`
`
`
`ROBERT C. SCHUBERT (No. 62684)
`WILLEM F. JONCKHEER (No. 178748)
`NOAH M. SCHUBERT (No. 278696)
`KATHRYN Y. MCCAULEY(No. 265803)
`SCHUBERT JONCKHEER & KOLBE LLP
`Three Embarcadero Center, Suite 1650
`San Francisco, California 94111
`Telephone:
` (415) 788-4220
`Facsimile:
` (415) 788-0161
`rschubert@sjk.law
`wjonckheer@sjk.law
`nschubert@sjk.law
`kmccauley@sjk.law
`
`Attorneys for Plaintiff and the Putative Class
`
`
`
`UNITED STATES DISTRICT COURT
`
`NORTHERN DISTRICT OF CALIFORNIA
`
`SAN JOSE DIVISION
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`
`
`
`
`
`
`
`
`RACHEL GREENBAUM, individually and on
`behalf of all others similarly situated,
`
`
`
`
`
`ZOOM VIDEO COMMUNICATIONS, Inc.
`
`
`
`
`Plaintiff,
`
`
`
`v.
`
`
`
`Defendant.
`
`Case No.
`
`CLASS ACTION COMPLAINT
`
`DEMAND FOR JURY TRIAL
`
` (415) 788-4220
`
`San Francisco, CA 94111
`
`Three Embarcadero Center, Suite 1650
`SCHUBERT JONCKHEER & KOLBE LLP
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`
`
`CLASS ACTION COMPLAINT
`
`
`
`Case 5:20-cv-02861-NC Document 1 Filed 04/24/20 Page 2 of 20
`
`
`
`Upon personal knowledge as to her own acts, and based upon her investigation, the
`
`investigation of counsel, and information and belief as to all other matters, Plaintiff Rachel
`
`Greenbaum (“Greenbaum”), on behalf of herself and all others similarly situated, alleges as
`
`follows:
`
`INTRODUCTION
`
`1.
`
`This is a class action brought on behalf of persons in the United States who used the
`
`Zoom Video Communications, Inc. (“Zoom”) application.
`
`2.
`
`Defendant Zoom provides video communications services using a cloud platform
`
`for video and audio conferencing, collaboration, chat, and webinars. These services are accessible
`
`through a desktop application available for Windows and macOS and a mobile application
`
`available for Android and iOS. Each Zoom application permits a user to join a meeting with or
`
`without signing in with a Zoom account.
`
`3.
`
`As alleged herein, Zoom has been slow to address significant security flaws and
`
`vulnerabilities in its platform. Software design choices and security flaws have made Zoom users
`
`vulnerable to harassment and privacy invasions. Furthermore, Zoom has falsely and misleadingly
`
`represented the security and privacy capabilities of its platform.
`
`4.
`
`This class action is brought on behalf of Zoom users to prevent Zoom from
`
`continuing these deceptive, invasive, and unlawful business practices and further seeks an award of
`
`damages (actual, statutory, and/or punitive), reasonable attorneys’ fees and other litigation costs
`
`reasonably incurred, and such other preliminary and equitable relief appropriate under the
`
`circumstances to remedy Zoom’s wrongdoing alleged herein.
`
`PARTIES
`
`5.
`
`Plaintiff Greenbaum is, and at all times relevant hereto has been, a citizen of the
`
`State of California. Prior to installing the Zoom application, Greenbaum believed that Zoom
`
`implemented adequate and proper security measures to protect users’ privacy and secure
`
`videoconferences. Prior to installing the application, Greenbaum was not aware that Zoom would
`
`share her personal information with third parties. If Greenbaum had known about Zoom’s failure
`
`
`CLASS ACTION COMPLAINT
`
`1
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
` (415) 788-4220
`
`San Francisco, CA 94111
`
`Three Embarcadero Center, Suite 1650
`SCHUBERT JONCKHEER & KOLBE LLP
`
`
`
`Case 5:20-cv-02861-NC Document 1 Filed 04/24/20 Page 3 of 20
`
`
`
`to implement adequate and proper security measures or Zoom’s practice of sharing her personal
`
`information with third parties, Greenbaum would not have installed the application.
`
`6.
`
`Defendant Zoom is a Delaware corporation, with its principal executive offices
`
`located at 55 Almaden Boulevard, 6th Floor, San Jose, California 95113. Zoom provides video-
`
`communications services through a cloud-based platform. The cornerstone of Zoom’s platform is
`
`Zoom Meetings, a service which provides meeting participants with video, voice, chat, and content
`
`sharing across mobile devices, desktops, laptops, telephones, and conference room systems. These
`
`services are accessible through a desktop application available for Windows and macOS and a
`
`mobile application available for Android and iOS. Each Zoom application permits a user to join a
`
`meeting with or without signing in with a Zoom account. Zoom also offers services such as Zoom
`
`Phone, Zoom Chat, Zoom Room, Zoom Conference Room Connector, Zoom Video Webinars, and
`
`Zoom for Developers.
`
`JURISDICTION AND VENUE
`
`7.
`
`This Court has original jurisdiction over this action pursuant to the Class Action
`
`Fairness Act, 28 U.S.C. § 1332(d), because at least one class member is a citizen of a state other
`
`than that of Zoom, and the aggregate amount in controversy exceeds $5,000,000, exclusive of
`
`interest and costs.
`
`8.
`
`This Court has personal jurisdiction over Zoom pursuant 18 U.S.C. § 1965(a)
`
`because Zoom maintains its headquarters in San Jose, California, and thus resides, is found, and
`
`transacts its affairs in this District.
`
`9.
`
`Venue is proper in this District under 28 U.S.C. § 1391 because Zoom maintains its
`
`headquarters in this District, Zoom conducts substantial business in this District, Zoom has
`
`intentionally availed itself of the laws and markets of this District, and Zoom is subject to personal
`
`jurisdiction in this District.
`
`INTRADISTRICT ASSIGNMENT
`
`10.
`
`Zoom maintains its headquarters in San Jose, California, which is within the County
`
`of Santa Clara. As such, this action may be properly assigned to the San Jose division of this Court
`
`pursuant to Civil Local Rule 3-2(e).
`
`
`CLASS ACTION COMPLAINT
`
`2
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
` (415) 788-4220
`
`San Francisco, CA 94111
`
`Three Embarcadero Center, Suite 1650
`SCHUBERT JONCKHEER & KOLBE LLP
`
`
`
`Case 5:20-cv-02861-NC Document 1 Filed 04/24/20 Page 4 of 20
`
`
`
`FACTUAL ALLEGATIONS
`
`Zoom Has Prioritized Usership Growth Over Security and Privacy Protections
`
`11. Zoom provides video-communications services through a cloud-based platform.
`
`The cornerstone of Zoom’s platform is Zoom Meetings, a service which provides meeting
`
`participants with video, voice, chat, and content sharing across mobile devices, desktops, laptops,
`
`telephones, and conference room systems. These services are accessible through a desktop
`
`application available for Windows and macOS and a mobile application available for Android and
`
`iOS. Each Zoom application permits a user to join a meeting with or without signing in with a
`
`Zoom account.
`
`12.
`
`In recent months Zoom has experienced exponential growth in usership stemming
`
`from the recent outbreak of the COVID-19 virus and widespread shelter-at-home orders. As
`
`hundreds of millions of people in the United States have been directed to stay at home, Zoom has
`
`emerged as the go-to business and social platform for video conferences, increasingly used by
`
`many for work, education, telemedicine, and recreational purposes. Four months ago, Zoom was a
`
`niche business tool with 10 million daily users.1 Today it has emerged as a fundamental online
`
`utility, with 300 million daily users.2 As of April 2, 2020, Zoom’s cloud-meetings service was the
`
`top free application in the Apple App Store in 64 countries, including the United States.3 In March
`
`of 2020, nearly 600,000 people downloaded the application in a single day.4
`
`13. As demand for the Zoom application has surged, the company has been slow to
`
`address significant security flaws and vulnerabilities in its platform. Software design choices and
`
`security flaws have made Zoom users vulnerable to harassment and privacy invasions. According
`
`to some privacy experts, the company has valued the ease of use and fast growth over instituting
`
`default user protections.5
`
`
`1 https://www.nytimes.com/2020/04/08/business/zoom-video-privacy-security-coronavirus.html (last visited April 23,
`2020)
`2 https://www.nytimes.com/reuters/2020/04/23/business/23reuters-zoom-video-commn-encryption.html (last visited
`April 23, 2020).
`3 https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html (last visited April 23, 2020)
`4 https://www.nytimes.com/2020/04/20/technology/zoom-security-dropbox-hackers.html (last visited April 23, 2020)
`5 https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html (last visited April 23, 2020)
`
`CLASS ACTION COMPLAINT
`
`3
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
` (415) 788-4220
`
`San Francisco, CA 94111
`
`Three Embarcadero Center, Suite 1650
`SCHUBERT JONCKHEER & KOLBE LLP
`
`
`
`Case 5:20-cv-02861-NC Document 1 Filed 04/24/20 Page 5 of 20
`
`
`
`14. These privacy matters have garnered the attention of multiple state attorneys
`
`general, who have banded together to scrutinize the company’s privacy and security practices.6 For
`
`instance, in a letter to the company dated March 30, 2020, New York Attorney General Letitia
`
`James expressed her concern that “Zoom’s existing security practices might not be sufficient to
`
`adapt to the recent and sudden surge in both volume and sensitivity of data being passed through
`
`its network.”7
`
`15. Zoom was a service originally designed for businesses—to make it easy for
`
`company employees, sales representatives, and clients to connect through virtual meetings. As
`
`growth has increased exponentially and usership has diversified in clientele and function, however,
`
`the company has not implemented adequate security and privacy measures to protect users. In an
`
`interview with the New York Times on April 7, 2020, Eric Yuan, Zoom’s Chief Executive Officer
`
`admitted that his “greatest regret was not recognizing the possibility that one day Zoom might be
`
`used not just by digitally savvy businesses but also by tech neophytes.”8 “We were focusing on
`
`business enterprise customers,” Mr. Yuan said. “However, we should have thought about ‘What if
`
`some end user started using Zoom’” for nonbusiness events, “maybe for family gatherings, for
`
`online weddings.” He added: “The risks, the misuse, we never thought about that.”9
`
`16. These security flaws have recently been highlighted by the prevalence of
`
`“zoombombing”: the malicious practice of hijacking Zoom meetings with displays such as
`
`pornography, white supremacist imagery, and threatening language. Zoom’s lax privacy and
`
`security measures have enabled internet trolls to hijack meetings and harass users.
`
`17. According to Jonathan Mayer, an assistant professor of computer science and public
`
`affairs at Princeton University, “It’s a combination of sloppy engineering and prioritizing
`
`growth.”10 Indeed, Zoom CEO Eric Yuan admitted to the New York Times that “Zoom never felt
`
`
`6 https://www.politico.com/news/2020/04/03/multiple-state-ags-looking-into-zooms-privacy-practices-162743 (last
`visited April 23, 2020)
`7 https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html (last visited April
`23, 2020)
`8 https://www.nytimes.com/2020/04/08/business/zoom-video-privacy-security-coronavirus.html (last visited April 23,
`2020)
`9 Id.
`10 https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html (last visited April 23, 2020)
`
`CLASS ACTION COMPLAINT
`
`4
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
` (415) 788-4220
`
`San Francisco, CA 94111
`
`Three Embarcadero Center, Suite 1650
`SCHUBERT JONCKHEER & KOLBE LLP
`
`
`
`Case 5:20-cv-02861-NC Document 1 Filed 04/24/20 Page 6 of 20
`
`
`
`the need until now to rigorously examine the platform’s privacy and security implications for
`
`consumers.”11 Mr. Yuan further admitted that his drive to open access to Zoom during the
`
`pandemic sometimes moved faster than the platform’s privacy protections.12 As a consequence,
`
`Zoom users have experienced substantial security and privacy invasions.
`
`18. These security and privacy invasions are so pervasive that many governments,
`
`businesses, and educational entities have banned use of the application. These entities include—
`
`among others—the U.S. Senate13, Google14, and many school districts throughout the country.15
`
`Zoom Fails to Notify Users That It Shares User Information with Facebook
`
`19.
`
`According to a Motherboard report published on March 26, 2020, the iOS version
`
`of the Zoom application has sent user data analytics to Facebook, without user notification or
`
`consent.16 Zoom shares this information with Facebook even where Zoom users do not have a
`
`Facebook account.17
`
`20.
`
`Although Zoom’s user privacy policy states that the company may collect user’s
`
`“Facebook profile information (when you use Facebook to log-in to our Products or to create an
`
`account for our Products),” the policy fails to disclose that when downloading and opening the
`
`application, Zoom connects to Facebook’s Graph API.18 The Graph API is the main way
`
`developers share information with Facebook. According to Motherboard, the Zoom application
`
`notifies Facebook when the user opens the application and shares details with Facebook such as
`
`the user’s device, time zone, city, and phone carrier. A unique advertiser identifier is then created
`
`by the user’s device which companies can use to target a user with advertisements. In a statement
`
`
`11 https://www.nytimes.com/2020/04/08/business/zoom-video-privacy-security-coronavirus.html (last visited April 23,
`2020)
`12 Id.
`13 https://www.reuters.com/article/us-zoom-video-commn-privacy-senate/u-s-senate-tells-members-to-avoid-zoom-
`over-data-security-concerns-ft-idUSKCN21R0VU (last visited April 23, 2020)
`14 https://www.forbes.com/sites/johanmoreno/2020/04/09/google-bans-employees-from-using-zoom/#4846a418770f
`(last visited April 23, 2020)
`15 https://www.engadget.com/2020-04-05-school-districts-ban-zoom-over-security.html (last visited April 23, 2020)
`16 https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-
`facebook-account (last visited April 23, 2020)
`17 Id.
`18 Id.
`
`CLASS ACTION COMPLAINT
`
`5
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
` (415) 788-4220
`
`San Francisco, CA 94111
`
`Three Embarcadero Center, Suite 1650
`SCHUBERT JONCKHEER & KOLBE LLP
`
`
`
`Case 5:20-cv-02861-NC Document 1 Filed 04/24/20 Page 7 of 20
`
`
`
`to Motherboard, Zoom confirmed that it had engaged in this data collection practice.19
`
`21.
`
`Zoom’s privacy policy failed to notify users about these data collection procedures
`
`and implied that only Facebook profile information would be collected when users logged into
`
`Zoom through their Facebook accounts. Zoom’s failure to provide accurate disclosures to its users
`
`about sharing their data and Zoom’s failure to implement adequate security protocols violates
`
`users’ privacy and is deceptive and misleading.
`
`Zoom Falsely Advertises That Its Platform is End-to-End Encrypted
`
`22.
`
`Zoom markets and represents to users that its platform is end-to-end encrypted
`
`when, in fact, it is not. End-to-end encryption (“E2E encryption”) is widely understood as the most
`
`private form of internet communication, protecting conversations from all outside parties.20 In E2E
`
`encryption, data cannot be accessed by anyone other than the true sender and recipient.
`
`23.
`
`Zoom markets and represents on its website, in its security white paper, and on its
`
`user interface within the application that its service is end-to-end encrypted. However, Zoom’s
`
`platform is transport encrypted, which is significantly different than end-to-end encryption.21 In
`
`fact, according to a Zoom spokesperson and despite the company’s representations, “currently, it is
`
`not possible to enable E2E encryption for Zoom video meetings.”22
`
`24.
`
`In transport encryption, the connection between the Zoom application on a user’s
`
`computer or phone and the Zoom server is encrypted in the same way the connection between a
`
`web browser and online post is encrypted, i.e. the technology that webservers use to secure HTTPs
`
`websites.23 Unlike E2E encryption, in transport encryption the video and audio content is not fully
`
`private; it can be viewed and accessed by Zoom. Thus, when a Zoom user enters a meeting, the
`
`content of that meeting may stay private from anyone spying on wi-fi, but it is not private from
`
`Zoom and its representatives.
`
`25. Without E2E encryption, Zoom has the technical ability to spy on private video
`
`
`
`19 Id.
`20 https://theintercept.com/2020/03/31/zoom-meeting-encryption/ (last visited April 23, 2020)
`21 Id.
`22 Id.
`23 Id.
`
`CLASS ACTION COMPLAINT
`
`6
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
` (415) 788-4220
`
`San Francisco, CA 94111
`
`Three Embarcadero Center, Suite 1650
`SCHUBERT JONCKHEER & KOLBE LLP
`
`
`
`Case 5:20-cv-02861-NC Document 1 Filed 04/24/20 Page 8 of 20
`
`
`
`meetings and could be compelled to hand over recordings of meetings to governments or law
`
`enforcement. These risks may be magnified by Zoom’s use of data centers outside the United
`
`States. On April 3, 2020, University of Toronto’s Citizen Lab reported that Zoom used servers in
`
`China to deliver data packets even when all meeting participants were located outside of China.24
`
`The lab raised concerns that sending encryption keys via servers in China could leave Zoom
`
`vulnerable to requests from Chinese authorities to disclose those keys.25
`
`Zoom Contains a Feature that Secretly Displayed Data From Users’ LinkedIn Profiles
`
`26.
`
`According to an analysis by the New York Times, Zoom contains a data-mining
`
`feature that allowed some participants to surreptitiously access the LinkedIn profile data of other
`
`users—without the users’ permission or knowledge that someone was accessing that information.26
`
`According to the analysis, when someone signed in to a Zoom meeting, Zoom’s software
`
`automatically sent the user’s names and email address to a company system it used to match the
`
`user with LinkedIn profiles.
`
`27.
`
`This data-mining feature was available to Zoom users who subscribed to a LinkedIn
`
`service for sales prospecting, called LinkedIn Sales Navigator. Once a Zoom user enabled the
`
`feature, that person could quickly and covertly view LinkedIn profile data—such as locations,
`
`employer names, and job titles—of meeting attendees by clicking on a LinkedIn icon next to the
`
`user’s name. This was true even when the user signed-in to the meeting under a pseudonym such
`
`as “anonymous.” According to the New York Times’ analysis, despite a user’s attempt to remain
`
`anonymous, the data-mining tool could still instantly match a user to his or her Linked in Profile,
`
`in doing so disclosing the user’s real name to other users and overriding that user’s efforts to
`
`remain private.27
`
`28.
`
`Neither Zoom’s privacy policy nor its terms of service specifically disclosed that
`
`Zoom could covertly display meeting participants LinkedIn data to other users. In fact, the user
`
`
`24 https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
`(last visited April 23, 2020)
`25 Id.
`26 https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html (last visited April 23, 2020)
`27 Id.
`
`CLASS ACTION COMPLAINT
`
`7
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
` (415) 788-4220
`
`San Francisco, CA 94111
`
`Three Embarcadero Center, Suite 1650
`SCHUBERT JONCKHEER & KOLBE LLP
`
`
`
`Case 5:20-cv-02861-NC Document 1 Filed 04/24/20 Page 9 of 20
`
`
`
`instructions on Zoom suggest just the opposite: that meeting attendees may control who sees their
`
`real names. One section of Zoom’s help center said, “Enter the meeting ID number and your
`
`display name. If you’re signed in, change your name if you don’t want your default name to
`
`appear.”28
`
`29.
`
`The New York Times analysis also revealed that Zoom automatically sent
`
`participants’ personal information to its data-mining tool even when no one in a meeting had
`
`activated the feature. In response to the report, Zoom said it would disable the data-mining feature
`
`that could be used to snoop on participants during meetings without their knowledge. In a related
`
`blog post, CEO Eric Yuan wrote that the company had removed the data-mining feature “after
`
`identifying unnecessary data disclosure.”29
`
`Security Flaws Enabled Hackers to Activate Zoom Users’ Webcams Without Permission
`
`30.
`
`According to some cybersecurity and privacy experts, the time for Zoom to reassess
`
`its privacy and security practices was last year when news reports revealed a security flaw in the
`
`Zoom platform that permitted cyber attackers to activate a user’s webcam without permission.30
`
`The flaw, revealed by security researcher Jonathan Lietschuh, persisted even when a user
`
`attempted to remove the application from the user’s computer.31 Researchers discovered that the
`
`Zoom application would secretly reinstall itself and remain vulnerable to unpermitted webcam
`
`access.32
`
`31.
`
`Zoom did not address the problem until after the Electronic Privacy Information
`
`Center, a public research center, filed a complaint about the company with the Federal Trade
`
`Commission.33 Similarly, approximately one year ago hackers revealed a major security
`
`vulnerability in Zoom’s software that could permit cyber attackers to covertly control certain
`
`
`
`28 Id.
`29 Id.
`30 https://www.nytimes.com/2020/04/08/business/zoom-video-privacy-security-coronavirus.html (last visited April 23,
`2020)
`31 https://www.vox.com/recode/2019/7/9/20687689/zoom-mac-vulnerability-medium-jonathan-leitschuh-camera (last
`visited April 23, 2020)
`32 Id.
`33 https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html (last visited April
`23, 2020)
`
`
`CLASS ACTION COMPLAINT
`
`8
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
` (415) 788-4220
`
`San Francisco, CA 94111
`
`Three Embarcadero Center, Suite 1650
`SCHUBERT JONCKHEER & KOLBE LLP
`
`
`
`Case 5:20-cv-02861-NC Document 1 Filed 04/24/20 Page 10 of 20
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`
`
`users’ Mac computers. After being made aware of the issue, it took Zoom more than three months
`
`to remedy the security flaw. Zoom patched the vulnerability only after another hacker publicized a
`
`different security flaw with the same root cause.34
`
`32.
`
`Zoom itself admits that it has failed to meet the privacy and security expectations of
`
`its users. According to Zoom CEO Eric Yuan, “we recognize that we have fallen short of the
`
`community’s -- and our own -- privacy and security expectations.”35 This pattern of sloppy
`
`engineering and prioritizing growth over user security has seriously compromised the privacy of
`
`Zoom users. Zoom’s failure to take adequate measures to protect user security and privacy and its
`
`false and misleading statements regarding the company’s privacy practices are unlawful as set
`
`forth in the claims below.
`
`FRAUDULENT CONCEALMENT AND TOLLING
`
`33.
`
`The applicable statute of limitations are tolled because Zoom knowingly and
`
`actively concealed the facts alleged above. Until the revelations were made, Greenbaum and the
`
`Class members did not know and could not have known of the information essential to the pursuit
`
`of these claims through no fault of their own and not due to any lack of diligence on their part.
`
`CLASS ACTION ALLEGATIONS
`
`34.
`
`Greenbaum brings this action pursuant to Federal Rule of Civil Procedure 23(b)(2)
`
`and 23(b)(3) on behalf of herself and a class of similarly situated individuals defined as follows:
`
`
`
`All persons who used the Zoom application in the United States (including
`its states, districts, and territories) (the “Class”) during the applicable statute
`of limitations period.
`
`
`35.
`
`Additionally, or in the alternative, pursuant to Federal Rule of Civil Procedure
`
`23(a), 23(b)(2), or 23(b)(3), Plaintiff brings this action on behalf of herself and a class of similarly
`
`situated individuals defined as follows:
`
`
`All persons who used the Zoom application in the State of California (the “Subclass”)
`during the applicable statute of limitations period.
`
`
`
`34 https://www.nytimes.com/2020/04/20/technology/zoom-security-dropbox-hackers.html (last visited April 23, 2020)
`35 https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/ (last visited April 23, 2020)
`
`CLASS ACTION COMPLAINT
`
`9
`
` (415) 788-4220
`
`San Francisco, CA 94111
`
`Three Embarcadero Center, Suite 1650
`SCHUBERT JONCKHEER & KOLBE LLP
`
`
`
`Case 5:20-cv-02861-NC Document 1 Filed 04/24/20 Page 11 of 20
`
`
`
`36.
`
`Excluded from the Class and Subclass are governmental entities, Zoom, any entity
`
`in which Zoom has a controlling interest, and Zoom’s officers, directors, affiliates, legal
`
`representatives, employees, co-conspirators, successors, subsidiaries, and assigns. Also excluded
`
`from the Class are any judges, justices, or judicial officers presiding over this matter and the
`
`members of their immediate families and judicial staff. This action is brought and may be properly
`
`maintained as a class action pursuant to Federal Rule of Civil Procedures 23(b)(2) and 23(b)(3),
`
`and satisfies the numerosity, commonality, typicality, adequacy, predominance, and superiority
`
`requirements of these rules.
`
`37.
`
`Numerosity Under Rule 23(a)(1). The Class is so numerous that the individual
`
`joinder of all members is impracticable, and the disposition of the claims of all Class members in a
`
`single action will provide substantial benefits to the parties and the Court. Greenbaum, on
`
`information and belief, alleges that the Class includes millions of persons.
`
`38.
`
`Commonality Under Rule 23(a)(2). Common legal and factual questions exist that
`
`predominate over any questions affecting only individual members. These common questions,
`
`which do not vary among Class members and which may be determined without reference to any
`
`Class member’s individual circumstances, include, but are not limited to:
`
`a)
`
`b)
`
`Whether Zoom owed a duty of care to the Class;
`
`Whether Greenbaum and the Class members have a reasonable expectation
`
`of privacy in the information collected by Zoom;
`
`c)
`
`Whether Zoom unlawfully disclosed users’ personally identifiable
`
`information;
`
`d)
`
`Whether Zoom’s representations and omissions regarding the privacy and
`
`security capabilities of its platform are false, deceptive, and misleading;
`
`e)
`
`Whether Zoom’s representations and omissions regarding the privacy and
`
`security capabilities of its platform are likely to deceive a reasonable consumer;
`
`f)
`
`Whether Zoom had knowledge that its representations and omissions in
`
`advertising, specifications, and/or informational materials were false, deceptive, and misleading;
`
`
`CLASS ACTION COMPLAINT
`
`10
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
` (415) 788-4220
`
`San Francisco, CA 94111
`
`Three Embarcadero Center, Suite 1650
`SCHUBERT JONCKHEER & KOLBE LLP
`
`
`
`Case 5:20-cv-02861-NC Document 1 Filed 04/24/20 Page 12 of 20
`
`
`
`g)
`
`Whether Zoom’s conduct constitutes violations of the laws and statutes
`
`asserted herein;
`
`h)
`
`i)
`
`Zoom’s conduct;
`
`Whether Zoom’s conduct caused Zoom to be unjustly enriched;
`
`Whether Greenbaum and the Class members have been injured as a result of
`
`j)
`
`Whether Greenbaum and the members of the Class are entitled to actual,
`
`statutory, and punitive damages; and
`
`k)
`
`Whether Greenbaum and members of the Class are entitled to declaratory
`
`and injunctive relief.
`
`39.
`
`Typicality Under Rule 23(a)(3). Greenbaum’s claims are typical of the Class
`
`members’ claims. Zoom’s course of conduct caused Greenbaum and the Class members the same
`
`harm, damages, and losses as a result of Zoom’s uniformly unlawful conduct. Likewise,
`
`Greenbaum and other Class members must prove the same facts in order to establish the same
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`claims.
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`40.
`
`Adequacy of Representation Under Rule 23(a)(4). Greenbaum is an adequate
`
`representative of the Class because she is a member of the Class and her interests do not conflict
`
`with the interests of the Class. Greenbaum has retained counsel competent and experienced in
`
`complex litigation and consumer protection class action matters such as this action, and
`
`Greenbaum and her counsel intend to vigorously prosecute this action for the Class’s benefit and
`
`have the resources to do so. Greenbaum and her counsel have no interests adverse to those of the
`
`other members of the Class.
`
`41.
`
`Superiority. A class action is superior to all other available methods for the fair and
`
`efficient adjudication of this controversy because individual litigation of each Class member’s
`
`claim is impracticable. The damages, harm, and losses suffered by the individual members of the
`
`Class will likely be small relative to the burden and expense of individual prosecution of the
`
`complex litigation necessitated by Zoom’s wrongful conduct. Even if each Class member could
`
`afford individual litigation, the Court system could not. It would be unduly burdensome if
`
`thousands of individual cases proceeded. Individual litigation also presents the potential for
`
`
`CLASS ACTION COMPLAINT
`
`11
`
` (415) 788-4220
`
`San Francisco, CA 94111
`
`Three Embarcadero Center, Suite 1650
`SCHUBERT JONCKHEER & KOLBE LLP
`
`
`
`Case 5:20-cv-02861-NC Document 1 Filed 04/24/20 Page 13 of 20
`
`
`
`inconsistent or contradictory judgments, the prospect of a race to the courthouse, and the risk of an
`
`inequitable allocation of recovery among those individuals with equally meritorious claims.
`
`Individual litigation would increase the expense and delay to all parties and the Courts because it
`
`requires individual resolution of common legal and factual questions. By contrast, the class action
`
`device presents far fewer management difficulties and provides the benefit of a single adjudication,
`
`economies of scale, and comprehensive supervision by a single court.
`
`42.
`
`
`
`
`As a result of the foregoing, class treatment is appropriate.
`
`FIRST CLAIM FOR RELIEF
`Negligence
`
`43.
`
`Greenbaum, individually and on behalf of the Class, incorporates by reference all
`
`of the allegations contained in the preceding paragraphs of this Class Action Complaint as if fully
`
`set forth herein.
`
`44.
`
`Zoom owed a duty to Greenbaum and the Class members to exercise reasonable
`
`care in (a) handling users’ personal information in compliance with all applicable laws and the
`
`terms of Zoom’s privacy policy; (b) safeguarding users’ personal information in its possession;
`
`and (c) ensuring security in Zoom’s video conferences. Zoom had a special relationship with
`
`Greenbaum and the Class as a result of being entrusted with users’ personal information.
`
`45.
`
`Zoom breached its duties by failing to implement and maintain reasonable or
`
`adequate security protections for users and by disclosing users’ personal information to third
`
`parties, such as Facebook, without user consent.
`
`46.
`
`But for Zoom’s actions and breaches of its duties, Greenbaum’s and the Class
`
`members’ information would be secure.
`
`47.
`
`It was foreseeable that Zoom’s conduct as alleged herein would harm Greenbaum
`
`and the Class. Zoom knew or should have known that its failure to adequately protect user
`
`information would cause harm to Greenbaum and the Class.
`
`48.
`
`49.
`
`Greenbaum and the Class did not contribute to Zoom’s misconduct.
`
`Zoom’s breach as alleged herein directly and proximately resulted in Greenbaum’s
`
`and the Class’s injuries.
`
`
`CLASS ACTION COMPLAINT
`
`12