throbber
Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 1 of 51
`
`
`
`Jason S. Hartley (SBN 192514)
`HARTLEY LLP
`101 West Broadway, Suite 820
`San Diego, California 92101
`Telephone: 619-400-5822
`hartley@hartleyllp.com
`Norman E. Siegel (pro hac vice forthcoming)
`J. Austin Moore (pro hac vice forthcoming)
`STUEVE SIEGEL HANSON LLP
`460 Nichols Road, Suite 200
`Kansas City, Missouri 64112
`Telephone: 816-714-7100
`siegel@stuevesiegel.com
`moore@stuevesiegel.com
`
`
`
`
`
`
`Plaintiffs,
`
`v.
`
`CLASS ACTION COMPLAINT
`AND DEMAND FOR JURY TRIAL
`
`1. Violation of California’s Unfair
`Competition Law
`2. Breach of Implied Contract
`3. Violation of California’s
`Consumer Privacy Act
`4. Violation of California’s
`Consumer Legal Remedies Act
`5. Unjust Enrichment/Quasi-
`Contract
`6. Declaratory Judgment
`7. Negligence
`8. Invasion of Privacy (Public
`Disclosure of Private Facts)
`
`
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`
`
` Case No. ______________
`TESHA KONDRAT, GAVIN WOLFE, and
`
`CHANELLE MURPHY, individually and
`on behalf of all others similarly situated,
`
`
`
`
`
`
`ZOOM VIDEO COMMUNICATIONS,
`INC.,
`
`
`
`
`
`Defendant.
`
`
`
`
`
`1
`
`CLASS ACTION COMPLAINT
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 2 of 51
`
`
`
`
`
`Plaintiffs Tesha Kondrat, Gavin Wolfe, and Chanelle Murphy, individually and
`on behalf of all persons similarly situated, bring this Class Action Complaint against
`Defendant Zoom Video Communications, Inc. (“Defendant” or “Zoom”), based upon
`personal knowledge with respect to themselves, and on information and belief derived
`from investigation of counsel and review of public documents as to all other matters.
`INTRODUCTION
`1.
`“I really messed up.” That’s what Zoom’s chief executive officer (CEO)
`Eric Yuan admitted on April 4, 2020, after dozens of security and privacy flaws had
`been exposed in his company’s wildly popular video-conferencing platform Zoom. But
`Mr. Yuan’s admission comes too late for the millions of individuals who already
`downloaded and utilized the Zoom platform, unknowingly exposing themselves to
`sweeping privacy issues that could place them at risk of harm for years to come. As Mr.
`Yuan soberly acknowledged: “This kind of thing shouldn’t have happened.”
`2.
`Zoom is a video communications provider, offering a cloud platform for
`video and audio conferencing, collaboration, chat and webinars. Its meteoric rise from
`a startup with 40 engineers in 2011 to its $20 billion initial public offering in 2019 was
`celebrated, and its trajectory during the COVID-19 pandemic has exponentially
`increased as the homebound population uses it as their business and social lifeline. But
`Zoom’s assent came at the expense of consumers’ privacy, as it prioritized its breakneck
`growth above the security of consumers’ data and privacy.
`3.
`Zoom’s sudden ubiquitous presence in the lives of Americans forced to
`stay at home and limit face-to-face communications has exposed numerous deficiencies
`in the technology’s data privacy and security, with new problems coming to light as
`each day passes. Zoom is now playing catch-up to fix each problem as it arises, but it
`appears to always be one step behind. By using Zoom’s rushed-to-market technologies,
`consumers’ private communications and personally-identifying information and data
`are being exposed to third-parties, both intentionally by Zoom, and maliciously by
`nefarious actors exploiting flaws in Zoom’s data security.
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`
`
`2
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 3 of 51
`
`
`
`
`
`4.
`As a result of Zoom’s intentional and negligent data security failures,
`Plaintiffs’ and Class Members’ personal information has been exposed and is at a
`significant risk of further exposure, and their privacy-rights have been violated.
`Plaintiffs bring this lawsuit on behalf of themselves and other similarly-situated users
`of Zoom’s technologies to hold Zoom responsible for its deficient privacy and data
`security, stop Zoom from continuing to profit at the expense of consumers’ privacy and
`security, require that Zoom take all necessary measures to secure the privacy of user
`accounts and devices, and compensate Plaintiffs and Class Members for the damage
`that its acts and omissions have caused.
`PARTIES
`5.
`Plaintiff Tesha Kondrat is a resident and citizen of Los Angeles, California.
`She agreed to pay $14.99 per month for Zoom’s “Pro” video conferencing plan to
`communicate with family, friends, and business colleagues in the midst of the
`pandemic. At the time she began using Zoom’s products and services, she was not
`aware, and did not understand, that they included significant security-deficiencies that
`would result in the exposure and risk of exposure of her private communications and
`personally-identifying information. If Ms. Kondrat had known what she now knows
`about Zoom’s data security and privacy deficiencies, she would not have purchased
`Zoom, or would not have paid as much for it.
`6.
`Plaintiff Gavin Wolfe is a resident and citizen of Sunnyvale, California.
`He agreed to pay $149.90 annually for Zoom’s “Pro” video conferencing plan to host a
`Bible study group in the midst of the pandemic. At the time he began using Zoom’s
`products and services, he was not aware, and did not understand, that they included
`significant security-deficiencies that would result in the exposure and risk of exposure
`of his private communications and personally-identifying information. If Mr. Wolfe had
`known what he now knows about Zoom’s data security and privacy deficiencies, he
`would not have purchased Zoom, or would not have paid as much for it.
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`
`
`3
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 4 of 51
`
`
`
`
`
`7.
`Plaintiff Chanelle Murphy is a resident and citizen of Sunnyvale,
`California. She downloaded and used the Zoom application for iOS. At the time she
`began using Zoom’s products and services, she did not know Zoom was sharing her
`personally-identifying information to third-parties, like Facebook, and did not consent
`to this practice. If Ms. Murphy had learned what she knows now about Zoom’s practice
`of sharing personally-identifying information with third-parties, like Facebook, she
`would not have downloaded and used the Zoom application.
`8.
`Defendant Zoom is a Delaware corporation with its principal place of
`business in San Jose, California.
`JURISDICTION AND VENUE
`9.
`This Court has subject matter jurisdiction over this action under 28 U.S.C.
`§ 1332, the Class Action Fairness Act, because: (i) there are 100 or more class members;
`(ii) the aggregate amount in controversy exceeds $5,000,000, exclusive of interest and
`costs; and (iii) there is minimal diversity because members of the Class are citizens of
`different states from Defendant.
`10. This Court has personal jurisdiction over Defendant because it maintains
`its headquarters in this District and operates in this District. Through its business
`operations in this District, Defendant intentionally avails itself of the markets within
`this District to render the exercise of jurisdiction by this Court just and proper.
`11. Venue is proper in this Court pursuant to 28 U.S.C. § 1391 because
`significant events giving risk to this case took place in this District, and because
`Defendant is authorized to conduct business in this District, has intentionally availed
`itself of the laws and markets within this District, does substantial business in this
`District, and is subject to personal jurisdiction in this District.
`STATEMENT OF FACTS
`12. Zoom is a cloud-based video communications platform that offers
`companies and consumers the ability to hold video conferences, webinars, conference
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`
`
`4
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 5 of 51
`
`
`
`
`calls, and chats. Zoom claims that it can provide “video for every need,” allowing users
`to “join anywhere, on any device.”1
`13. Businesses, healthcare organizations, educational
`institutions, and
`individuals use the Zoom platform for a variety of business and social purposes. Zoom’s
`use has exploded recently in response to the novel-coronavirus pandemic’s social-
`distancing requirements that are forcing more people to stay at home. “Where once it
`enabled client conferences or training webinars, it is now also a venue for virtual
`cocktail hours, Zumba classes and children’s birthday parties.”2 The number of daily
`meeting participants across Zoom’s services has increased from 10 million at the end
`of 2019 to 200 million now.3
`14. Zoom’s initial public offering last year was one of 2019’s most successful
`public offerings, making Zoom’s CEO, Eric Yuan, a billionaire.4 And while the stock
`market has seen its first bear market since the 2008 financial crisis,5 Zoom’s share price
`soared,6 that is, until recently when investors learned of its major security and privacy
`flaws.7
`
`
`1 Zoom Meetings & Chat, https://zoom.us/meetings (last visited April 12, 2020).
`2 Aaron Tilley and Robert McMillan, Zoom CEO: ‘I Really Messed Up’ on Security as Coronavirus
`Drove Video Too’s Appeal, The Wall Street Journal (April 4, 2020) (“I really messed up”),
`https://www.wsj.com/articles/zoom-ceo-i-really-messed-up-on-security-as-coronavirus-drove-
`video-tools-appeal-11586031129?st=jmn0xqiy1ea3c63&mod=openfreereg.
`3 Id.
`4 Id.
`5 Sergei Klebnikov, Bear Market, Dow Drops Over 1,400 Points, Ending Longest Bull Market in
`U.S. History, Forbes (Mar. 11, 2020),
`https://www.forbes.com/sites/sergeiklebnikov/2020/03/11/bear-market-dow-drops-over-1400-
`points-ending-longest-bull-market-in-us-history/#6e75715c6ae4.
`6 Rupert Neate, Zoom booms as demand for video-conferencing tech grows, The Guardian (Mar 31,
`2020), https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-
`conferencing-tech-grows-in-coronavirus-outbreak.
`7 Wallace Witkowski, Zoom Video stock slides as much as 15% after analyst joins in backlash on
`valuation fears, Market Watch (April 6, 2020), https://www.marketwatch.com/story/zoom-video-
`stock-slides-as-much-as-15-after-analyst-joins-in-backlash-on-valuation-fears-2020-04-06.
`
`
`
`5
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 6 of 51
`
`
`
`
`
`15. Zoom understands that its users want their private meetings to remain
`private, and their personal information secured, touting its “end-to-end encryption for
`all meetings, role-based user security, password protection, waiting rooms, and place
`attendee on hold,” as measures to allow users to “meet securely.”8 Zoom promises its
`customers that “we take security seriously and we are proud to exceed industry
`standards when it comes to your organizations communications.”9 It further promises
`that it “is committed to protecting your privacy,” and claims it has “designed policies
`and controls to safeguard the collection, use, and disclosure of your information.”10
`According to Zoom, it “places privacy and security as the highest priority in the
`lifecycle operations of our communications infrastructure.”11
`16. Plaintiffs and Class Members place significant value in data security.
`According to a recent survey conducted by cyber-security company FireEye,
`approximately 50% of consumers consider data security to be a main or important
`consideration when making purchasing decisions and nearly the same percentage would
`be willing to pay more in order to work with a provider that has better data security.
`Likewise, 70% of consumers would provide less personal information to organizations
`that do not secure their personal data.12
`17. Because of the value consumers place on data privacy and security,
`companies with robust data security practices can command higher prices than those
`who do not. Indeed, if consumers did not value their data security and privacy, Zoom
`
`
`8 Zoom Security Guide (April 2020), https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
`(last visited April 12, 2020).
`9 Security at Zoom, https://zoom.us/security (last visited April 12, 2020).
`10 Id.
`11 See Zoom Security Guide, supra note 8.
`12 FireEye, Beyond the Bottom Line: The Real Cost of Data Breaches (May 2016),
`https://www.fireeye.com/blog/executive-perspective/2016/05/beyond_the_bottomli.html (last
`visited April 12, 2020).
`
`
`
`6
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 7 of 51
`
`
`
`
`would have no reason to tout its data security and privacy efforts to their actual and
`potential customers.
`18. As it turns out, Zoom’s promises of privacy and security were false, and
`Zoom has been forced to walk many of these representations back as the company’s
`meteoric rise has put a spotlight on its technologies’ numerous security flaws.
`19. On April 1, 2020, Zoom’s Chief Executive Officer, Eric Yuan, admitted
`that the company had “fallen short of the community’s – and our own – privacy and
`security expectations,”13 acknowledging that Zoom “did not design the product with the
`foresight” to accommodate the number of people using and the variety of reasons it was
`being used. This, he said, “present[ed] us with challenges we did not anticipate when
`the platform was conceived.”14 On April 4, 2020, after more and more security and
`privacy flaws were exposed, Yuan admitted that he had “really messed up as CEO, and
`we need to win [users’] trust back,” stating “[t]his kind of thing shouldn’t have
`happened.”15
`A. Zoom prioritizes rapid growth over consumers’ security.
`20. Compared to other video-conferencing platforms, Zoom is easy to set up
`and use, and this ease-of-use has caused Zoom to take off while other platforms have
`not.16 “But there’s a downside.” Zoom’s ease-of-use comes at the expense of data
`security, as numerous security and privacy problems have been exposed in a matter of
`
`
`13 Eric S. Yuan, A Message to Our Users, Zoom Blog (April 1, 2020) (“April 1, 2020 Zoom Blog”),
`https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/.
`14 Id.
`15 See I Really Messed Up, supra note 2.
`16 Paul Wagenseil, Zoom privacy and security issues: Here’s everything that’s wrong (so far),
`Tom’s Guide (last updated April 10, 2020) (“Tom’s Guide”),
`https://www.tomsguide.com/news/zoom-security-privacy-woes.
`
`
`
`7
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 8 of 51
`
`
`
`
`weeks.17 The backlash against Zoom has already begun, with school districts,18
`governments,19 and major companies like SpaceX and Google20 banning the use of
`Zoom due to privacy and security concerns.
`21. As detailed below, as of the filing of this Complaint, more than a dozen
`security and privacy problems with Zoom’s technologies have come to light, exposing
`the company’s overall lax view of data security as it rushed to get its technology to
`market and to the front-of-the-line. Each of these problems shows that consumers’
`information and privacy is at risk and that Zoom’s representations of data security were
`false and misleading.
`1. Zoom blatantly misrepresents its encryption capabilities.
`22. Prior to April 2020, Zoom’s website and its security white paper claimed
`its meetings use “end-to-end encryption”—a method of secure communication that
`prevents third parties from accessing data while it is transferred from one end system
`or device to another. “End-to-end encryption” is well known in the technology field to
`designate data that can be sent from one user endpoint (like a desktop, laptop,
`smartphone or tablet) to another endpoint where the server delivering the information
`
`
`17 Id.
`18 Sean Keane, School districts reportedly ban Zoom over security issues, CNET (April 6, 2020),
`https://www.cnet.com/news/school-districts-reportedly-ban-zoom-over-security-issues/; John
`Geddie, Singapore stops teachers using Zoom app after ‘very serious incidents’, Reuters (April 9,
`2020), https://www.reuters.com/article/us-zoom-video-comm-privacy-singapore-
`idUSKCN21S0AH.
`19 Mary Hui, Taiwan is taking cybersecurity seriously by banning the use of Zoom in government
`(April 7, 2020), https://qz.com/1834151/taiwan-government-bans-official-use-of-zoom/; Ben
`Lovejoy, Governments restrict or ban the use of Zoom, as company faces lawsuit, 9to5mac (April 8,
`2020), https://9to5mac.com/2020/04/08/ban-the-use-of-zoom/; Kiran Stacey and Hannah Murphy,
`US Senate tells members not to use Zoom, ars technical (April 9, 2020),
`https://arstechnica.com/tech-policy/2020/04/us-senate-tells-members-not-to-use-zoom/.
`20 Munsif Vengattil, Joey Roulette, Elon Musk’s SpaceX bans Zoom over privacy concerns – memo,
`Reuters (April 1, 2020), https://www.reuters.com/article/us-spacex-zoom-video-commn/elon-
`musks-spacex-bans-zoom-over-privacy-concerns-memo-idUSKBN21J71H?il=0; Pranav Dixit,
`Google Has Banned Zoom Software From Employees’ Computers, Citing Security Vulnerabilities,
`BuzzFeed News (April 8, 2020), https://www.buzzfeednews.com/article/pranavdixit/google-bans-
`zoom?bftwnews&utm_term=4ldqpgc#4ldqpgc.
`
`
`
`8
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 9 of 51
`
`
`
`
`cannot decrypt the message. For example, when a user sends an Apple message from
`an iPhone to another iPhone user, Apple’s servers help the message get from one place
`to another, but they can’t read the content. So end-to-end encryption means that only
`the parties to the communication can access it, and not any middlemen that relay the
`communication through its servers. This is not the case with Zoom.
`23. Under pressure from investigative journalists at The Intercept, a Zoom
`representative admitted that Zoom’s definitions of “end-to-end” and “endpoint” are not
`the same as that commonly used in the technology industry.21 The Zoom spokesperson
`admitted “When we use the phrase ‘End to End,’ in our literature, it is in reference to
`the connection being encrypted from Zoom end point to Zoom end point.”22 Because it
`holds the encryption keys, Zoom can view users’ communications, and could share that
`information with others, for example, if presented with a warrant from law
`enforcement.23
`24. Notably, Apple’s FaceTime, which allows group videoconferencing,
`offers actual end-to-end encryption, so the technology is available and used by Zoom’s
`competitors.24 Of course that’s what Zoom users thought they were getting based on
`Zoom’s false representations that it too provided “end-to-end” encryption.
`25.
`In a blog post dated April 1, 2020, Zoom’s chief product officer Oded Gal
`admitted the company had misrepresented its level of encryption writing “we want to
`start by apologizing for the confusion we have caused by incorrectly suggesting that
`Zoom meetings were capable of using end-to-end encryption.”25 He further
`
`21 Micah Lee, Yael Grauer, Zoom Meeting Aren’t End-To-End Encrypted, Despite Misleading
`Marketing, The Intercept (Mar. 31, 2020), https://theintercept.com/2020/03/31/zoom-meeting-
`encryption/.
`22 Id.
`23 See Tom’s Guide, supra note 16.
`24 Id.
`25 Oded Gal, The Facts Around Zoom and Encryption for Meetings/Webinars, Zoom Blog (April 1,
`2020), https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-
`webinars/.
`
`
`
`9
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 10 of 51
`
`
`
`
`acknowledged: “We recognize that there is a discrepancy between the commonly
`accepted definition of end-to-end encryption and how we were using it.”26
`26. Not only was Zoom misleading consumers about its “end-to-end
`encryption” capabilities, but it also falsely represented the quality of its encryption
`algorithm. Zoom says it uses AES-256 encryption to encode video and audio data
`traveling between Zoom servers and Zoom users, but researchers at The Citizen Lab at
`the University of Toronto reported on April 3, 2020, that Zoom actually uses a weaker
`single AES-128 key in a home-grown “ECB mode”, which is not as secure as
`promised.27 “Even worse, Zoom uses an in-house implementation of encryption
`algorithm that preserves patterns from the original file. It’s as if someone drew a red
`circle on a gray wall, and then a censor painted over the red circle with a whi[t]e circle.
`You’re not seeing the original message, but the shape is still there.”28
`27.
`In a blog post on April 3, 2020, Zoom’s CEO Eric Yuan acknowledged the
`encryption issue but said only that “we recognize that we can do better with our
`encryption design” and “we expect to have more to share on this front in the coming
`days.”29
`2. The Chinese Government may have access to private information.
`28. The Citizen Lab report also revealed that several Zoom servers in China
`were issuing encryption keys to Zoom users even when all participants in the meeting
`were in North America.30
`
`
`
`26 Id.
`27 Bill Marczak and John Scott-Railton, Move Fast and Roll Your Own Crypto, A Quick Look at the
`Confidentiality of Zoom Meetings, The Citizen Lab (April 3, 2020) (“The Citizen Lab”),
`https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-
`zoom-meetings/.
`28 See Tom’s Guide, supra note 16.
`29 Eric S. Yuan, Response to Research From University of Toronto’s Citizen Lab Zoom Blog (April
`3, 2020) (“April 3, 2020 Zoom Blog”), https://blog.zoom.us/wordpress/2020/04/03/response-to-
`research-from-university-of-torontos-citizen-lab/.
`30 The Citizen Lab, supra note 27.
`
`
`
`10
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 11 of 51
`
`
`
`
`
`29. While Zoom is a Silicon Valley-based company, it owns three companies
`in China through which at least 700 employees are paid to develop Zoom’s software.
`According to the Citizen Lab: “This arrangement is ostensibly an effort at labor
`arbitrage: Zoom can avoid paying US wages while selling to US customers, thus
`increasing their profit margin. However, this arrangement may make Zoom responsive
`to pressure from Chinese authorities.”31
`30. Since Zoom servers can decrypt Zoom meetings while falsely claiming
`“end-to-end encryption”, and Chinese authorities can compel operators of Chinese
`servers to hand over data, “the Chinese government might be able to see your Zoom
`meetings.”32
`31.
`In his April 3, 2020 blog post, Zoom’s CEO Eric Yuan admitted this was
`a problem: “In our urgency to come to the aid of people around the world during this
`unprecedented pandemic, we added server capacity and deployed it quickly — starting
`in China, where the outbreak began. In that process, we failed to fully implement our
`usual geo-fencing best practices. As a result, it is possible certain meetings were allowed
`to connect to systems in China, where they should not have been able to connect.”33
`Zoom claims to have fixed this problem.34
`3. Zoom meeting recordings can be found online.
`32. Zoom meeting recordings saved to the meeting host’s computer are
`automatically assigned a certain type of default file name. Patrick Jackson, the
`technology chief of the privacy-software company Disconnect and a former researcher
`for the National Security Agency, searched unprotected cloud servers to see if anyone
`
`
`
`31 Id.
`32 See Tom’s Guide, supra note 16.
`33 April 3, 2020 Zoom Blog, supra note 29.
`34 Id.
`
`
`
`11
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 12 of 51
`
`
`
`
`had uploaded Zoom recordings and found more than 15,000 unprotected examples,
`according to The Washington Post.35
`33. Videos viewed by The Washington Post included “one-on-one therapy
`sessions; a training orientation for workers doing telehealth calls that included people’s
`names and phone numbers; small-business meetings that included private company
`financial statements; and elementary school classes, in which children’s faces, voices
`and personal details were exposed. Many of the videos include personally identifiable
`information and deeply intimate conversations, recorded in people’s homes. Other
`videos include nudity, such as one in which an aesthetician teaches students how to give
`a Brazilian wax.”36
`34. As explained by The Post, “because Zoom names every video recording in
`an identical way, a simple online search can reveal a long stream of videos elsewhere
`that anyone can download and watch.”37
`35.
`Jackson said Zoom could do a better job at cautioning people to protect
`their videos. Zoom could also help by implementing design tweaks, such as naming
`videos in an unpredictable way to make them harder to find.38 In designing their service,
`Zoom’s engineers bypassed these common security features. “That style of operating
`simplicity has powered Zoom to become the most popular video-chat application in the
`United States, but it has also frustrated some security researchers who believe such
`shortcuts can leave users more vulnerable to hacks or abuse.”39
`
`
`
`
`35 Drew Harwell, Thousands of Zoom video calls left exposed on open Web, The Washington Post
`(April 3, 2020), https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-
`calls-left-exposed-open-web/.
`36 Id.
`37 Id.
`38 Id.
`39 Id.
`
`
`
`12
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 13 of 51
`
`
`
`
`
`4. Zoom meetings can be accessed by malicious, uninvited participants.
`36. Due to Zoom’s lax privacy controls, anyone can join a public Zoom
`meeting if they know the meeting number, and then use the file-share photo to post
`shocking images, or make disruptive sounds in the audio—a phenomenon dubbed
`“Zoombombing”. The uses of Zoombombing by nefarious actors are as varied as the
`imaginations of the hackers themselves. The incidents started as pranks or trolling, and
`have risen to the level of hate speech and harassment. The host of the Zoom meeting
`can mute or even kick out troublemakers, but they can come right back with new user
`IDs. Zoom made such so-called “Zoombombs” easy because its default settings did not
`require users to have a password to join.40
`37. An analysis by The New York Times found “153 Instagram accounts,
`dozens of Twitter accounts and private chats, and several active message boards on
`Reddit and 4Chan where thousands of people had gathered to organize Zoom
`harassment campaigns, sharing meeting passwords and plans for sowing chaos in public
`and private meetings.”41
`38. For example, on April 6, 2020, the first day the San Diego school district
`started its distance learning program, a high school biology class was Zoombombed. A
`person with the username “Dee Znuts” wore a red ski mask and a red sweatshirt during
`the meeting and made several hand signs in front of his computer’s camera, screenshots
`of the Zoom meeting show. Another unknown person displayed a photo of a bearded
`man on their camera and displayed a caption that claimed the biology teacher “Hates
`BlackPeople.” And a third unknown person typed the n-word in the group chat.42
`
`40 Taylor Lorenz and Davey Alba, ‘Zoombombing’ Becomes a Dangerous Organized Effort, The
`New York Times (April 3, 2020), https://www.nytimes.com/2020/04/03/technology/zoom-
`harassment-abuse-racism-fbi-warning.html.
`41 Id.
`42 Kristen Taketa, San Diego ‘Zoombombing’ incident highlights need for schools to use safety
`controls, The San Diego Union-Tribune (April 8, 2020),
`https://www.sandiegouniontribune.com/news/education/story/2020-04-08/san-diego-zoombombing-
`incident-highlights-need-for-schools-to-use-safety-controls.
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`
`
`13
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 14 of 51
`
`
`
`
`
`39. On March 29, 2020, during a call among members of the Concordia
`Forum, a global network of Muslim leaders, about maintaining spirituality and wellness
`during the coronavirus crisis, a cursor began to draw a racial slur across one of the
`slides. The infiltrator then began to screen-share a pornographic video while repeating
`the racial epithet verbally.43
`40. Harassers have begun to use every feature of Zoom’s platform for abuse,
`including using the app’s custom background feature to project a GIF of a person
`drinking to participants in an Alcoholics Anonymous meeting, and its annotation feature
`to write racist messages in a meeting of the American Jewish Committee in Paris.44
`41. The frequency and reach of the incidents on Zoom prompted the F.B.I. to
`issue a warning on March 30, 2020, singling out Zoom and stating that it had “received
`multiple reports of conferences being disrupted by pornographic or hate images and
`threatening language” nationwide.45
`42. To avoid Zoombombing, Zoom advises meeting hosts to set up “waiting
`rooms.” A waiting room keeps participants on hold until a host lets them in, either all
`at once or one at a time. However, The Citizen Lab said it found a serious security issue
`with Zoom waiting rooms, and advised hosts and participants to not use them for now.
`The Citizen Lab is not disclosing the details of the waiting room flaw because the issue
`presents a risk to users, and it did not want the issue to be abused before Zoom could
`fix it, but has told Zoom of the flaw.46
`43. Moreover, nefarious actors can easily find open meetings to harass users
`by rapidly cycling through possible Zoom meeting IDs, a security researcher told
`
`
`
`43 Id.
`44 Id.
`45 Kristen Setera, FBI Wans of Teleconferencing and Online Classroom Hijacking During COVID-
`19 Pandemic, FBI Boston (March 30, 2020), https://www.fbi.gov/contact-us/field-
`offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-
`during-covid-19-pandemic.
`46 The Citizen Lab, supra note 27.
`
`1 2 3 4 5 6 7 8 9
`1 2 3 4 5 6 7 8 9
`
`10
`10
`11
`11
`12
`12
`13
`13
`14
`14
`15
`15
`16
`16
`17
`17
`18
`18
`19
`19
`20
`20
`21
`21
`22
`22
`23
`23
`24
`24
`25
`25
`26
`26
`27
`27
`28
`28
`
`
`
`14
`
`

`

`Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 15 of 51
`
`
`
`
`security blogger Brian Krebs.47 The researcher got past Zoom’s meeting-scan blocker
`by running queries through Tor, which randomized his IP address. It’s a variation on
`“war driving” by randomly dialing telephone numbers to find open modems in the dial-
`up days. The researcher told Krebs that he could find about 100 open Zoom meetings
`every hour with the tool, and that “having a password enabled on the [Zoom] meeting,”
`which is not the default, “is the only thing that defeats it.”
`5. Zoom meeting chats don’t stay private and are not secure.
`44. During meetings, Zoom ostensibly allows users to message privately
`amongst each other through a private window in the meeting’s chat app. But
`unbeknownst to those users, their conversations are not private and will be visible in
`the end-of-meeting transcript the host receives, thus allowing the host to see the
`discussion had during the supposedly private side-meeting.48
`45.
`In addition, during side chats, participants can send text-based messages
`and post web l

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket