Saint Paulus, and accessed Zoom’s videoconferencing on
`
`behalf of Saint Paulus. Ms. Cundle also registered a separate account with Zoom for personal
`
`use, and accessed Zoom’s videoconferencing for personal purposes. Ms. Cundle accesses
`
`Zoom’s video conferencing services through her iPhone and Windows laptop.
`
`34. Ms. Cundle was not aware, and did not understand, that Zoom would collect
`
`and share her personal information with third parties, including Facebook. Nor was she
`
`aware that Zoom would allow third parties, like Facebook, to access her personal
`
`information and combine it with content and information from other sources to create a
`
`unique identifier or profile of her for advertising and behavior influencing purposes. Rather,
`
`Ms. Cundle registered with Zoom as a user and used Zoom’s services in reliance on Zoom’s
`
`promises that (a) Zoom does not sell users’ data; (b) Zoom takes privacy seriously and
`
`adequately protects users’ personal information; and (c) Zoom’s videoconferences are
`
`secured with end-to-end encryption and are protected by passwords and other security
`
`measures. Likewise, Ms. Cundle did not give Zoom permission to access, take or use her
`
`personally identifiable information.
`
`35.
`
`Further, Ms. Cundle on behalf of Saint Paulus was not aware, and did not
`
`understand, that Zoom would collect and share Saint Paulus’s private information with third
`
`parties, including Facebook. Nor was she aware that Zoom would allow third parties, like
`
`Facebook, to access Saint Paulus’s private information and combine it with content and
`
`information from other sources to create a unique identifier or profile of Saint Paulus for
`
`advertising purposes. In fact, Ms. Cundle on behalf of Saint Paulus registered with Zoom as
`
`a user and used Zoom’s services in reliance on Zoom’s promises that (a) Zoom does not sell
`
`users’ data; (b) Zoom takes privacy seriously and adequately protects users’ personal
`
`information; and (c) Zoom’s videoconferences are secured with end-to-end encryption and
`
`are protected by passwords and other security measures. Likewise, Ms. Cundle on behalf of
`
`FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`- 10 -
`Case No. 5:20-cv-02155-LHK
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`29
`
`30
`
`31
`
`
`
`

`

`
`
`Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 12 of 75
`
`
`
`Saint Paulus did not give Zoom permission to access, take or use its personally identifiable
`
`information.
`
`36. To conduct Saint Paulus’s weekly Bible-study class in compliance with the
`
`State’s stay-at-home order, Ms. Cundle registered an account with Zoom on behalf of Saint
`
`Paulus. Saint Paulus paid the fee to use a “Zoom Pro” account. Through Ms. Cundle and
`
`congregants, Saint Paulus has continued to use and access Zoom videoconferencing services.
`
`37.
`
`For the May 6, 2020 Saint Paulus Bible-study class, Ms. Cundle followed
`
`Zoom’s instructions to set up a password-protected meeting. Despite her efforts, an intruder
`
`hacked into the Bible-study meeting and hijacked the meeting, displaying child pornography
`
`images and video to the participants. During the Zoombombing incident, Ms. Cundle and
`
`the other participants were unable to minimize or close the video screen. Despite Ms.
`
`Cundle’s efforts to use the tools Zoom made available to her, she could not stop the graphic
`
`display or eject the intruder and, thus, closed the meeting and instructed the participants to
`
`rejoin. As soon as participants rejoined, the intruder again hijacked the Bible study with
`
`further displays of child pornography. Despite Ms. Cundle’s efforts to use the tools Zoom
`
`made available to her, she could not stop the graphic display or eject the intruder and, thus,
`
`after attempting, unsuccessfully, to block the intruder or close the meeting, she finally closed
`
`the meeting. The depravity of the video footages was beyond description here. Ms. Cundle
`
`and the other participants were traumatized and deeply disturbed.
`
`38.
`
`Immediately following the May 6, 2020 Zoombombing incident, Ms. Cundle
`
`reported the incident to Zoom. In response, Zoom admitted that the intruder was “a known
`
`serial offender who disrupts open meetings by showing the same video” and, shockingly,
`
`had “been reported multiple times to the authorities.” Despite this, it was not until Ms.
`
`Cundle reported the May 6, 2020 Zoombombing incident that Zoom finally blocked the
`
`intruder “from joining future meetings using the same Zoom software.”
`
`39. Plaintiff Oak Life Church is, and at all relevant times was, a citizen of the
`
`State of California. Oak Life Church is located at 337 17th Street, Oakland, California.
`
`Founded in 2014, Oak Life Church is a decentralized, non-denominational Christian church
`
`FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`- 11 -
`Case No. 5:20-cv-02155-LHK
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`29
`
`30
`
`31
`
`
`
`

`

`
`
`Case 5:20-cv-02155-LHK Document 126 Filed 10/28/20 Page 13 of 75
`
`
`
`serving the marginalized and the underserved in the community. Beginning in March 2020,
`
`Oak Life Church registered an account with Zoom, which it subsequently converted to a
`
`paid “Zoom Pro” account. Thereafter, Oak Life Church accessed Zoom’s
`
`videoconferencing services for team meetings, Bible studies, prayer meetings, and church
`
`services. Oak Life Church accesses Zoom’s video conferencing services through an iPhone
`
`and an Apple laptop.
`
`40. Oak Life Church was not aware, and did not understand, that Zoom would
`
`collect and share its private information with third parties, including Facebook. Nor was Oak
`
`Life Church aware that Zoom would allow third parties, like Facebook, to access its private
`
`information and combine it with content and information from other sources to create a
`
`unique identifier or profile of Oak Life Church for advertising purposes. In fact, Oak Life
`
`Church registered with Zoom as a user and used Zoom’s services in reliance on Zoom’s
`
`promises that (a) Zoom does not sell users’ data; (b) Zoom takes privacy seriously and
`
`adequately protects users’ personal information; and (c) Zoom’s videoconferences are
`
`secured with end-to-end encryption and are protected by passwords and other security
`
`measures. Likewise, Oak Life Church did not give Zoom permission to access, take or use
`
`its personally identifiable information.
`
`41. On April 19, 2020, Oak Life Church and its members were subjected to a
`
`Zoombombing incident during a regularly-scheduled Sunday church service. Following
`
`protocols provided by Zoom, the meeting on April 19, 2020 was set up with a waiting room,
`
`mute on entry, and no ability for users to share their screens. Thirty minutes into the service,
`
`while the host was using Zoom’s screen-sharing feature, the