Jason S. Hartley (SBN 192514)
HARTLEY LLP
101 West Broadway, Suite 820
San Diego, California 92101
Telephone: 619-400-5822
hartley@hartleyllp.com

Norman E. Siegel (pro hac vice forthcoming)
J. Austin Moore (pro hac vice forthcoming)
STUEVE SIEGEL HANSON LLP
460 Nichols Road, Suite 200
Kansas City, Missouri 64112
Telephone: 816-714-7100
siegel@stuevesiegel.com
moore@stuevesiegel.com

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

TESHA KONDRAT, GAVIN WOLFE, and CHANELLE MURPHY, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

ZOOM VIDEO COMMUNICATIONS, INC.,

Defendant.

Case No. ______________

CLASS ACTION COMPLAINT AND DEMAND FOR JURY TRIAL

1. Violation of California’s Unfair Competition Law
2. Breach of Implied Contract
3. Violation of California’s Consumer Privacy Act
4. Violation of California’s Consumer Legal Remedies Act
5. Unjust Enrichment/Quasi-Contract
6. Declaratory Judgment
7. Negligence
8. Invasion of Privacy (Public Disclosure of Private Facts)
Case 5:20-cv-02520-LHK Document 1 Filed 04/13/20 Page 2 of 51

Plaintiffs Tesha Kondrat, Gavin Wolfe, and Chanelle Murphy, individually and on behalf of all persons similarly situated, bring this Class Action Complaint against Defendant Zoom Video Communications, Inc. (“Defendant” or “Zoom”), based upon personal knowledge with respect to themselves, and on information and belief derived from investigation of counsel and review of public documents as to all other matters.
INTRODUCTION
1. “I really messed up.” That’s what Zoom’s chief executive officer (CEO) Eric Yuan admitted on April 4, 2020, after dozens of security and privacy flaws had been exposed in his company’s wildly popular video-conferencing platform Zoom. But Mr. Yuan’s admission comes too late for the millions of individuals who already downloaded and utilized the Zoom platform, unknowingly exposing themselves to sweeping privacy issues that could place them at risk of harm for years to come. As Mr. Yuan soberly acknowledged: “This kind of thing shouldn’t have happened.”
2. Zoom is a video communications provider, offering a cloud platform for video and audio conferencing, collaboration, chat and webinars. Its meteoric rise from a startup with 40 engineers in 2011 to its $20 billion initial public offering in 2019 was celebrated, and its trajectory during the COVID-19 pandemic has exponentially increased as the homebound population uses it as their business and social lifeline. But Zoom’s ascent came at the expense of consumers’ privacy, as it prioritized its breakneck growth above the security of consumers’ data and privacy.
3. Zoom’s sudden ubiquitous presence in the lives of Americans forced to stay at home and limit face-to-face communications has exposed numerous deficiencies in the technology’s data privacy and security, with new problems coming to light as each day passes. Zoom is now playing catch-up to fix each problem as it arises, but it appears to always be one step behind. By using Zoom’s rushed-to-market technologies, consumers’ private communications and personally-identifying information and data are being exposed to third-parties, both intentionally by Zoom, and maliciously by nefarious actors exploiting flaws in Zoom’s data security.
4. As a result of Zoom’s intentional and negligent data security failures, Plaintiffs’ and Class Members’ personal information has been exposed and is at a significant risk of further exposure, and their privacy-rights have been violated. Plaintiffs bring this lawsuit on behalf of themselves and other similarly-situated users of Zoom’s technologies to hold Zoom responsible for its deficient privacy and data security, stop Zoom from continuing to profit at the expense of consumers’ privacy and security, require that Zoom take all necessary measures to secure the privacy of user accounts and devices, and compensate Plaintiffs and Class Members for the damage that its acts and omissions have caused.
PARTIES
5. Plaintiff Tesha Kondrat is a resident and citizen of Los Angeles, California. She agreed to pay $14.99 per month for Zoom’s “Pro” video conferencing plan to communicate with family, friends, and business colleagues in the midst of the pandemic. At the time she began using Zoom’s products and services, she was not aware, and did not understand, that they included significant security-deficiencies that would result in the exposure and risk of exposure of her private communications and personally-identifying information. If Ms. Kondrat had known what she now knows about Zoom’s data security and privacy deficiencies, she would not have purchased Zoom, or would not have paid as much for it.
6. Plaintiff Gavin Wolfe is a resident and citizen of Sunnyvale, California. He agreed to pay $149.90 annually for Zoom’s “Pro” video conferencing plan to host a Bible study group in the midst of the pandemic. At the time he began using Zoom’s products and services, he was not aware, and did not understand, that they included significant security-deficiencies that would result in the exposure and risk of exposure of his private communications and personally-identifying information. If Mr. Wolfe had known what he now knows about Zoom’s data security and privacy deficiencies, he would not have purchased Zoom, or would not have paid as much for it.
7. Plaintiff Chanelle Murphy is a resident and citizen of Sunnyvale, California. She downloaded and used the Zoom application for iOS. At the time she began using Zoom’s products and services, she did not know Zoom was sharing her personally-identifying information to third-parties, like Facebook, and did not consent to this practice. If Ms. Murphy had learned what she knows now about Zoom’s practice of sharing personally-identifying information with third-parties, like Facebook, she would not have downloaded and used the Zoom application.
8. Defendant Zoom is a Delaware corporation with its principal place of business in San Jose, California.
JURISDICTION AND VENUE
9. This Court has subject matter jurisdiction over this action under 28 U.S.C. § 1332, the Class Action Fairness Act, because: (i) there are 100 or more class members; (ii) the aggregate amount in controversy exceeds $5,000,000, exclusive of interest and costs; and (iii) there is minimal diversity because members of the Class are citizens of different states from Defendant.
10. This Court has personal jurisdiction over Defendant because it maintains its headquarters in this District and operates in this District. Through its business operations in this District, Defendant intentionally avails itself of the markets within this District to render the exercise of jurisdiction by this Court just and proper.
11. Venue is proper in this Court pursuant to 28 U.S.C. § 1391 because significant events giving rise to this case took place in this District, and because Defendant is authorized to conduct business in this District, has intentionally availed itself of the laws and markets within this District, does substantial business in this District, and is subject to personal jurisdiction in this District.
STATEMENT OF FACTS
12. Zoom is a cloud-based video communications platform that offers companies and consumers the ability to hold video conferences, webinars, conference calls, and chats. Zoom claims that it can provide “video for every need,” allowing users to “join anywhere, on any device.”[1]
13. Businesses, healthcare organizations, educational institutions, and individuals use the Zoom platform for a variety of business and social purposes. Zoom’s use has exploded recently in response to the novel-coronavirus pandemic’s social-distancing requirements that are forcing more people to stay at home. “Where once it enabled client conferences or training webinars, it is now also a venue for virtual cocktail hours, Zumba classes and children’s birthday parties.”[2] The number of daily meeting participants across Zoom’s services has increased from 10 million at the end of 2019 to 200 million now.[3]
14. Zoom’s initial public offering last year was one of 2019’s most successful public offerings, making Zoom’s CEO, Eric Yuan, a billionaire.[4] And while the stock market has seen its first bear market since the 2008 financial crisis,[5] Zoom’s share price soared,[6] that is, until recently when investors learned of its major security and privacy flaws.[7]

[1] Zoom Meetings & Chat, https://zoom.us/meetings (last visited April 12, 2020).
[2] Aaron Tilley and Robert McMillan, Zoom CEO: ‘I Really Messed Up’ on Security as Coronavirus Drove Video Tool’s Appeal, The Wall Street Journal (April 4, 2020) (“I really messed up”), https://www.wsj.com/articles/zoom-ceo-i-really-messed-up-on-security-as-coronavirus-drove-video-tools-appeal-11586031129?st=jmn0xqiy1ea3c63&mod=openfreereg.
[3] Id.
[4] Id.
[5] Sergei Klebnikov, Bear Market, Dow Drops Over 1,400 Points, Ending Longest Bull Market in U.S. History, Forbes (Mar. 11, 2020), https://www.forbes.com/sites/sergeiklebnikov/2020/03/11/bear-market-dow-drops-over-1400-points-ending-longest-bull-market-in-us-history/#6e75715c6ae4.
[6] Rupert Neate, Zoom booms as demand for video-conferencing tech grows, The Guardian (Mar 31, 2020), https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak.
[7] Wallace Witkowski, Zoom Video stock slides as much as 15% after analyst joins in backlash on valuation fears, Market Watch (April 6, 2020), https://www.marketwatch.com/story/zoom-video-stock-slides-as-much-as-15-after-analyst-joins-in-backlash-on-valuation-fears-2020-04-06.

15. Zoom understands that its users want their private meetings to remain private, and their personal information secured, touting its “end-to-end encryption for all meetings, role-based user security, password protection, waiting rooms, and place attendee on hold,” as measures to allow users to “meet securely.”[8] Zoom promises its customers that “we take security seriously and we are proud to exceed industry standards when it comes to your organizations communications.”[9] It further promises that it “is committed to protecting your privacy,” and claims it has “designed policies and controls to safeguard the collection, use, and disclosure of your information.”[10] According to Zoom, it “places privacy and security as the highest priority in the lifecycle operations of our communications infrastructure.”[11]
16. Plaintiffs and Class Members place significant value in data security. According to a recent survey conducted by cyber-security company FireEye, approximately 50% of consumers consider data security to be a main or important consideration when making purchasing decisions and nearly the same percentage would be willing to pay more in order to work with a provider that has better data security. Likewise, 70% of consumers would provide less personal information to organizations that do not secure their personal data.[12]
17. Because of the value consumers place on data privacy and security, companies with robust data security practices can command higher prices than those who do not. Indeed, if consumers did not value their data security and privacy, Zoom would have no reason to tout its data security and privacy efforts to their actual and potential customers.

[8] Zoom Security Guide (April 2020), https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf (last visited April 12, 2020).
[9] Security at Zoom, https://zoom.us/security (last visited April 12, 2020).
[10] Id.
[11] See Zoom Security Guide, supra note 8.
[12] FireEye, Beyond the Bottom Line: The Real Cost of Data Breaches (May 2016), https://www.fireeye.com/blog/executive-perspective/2016/05/beyond_the_bottomli.html (last visited April 12, 2020).

18. As it turns out, Zoom’s promises of privacy and security were false, and Zoom has been forced to walk many of these representations back as the company’s meteoric rise has put a spotlight on its technologies’ numerous security flaws.
19. On April 1, 2020, Zoom’s Chief Executive Officer, Eric Yuan, admitted that the company had “fallen short of the community’s – and our own – privacy and security expectations,”[13] acknowledging that Zoom “did not design the product with the foresight” to accommodate the number of people using and the variety of reasons it was being used. This, he said, “present[ed] us with challenges we did not anticipate when the platform was conceived.”[14] On April 4, 2020, after more and more security and privacy flaws were exposed, Yuan admitted that he had “really messed up as CEO, and we need to win [users’] trust back,” stating “[t]his kind of thing shouldn’t have happened.”[15]
A. Zoom prioritizes rapid growth over consumers’ security.
20. Compared to other video-conferencing platforms, Zoom is easy to set up and use, and this ease-of-use has caused Zoom to take off while other platforms have not.[16] “But there’s a downside.” Zoom’s ease-of-use comes at the expense of data security, as numerous security and privacy problems have been exposed in a matter of weeks.[17] The backlash against Zoom has already begun, with school districts,[18] governments,[19] and major companies like SpaceX and Google[20] banning the use of Zoom due to privacy and security concerns.

[13] Eric S. Yuan, A Message to Our Users, Zoom Blog (April 1, 2020) (“April 1, 2020 Zoom Blog”), https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/.
[14] Id.
[15] See I Really Messed Up, supra note 2.
[16] Paul Wagenseil, Zoom privacy and security issues: Here’s everything that’s wrong (so far), Tom’s Guide (last updated April 10, 2020) (“Tom’s Guide”), https://www.tomsguide.com/news/zoom-security-privacy-woes.

21. As detailed below, as of the filing of this Complaint, more than a dozen security and privacy problems with Zoom’s technologies have come to light, exposing the company’s overall lax view of data security as it rushed to get its technology to market and to the front-of-the-line. Each of these problems shows that consumers’ information and privacy is at risk and that Zoom’s representations of data security were false and misleading.
1. Zoom blatantly misrepresents its encryption capabilities.
22. Prior to April 2020, Zoom’s website and its security white paper claimed its meetings use “end-to-end encryption”—a method of secure communication that prevents third parties from accessing data while it is transferred from one end system or device to another. “End-to-end encryption” is well known in the technology field to designate data that can be sent from one user endpoint (like a desktop, laptop, smartphone or tablet) to another endpoint where the server delivering the information cannot decrypt the message. For example, when a user sends an Apple message from an iPhone to another iPhone user, Apple’s servers help the message get from one place to another, but they can’t read the content. So end-to-end encryption means that only the parties to the communication can access it, and not any middlemen that relay the communication through its servers. This is not the case with Zoom.

[17] Id.
[18] Sean Keane, School districts reportedly ban Zoom over security issues, CNET (April 6, 2020), https://www.cnet.com/news/school-districts-reportedly-ban-zoom-over-security-issues/; John Geddie, Singapore stops teachers using Zoom app after ‘very serious incidents’, Reuters (April 9, 2020), https://www.reuters.com/article/us-zoom-video-comm-privacy-singapore-idUSKCN21S0AH.
[19] Mary Hui, Taiwan is taking cybersecurity seriously by banning the use of Zoom in government (April 7, 2020), https://qz.com/1834151/taiwan-government-bans-official-use-of-zoom/; Ben Lovejoy, Governments restrict or ban the use of Zoom, as company faces lawsuit, 9to5mac (April 8, 2020), https://9to5mac.com/2020/04/08/ban-the-use-of-zoom/; Kiran Stacey and Hannah Murphy, US Senate tells members not to use Zoom, Ars Technica (April 9, 2020), https://arstechnica.com/tech-policy/2020/04/us-senate-tells-members-not-to-use-zoom/.
[20] Munsif Vengattil, Joey Roulette, Elon Musk’s SpaceX bans Zoom over privacy concerns – memo, Reuters (April 1, 2020), https://www.reuters.com/article/us-spacex-zoom-video-commn/elon-musks-spacex-bans-zoom-over-privacy-concerns-memo-idUSKBN21J71H?il=0; Pranav Dixit, Google Has Banned Zoom Software From Employees’ Computers, Citing Security Vulnerabilities, BuzzFeed News (April 8, 2020), https://www.buzzfeednews.com/article/pranavdixit/google-bans-zoom?bftwnews&utm_term=4ldqpgc#4ldqpgc.

23. Under pressure from investigative journalists at The Intercept, a Zoom representative admitted that Zoom’s definitions of “end-to-end” and “endpoint” are not the same as that commonly used in the technology industry.[21] The Zoom spokesperson admitted “When we use the phrase ‘End to End,’ in our literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point.”[22] Because it holds the encryption keys, Zoom can view users’ communications, and could share that information with others, for example, if presented with a warrant from law enforcement.[23]
24. Notably, Apple’s FaceTime, which allows group videoconferencing, offers actual end-to-end encryption, so the technology is available and used by Zoom’s competitors.[24] Of course that’s what Zoom users thought they were getting based on Zoom’s false representations that it too provided “end-to-end” encryption.
25. In a blog post dated April 1, 2020, Zoom’s chief product officer Oded Gal admitted the company had misrepresented its level of encryption writing “we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.”[25] He further acknowledged: “We recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”[26]

[21] Micah Lee, Yael Grauer, Zoom Meetings Aren’t End-To-End Encrypted, Despite Misleading Marketing, The Intercept (Mar. 31, 2020), https://theintercept.com/2020/03/31/zoom-meeting-encryption/.
[22] Id.
[23] See Tom’s Guide, supra note 16.
[24] Id.
[25] Oded Gal, The Facts Around Zoom and Encryption for Meetings/Webinars, Zoom Blog (April 1, 2020), https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/.

26. Not only was Zoom misleading consumers about its “end-to-end encryption” capabilities, but it also falsely represented the quality of its encryption algorithm. Zoom says it uses AES-256 encryption to encode video and audio data traveling between Zoom servers and Zoom users, but researchers at The Citizen Lab at the University of Toronto reported on April 3, 2020, that Zoom actually uses a weaker single AES-128 key in a home-grown “ECB mode”, which is not as secure as promised.[27] “Even worse, Zoom uses an in-house implementation of encryption algorithm that preserves patterns from the original file. It’s as if someone drew a red circle on a gray wall, and then a censor painted over the red circle with a whi[t]e circle. You’re not seeing the original message, but the shape is still there.”[28]
27. In a blog post on April 3, 2020, Zoom’s CEO Eric Yuan acknowledged the encryption issue but said only that “we recognize that we can do better with our encryption design” and “we expect to have more to share on this front in the coming days.”[29]
2. The Chinese Government may have access to private information.
28. The Citizen Lab report also revealed that several Zoom servers in China were issuing encryption keys to Zoom users even when all participants in the meeting were in North America.[30]

[26] Id.
[27] Bill Marczak and John Scott-Railton, Move Fast and Roll Your Own Crypto, A Quick Look at the Confidentiality of Zoom Meetings, The Citizen Lab (April 3, 2020) (“The Citizen Lab”), https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/.
[28] See Tom’s Guide, supra note 16.
[29] Eric S. Yuan, Response to Research From University of Toronto’s Citizen Lab, Zoom Blog (April 3, 2020) (“April 3, 2020 Zoom Blog”), https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/.
[30] The Citizen Lab, supra note 27.

29. While Zoom is a Silicon Valley-based company, it owns three companies in China through which at least 700 employees are paid to develop Zoom’s software. According to the Citizen Lab: “This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.”[31]
30. Since Zoom servers can decrypt Zoom meetings while falsely claiming “end-to-end encryption”, and Chinese authorities can compel operators of Chinese servers to hand over data, “the Chinese government might be able to see your Zoom meetings.”[32]
31. In his April 3, 2020 blog post, Zoom’s CEO Eric Yuan admitted this was a problem: “In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began. In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect.”[33] Zoom claims to have fixed this problem.[34]
3. Zoom meeting recordings can be found online.
32. Zoom meeting recordings saved to the meeting host’s computer are automatically assigned a certain type of default file name. Patrick Jackson, the technology chief of the privacy-software company Disconnect and a former researcher for the National Security Agency, searched unprotected cloud servers to see if anyone had uploaded Zoom recordings and found more than 15,000 unprotected examples, according to The Washington Post.[35]

[31] Id.
[32] See Tom’s Guide, supra note 16.
[33] April 3, 2020 Zoom Blog, supra note 29.
[34] Id.

33. Videos viewed by The Washington Post included “one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary school classes, in which children’s faces, voices and personal details were exposed. Many of the videos include personally identifiable information and deeply intimate conversations, recorded in people’s homes. Other videos include nudity, such as one in which an aesthetician teaches students how to give a Brazilian wax.”[36]
34. As explained by The Post, “because Zoom names every video recording in an identical way, a simple online search can reveal a long stream of videos elsewhere that anyone can download and watch.”[37]
35. Jackson said Zoom could do a better job at cautioning people to protect their videos. Zoom could also help by implementing design tweaks, such as naming videos in an unpredictable way to make them harder to find.[38] In designing their service, Zoom’s engineers bypassed these common security features. “That style of operating simplicity has powered Zoom to become the most popular video-chat application in the United States, but it has also frustrated some security researchers who believe such shortcuts can leave users more vulnerable to hacks or abuse.”[39]

[35] Drew Harwell, Thousands of Zoom video calls left exposed on open Web, The Washington Post (April 3, 2020), https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/.
[36] Id.
[37] Id.
[38] Id.
[39] Id.

4. Zoom meetings can be accessed by malicious, uninvited participants.
36. Due to Zoom’s lax privacy controls, anyone can join a public Zoom meeting if they know the meeting number, and then use the file-share photo to post shocking images, or make disruptive sounds in the audio—a phenomenon dubbed “Zoombombing”. The uses of Zoombombing by nefarious actors are as varied as the imaginations of the hackers themselves. The incidents started as pranks or trolling, and have risen to the level of hate speech and harassment. The host of the Zoom meeting can mute or even kick out troublemakers, but they can come right back with new user IDs. Zoom made such so-called “Zoombombs” easy because its default settings did not require users to have a password to join.[40]
37. An analysis by The New York Times found “153 Instagram accounts, dozens of Twitter accounts and private chats, and several active message boards on Reddit and 4Chan where thousands of people had gathered to organize Zoom harassment campaigns, sharing meeting passwords and plans for sowing chaos in public and private meetings.”[41]
38. For example, on April 6, 2020, the first day the San Diego school district started its distance learning program, a high school biology class was Zoombombed. A person with the username “Dee Znuts” wore a red ski mask and a red sweatshirt during the meeting and made several hand signs in front of his computer’s camera, screenshots of the Zoom meeting show. Another unknown person displayed a photo of a bearded man on their camera and displayed a caption that claimed the biology teacher “Hates BlackPeople.” And a third unknown person typed the n-word in the group chat.[42]

[40] Taylor Lorenz and Davey Alba, ‘Zoombombing’ Becomes a Dangerous Organized Effort, The New York Times (April 3, 2020), https://www.nytimes.com/2020/04/03/technology/zoom-harassment-abuse-racism-fbi-warning.html.
[41] Id.
[42] Kristen Taketa, San Diego ‘Zoombombing’ incident highlights need for schools to use safety controls, The San Diego Union-Tribune (April 8, 2020), https://www.sandiegouniontribune.com/news/education/story/2020-04-08/san-diego-zoombombing-incident-highlights-need-for-schools-to-use-safety-controls.

39. On March 29, 2020, during a call among members of the Concordia Forum, a global network of Muslim leaders, about maintaining spirituality and wellness during the coronavirus crisis, a cursor began to draw a racial slur across one of the slides. The infiltrator then began to screen-share a pornographic video while repeating the racial epithet verbally.[43]
40. Harassers have begun to use every feature of Zoom’s platform for abuse, including using the app’s custom background feature to project a GIF of a person drinking to participants in an Alcoholics Anonymous meeting, and its annotation feature to write racist messages in a meeting of the American Jewish Committee in Paris.[44]
41. The frequency and reach of the incidents on Zoom prompted the F.B.I. to issue a warning on March 30, 2020, singling out Zoom and stating that it had “received multiple reports of conferences being disrupted by pornographic or hate images and threatening language” nationwide.[45]
42. To avoid Zoombombing, Zoom advises meeting hosts to set up “waiting rooms.” A waiting room keeps participants on hold until a host lets them in, either all at once or one at a time. However, The Citizen Lab said it found a serious security issue with Zoom waiting rooms, and advised hosts and participants to not use them for now. The Citizen Lab is not disclosing the details of the waiting room flaw because the issue presents a risk to users, and it did not want the issue to be abused before Zoom could fix it, but has told Zoom of the flaw.[46]
43. Moreover, nefarious actors can easily find open meetings to harass users by rapidly cycling through possible Zoom meeting IDs, a security researcher told security blogger Brian Krebs.[47] The researcher got past Zoom’s meeting-scan blocker by running queries through Tor, which randomized his IP address. It’s a variation on “war driving” by randomly dialing telephone numbers to find open modems in the dial-up days. The researcher told Krebs that he could find about 100 open Zoom meetings every hour with the tool, and that “having a password enabled on the [Zoom] meeting,” which is not the default, “is the only thing that defeats it.”

[43] Id.
[44] Id.
[45] Kristen Setera, FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic, FBI Boston (March 30, 2020), https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic.
[46] The Citizen Lab, supra note 27.

5. Zoom meeting chats don’t stay private and are not secure.
44. During meetings, Zoom ostensibly allows users to message privately amongst each other through a private window in the meeting’s chat app. But unbeknownst to those users, their conversations are not private and will be visible in the end-of-meeting transcript the host receives, thus allowing the host to see the discussion had during the supposedly private side-meeting.[48]
45. In addition, during side chats, participants can send text-based messages and post web l