M. Anderson Berry (SBN 262879)
Leslie Guillon (SBN 222400)
CLAYEO C. ARNOLD,
A PROFESSIONAL LAW CORP.
865 Howe Avenue
Sacramento, CA 95825
Telephone: (916) 777-7777
Facsimile: (916) 924-1829
ABerry@Justice4You.com
LGuillon@Justice4You.com

John A. Yanchunis (Pro Hac Vice Forthcoming)
Ryan J. McGee (Pro Hac Vice Forthcoming)
Kenya J. Reddy (Pro Hac Vice Forthcoming)
MORGAN & MORGAN
COMPLEX LITIGATION GROUP
201 N. Franklin St., 7th Floor
Tampa, FL 33602
Telephone: (813)
Facsimile: (813)
JYanchunis@ForThePeople.com
RMcGee@ForThePeople.com
KReddy@ForThePeople.com

Attorneys for Plaintiffs

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

ADAM BUXBAUM and DEBORAH BLUM, on behalf of themselves and all others similarly situated,

Plaintiffs

v.

ZOOM VIDEO COMMUNICATIONS, INC.,

Defendant.

CASE NO.:

CLASS ACTION

COMPLAINT FOR DAMAGES, EQUITABLE, DECLARATORY AND INJUNCTIVE RELIEF

DEMAND FOR JURY TRIAL

CLASS ACTION COMPLAINT

Case 5:20-cv-02939-SVK Document 1 Filed 04/29/20 Page 2 of 38

Plaintiffs Adam Buxbaum and Deborah Blum (“Plaintiffs”), individually, by and through their undersigned counsel, bring this class action lawsuit against Zoom Video Communications Inc. (“Zoom,” or “Defendant”), on behalf of themselves and all others similarly situated, and allege, based upon information and belief and the investigation of their counsel as follows:

INTRODUCTION

“[W]e recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry.”

Eric S. Yuan, Founder and CEO of Zoom1

1. Zoom is a cloud-based video communications platform that ostensibly offers individuals, schools, businesses and governments an easy, reliable cloud platform for video and audio conferencing across mobile devices, desktops, telephones, and room systems.

2. In addition to ease of use and functionality, a cornerstone of Zoom’s offering is its fundamental assurance that its video conferences are private, and the personal information entrusted to it by millions of users will be properly maintained. Among the assurances Zoom provides:

• We do not sell your personal data;2

• Your meetings are yours. We do not monitor them or even store them after your meeting is done;

• Zoom collects only the user data that is required to provide you Zoom services;

• We do not use data we obtain from your use of our services, including your meetings, for any advertising.

• We take security seriously and we are proud to exceed industry standards when it comes to your organizations [sic] communications.3

• Zoom is committed to protecting your privacy.

1 Zoom, A message to our users, Zoom Blog (April 1, 2020) available at https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/ (last accessed April 28, 2020).
2 Zoom, Privacy Policy, available at https://zoom.us/privacy (last accessed April 28, 2020).
3 Zoom, Security at Zoom, available at https://zoom.us/security (last accessed April 28, 2020).

3. While video conferencing has enjoyed steady growth over the past several years, in the wake of the COVID-19 pandemic, its popularity has skyrocketed. Among the companies offering video conferencing, Zoom has been by far the biggest beneficiary. In December 2019, Zoom had approximately 10 million daily users. By March 2020, that number grew to 200 million.

4. Zoom’s meteoric rise brought with it significant financial reward for the company, whose revenue for fiscal year ending January 31, 2020 was $622.6 million, more than quadruple its revenue a year earlier. It also brought a spotlight which revealed the dark underbelly of a company whose platform was riddled with security vulnerabilities, who transmitted users’ personal information surreptitiously to third parties without the users’ knowledge and consent, and whose public representations about the privacy and security of its video-conferencing platform were false and misleading.

5. Users, many of whom turned to Zoom to facilitate the most fundamental aspects of their lives in the midst of social distancing and shelter-in-place orders, are now faced with the daunting prospect that their private communications were not private at all, but subject to unwarranted viewing, intrusion and public exposure.

6. Plaintiffs, on behalf of all others similarly situated, allege claims for negligence, invasion of privacy, breach of implied contract, breach of confidence, along with violations of California’s Unfair Competition Law, California Consumer Privacy Act, and California’s Consumer Legal Remedies Act. By this complaint, Plaintiffs also seek to compel Zoom to adopt appropriate cyber security practices in order to ensure that personal information provided to Zoom and made through its video conferencing platform remain private and secure.4

4 “‘Personal information’ is any information that can be used to identify an individual, and may include, but is not limited to, name, email address, postal or other physical address, credit or debit card number, title, information generated from use of our Products, and other information required to provide a Product, deliver a product, or carry out a transaction you have requested.” Privacy Shield, Purpose of Data Collection, available at https://www.privacyshield.gov/participant?id=a2zt0000000TNkCAAW&status=Active (last accessed April 28, 2020).

PARTIES

7. Plaintiff Adam Buxbaum is a resident of California.

8. Plaintiff Buxbaum registered with Zoom for a free account and used Zoom’s services in reliance on Zoom’s promises that, among other things: (a) its videoconferences are secured with end-to-end encryption and are protected by security measures to ensure the privacy of user communications; (b) it will not sell user data without appropriate disclosure and consent; and (c) it will appropriately protect users’ personal information.

9. Mr. Buxbaum was unaware that Zoom’s video conferences were not fully private, that it shared user personal information without appropriate consent, and that users’ personal information was routinely exposed.

10. Mr. Buxbaum participated in several Zoom video conferences, at least one of which was subject to unwanted intrusion and terminally interrupted.

11. Plaintiff Deborah Blum is a California resident.

12. Plaintiff Blum registered with Zoom for a paid account and used Zoom’s services in reliance on Zoom’s promises that, among other things: (a) its videoconferences are secured with end-to-end encryption and are protected by security measures to ensure the privacy of user communications; (b) it will not sell user data without appropriate disclosure and consent; and (c) it will appropriately protect users’ personal information.

13. Ms. Blum was unaware that Zoom’s video conferences were not fully private, that it shared user personal information without appropriate consent, and that user personal information was routinely exposed.

14. Ms. Blum paid Zoom approximately $15 a month so that she could continue providing yoga instruction on-line. Ms. Blum’s classes are for her customers only, who also have a reasonable expectation that their participation will remain private. Given the recent revelation of Zoom’s inadequate cyber security vulnerabilities and inadequate privacy practices, Ms. Blum is reasonably concerned about the integrity and inviolability of her conferences.

15. Defendant Zoom Video Communications, Inc. is a Delaware corporation with its principal place of business in San Jose, California. Zoom was founded in 2011 and became a public company in 2019. It currently has over 200 million users.

JURISDICTION AND VENUE

16. This Court has subject matter jurisdiction over this action under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2). The amount in controversy exceeds $5 million, exclusive of interest and costs. While the exact number of class members is currently unknown, upon information and belief, Zoom has over 200 million users.

17. This Court has jurisdiction over the Defendant which conducts business in this District and has caused harm to Plaintiffs and Class Members residing in this District.

18. Venue is proper in this Court pursuant to 28 U.S.C. § 1391(a)(1) because a substantial part of the events and omissions giving rise to this action occurred in this District.

STATEMENT OF FACTS

19. Zoom is a cloud-based video communications platform that offers individuals, businesses and governments “an easy, reliable cloud platform for video and audio conferencing, collaboration, chat, and webinars across mobile devices, desktops, telephones, and room systems.”5

20. Zoom provides basic meeting services (100 participants up to 40 minutes) for free and a number of paid-for-plans that enable additional participants, unlimited conferencing times, and a series of additional amenities and functionalities.6

21. Regardless of the plan, all Zoom users are assured the same level of privacy and security of their personal information and communications made through the Zoom platform.

22. Next to functionality, privacy is paramount for video-conference users. Not surprisingly therefore, Zoom goes to great lengths to assure users that the platform is secure and personal information entrusted to Zoom is and will remain private.

5 Zoom, About, available at https://zoom.us/about (last accessed April 28, 2020).
6 Zoom, Pricing, available at https://zoom.us/pricing (last accessed April 28, 2020).

23. Zoom maintains a Privacy Policy wherein it reassures users, among other things, that it is “committed to protecting the privacy and security of [] personal data.”7

• We do not sell your data.8

• We do not sell your personal data.9

• Your meetings are yours. We do not monitor them or even store them after your meeting is done unless we are requested to record and store them by the meeting host.10

• Zoom collects only the user data that is required to provide you Zoom services.11

• We do not use data we obtain from your use of our services, including your meetings, for any advertising.12

• Zoom does not monitor or use customer content for any reason other than as part of providing our services.13

• Zoom does not sell customer content to anyone or use it for any advertising purposes.14

• Zoom is committed to protecting your privacy and ensuring you have a positive experience when using the services we provide.15

• We do not allow marketing companies, advertisers or similar companies to access personal data in exchange for payment. We do not allow third parties to use any personal data obtained from us for their own purposes, unless you consent.16

• Zoom is committed to protecting your personal data. We use a combination of industry-standard security technologies, procedures, and organizational controls and measures to protect your data from unauthorized access, use, or disclosure.17

7 Zoom, Privacy Policy (March 29, 2020), available at https://zoom.us/privacy (last accessed April 28, 2020).
8 Id.
9 Id.
10 Id.
11 Id.
12 Id.
13 Id.
14 Id.
15 Id.
16 Id.
17 Id.

• Zoom keeps privacy and security top of mind for all end users. Find resources and features on how Zoom secures your data and protects your privacy.18

• You are entrusting us with your valuable data and information and we take great care to ensure your data is secure at all times.19

• Zoom takes your privacy extremely seriously and only collects the data from individuals using the Zoom platform required to provide the service and ensure it is delivered effectively.20

24. Despite the litany of privacy assurances, the stark truth is that the Zoom platform is riddled with cyber security vulnerabilities that Zoom was negligent in allowing and failing to timely address. Its failures are exacerbated by its false and misleading representations about the viability of its security measures and its generally poor security hygiene, the combination of which has jeopardized the privacy of millions of its users.

A. Zoom’s Platform is Riddled With Security Vulnerabilities That Zoom Failed to Timely Identify or Address

25. Like many on-line businesses, Dropbox saw an opportunity to integrate Zoom’s video conferencing capabilities as a useful feature for its customers.21 Soon after integration, however, Dropbox began receiving reports that Zoom’s platform was riddled with security flaws that ranged from those that would enable attackers to “take over users’ actions on the Zoom web app,” to those that would enable attackers “to run malicious code on computers using Zoom software.”22

26. Independently, a research engineer at Tenable, a security vulnerability assessment company, “uncovered a serious flaw in Zoom that would have allowed an attacker to remotely disrupt a meeting — without even being on the call” and enabling the attacker to take control over a Zoom user’s screen and keyboard and/or “covertly install malware on their computer.” Id.

18 Id.
19 Zoom, Privacy & Security for Zoom Video Communications, available at https://zoom.us/docs/en-us/privacy-and-security.html (last accessed April 28, 2020).
20 Id.
21 Dropbox, How to Use Zoom with Dropbox, available at https://help.dropbox.com/installs-integrations/third-party/zoom (last accessed April 28, 2020).
22 Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox, New York Times (April 20, 2020) available at https://www.nytimes.com/2020/04/20/technology/zoom-security-dropbox-hackers.html (last accessed April 28, 2020).

27. Concerned that Zoom security vulnerabilities could impact its customers, in 2018, Dropbox “privately offered to pay top hackers it regularly worked with to find problems with Zoom’s software. It even had its own security engineers confirm the bugs and look for related problems before passing them on to Zoom.” Id.

28. In early 2019, Dropbox sponsored HackerOne Singapore, a live hacking competition in which ethical hackers were challenged to find security flaws in a variety of systems. To put pressure on Zoom to take security more seriously, Dropbox included Zoom among companies for which it offered bug bounties at the event.

29. As a result, hackers discovered flaws that would allow attackers to “secretly observe users’ video calls” or use the Zoom system “to gain access to the deepest levels of a user’s computer.” Id. Shockingly, Zoom waited more than three months to address the flaw. Id.

30. In July 2019, The Electronic Privacy Information Center (“EPIC”) submitted a 22-page complaint to the Federal Trade Commission (“FTC”) warning that Zoom’s business practices jeopardize the “privacy and security of the users of its services.”23 The complaint alleged that “Zoom intentionally designed their web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attacks. When informed of the vulnerabilities, Zoom did not act until the risks were made public, several months after the matter was brought to the company’s attention.” Id.

31. Months earlier, in March 2019, a software engineer, Jonathan Leitschuh, discovered a significant vulnerability in the Zoom platform affecting Apple Mac users wherein “any website could forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.”24 “A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.”25

23 In the Matter of Zoom Video Communications, Inc. available at https://epic.org/privacy/zoom/EPIC-FTC-Complaint-In-re-Zoom-7-19.pdf (last accessed April 28, 2020).

32. On March 26, 2019, Leitschuh contacted Zoom to inform it of the vulnerability and presented it with a quick fix solution. The engineer also gave Zoom a 90-day disclosure deadline before the matter would be made public. Despite having a “quick fix solution” that could have been implemented in a matter of days, Zoom waited nearly 3 months before implementing a fix, which unfortunately did not resolve the vulnerability.

The fix proposed by the Zoom team was to digitally ‘sign’ the request made to the client. However, this simply means that an attacker would have to have a backend server that makes requests to the Zoom site first to gain a valid signature before forwarding the signature on to the client. They also proposed locking the signature to the IP that made the request. This would mean that as long as the attacker’s server was behind the same NAT router as the victim, the attack would still work. I described to the Zoom team how both of these solutions were not enough to fully protect their users. Unfortunately, this left the Zoom team with only 18 days before public disclosure to come up with some better solution. Unfortunately, even after my warning, this was the solution they chose to go with.

Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner. An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack.26

33. Separately, Leitschuh also found an install vulnerability wherein once Zoom is installed, the web server “continues to run [even] if you uninstall Zoom from your computer.” In response to the public disclosure of this vulnerability, Apple immediately released a silent update—one that does not require any user interaction and is deployed automatically—that addressed the matter. “Apple often pushes silent signature updates to Macs to thwart known malware …. but it’s rare for Apple to take action publicly against a known or popular app. The company said it pushed the update to protect users from the risks posed by the exposed web server.”27

24 Apple has pushed a silent Mac update to remove hidden Zoom web server, TechCrunch (July 11, 2019) available at https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/ (last accessed April 28, 2020).
25 Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!, Medium (July 8, 2019) available at https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5 (last accessed April 28, 2020).
26 Id.

34. Unfortunately, Zoom’s poor privacy hygiene and failure to timely address security flaws was endemic to its business culture and a harbinger of worse things to come.

B. Zoom Failed to Provide Conferencing End-to-End Encryption as Promised, Putting User Privacy at Risk

35. With the onset of COVID-19, social distancing and shelter-at-home orders, demand for video conferencing skyrocketed. Virtually overnight, Zoom had become one of its biggest beneficiaries—its popularity based in large part on its ability to provide an easy to use private platform that enabled users (from all segments of society) to engage in their daily functions and maintain some semblance of normalcy.

36. Zoom’s meteoric rise, however, was not because it was the only video-conferencing platform on the market when the need arose. To the contrary, the landscape for videoconferencing is competitive. Platforms compete on ease of use, cost and basic features, the most important of which is privacy.

37. Among the cornerstones of Zoom’s privacy promises was that its video-conferencing platform was secure – conversations among invited participants would remain between those participants. The representation was bolstered by Zoom’s claim that conferencing was subject to end-to-end encryption (“E2E”) – commonly understood to be the most private form of internet communication, protecting conversations from all outside parties. Indeed, Zoom unequivocally promised users that:

• E2E Chat Encryption: Zoom E2E chat encryption allows for a secured communication where only the intended recipient can read the secured message. Zoom uses public and private key to encrypt the chat session with Advanced Encryption Standard (AES-256). Session keys are generated with a device-unique hardware ID to avoid data being read from other devices. This ensures that the session cannot be eavesdropped on or tampered with.

• The following pre-meeting security capabilities are available to the meeting host: Enable an end-to-end (E2E) encrypted meeting

• The following in-meeting security capabilities are available to the meeting host: Secure a meeting with E2E encryption28

27 Apple has pushed a silent Mac update to remove hidden Zoom web server, TechCrunch (July 11, 2019) available at https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/ (last accessed April 28, 2020).

38. Unfortunately, as unsuspecting users soon discovered, Zoom not only failed to provide end-to-end encryption, but it also lacked the technical capacity to do so.

39. On April 3, 2020, The Citizen Lab issued a report debunking Zoom’s representations.29 While Zoom documentation, as well as the Zoom app itself, “claims that Zoom offers a feature for ‘end-to-end (E2E) encrypted meetings,’” the representation is untrue.30

40. “Typically, the computer security community understands the term ‘end-to-end encrypted’ to mean that only the parties to the communication can access it (and not any middlemen that relay the communication).”31 However, Zoom’s service is not end-to-end encrypted, and as a result, the company has access to all encryption keys and to all video and audio content traversing its cloud.32

28 See Zoom Security Guide (ver. June 2019), available at https://web.archive.org/web/20200331082306/https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf (last visited April 28, 2020).
29 The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security, available at https://citizenlab.ca/about/ (last accessed April 28, 2020).
30 Move Fast and Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings, The Citizen Lab (April 3, 2020) (“CL Report”) available at https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/ (last accessed April 28, 2020).

41. “[D]espite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption […] which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when [a user] has a Zoom meeting, the video and audio content will stay private from anyone spying on a [] [user’s] Wi-Fi, but it won’t stay private from the company.”33

42. While E2E encryption is more difficult and costly to implement, it most certainly can be done, and is in fact offered by many of Zoom’s competitors such as Apple’s FaceTime and Signal.

43. When confronted with this revelation, a Zoom spokesperson admitted that, “[c]urrently, it is not possible to enable E2E encryption for Zoom video meetings.”34

44. “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” the Zoom spokesperson wrote, apparently referring to Zoom servers as “end points” even though they sit between Zoom clients. “The content is not decrypted as it transfers across the Zoom cloud” through the networking between these machines.35 According to one cryptographer, Professor Matthew D. Green of Johns Hopkins University’s Department of Computer Science, Zoom is twisting the common meaning of “end-to-end” in a “dishonest way.”36

31 Id. (CL Report).
32 Zoom’s Encryption Is “Not Suited For Secrets” And Has Surprising Links To China, Researchers Discover, The Intercept (April 3, 2020) available at https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/ (last accessed April 28, 2020).
33 Zoom Meetings Aren’t End-To-End Encrypted, Despite Misleading Marketing, The Intercept (March 31, 2020) available at https://theintercept.com/2020/03/31/zoom-meeting-encryption/ (last accessed April 28, 2020).
34 Id.
35 Id.

45. The Citizen Lab Report found that Zoom “rolled their own” encryption scheme, which has “significant weaknesses”37 and ultimately concluded that Zoom’s service is simply “not suited for secrets.”38

46. In the wake of this monumental transgression, Zoom only apologized for “confusion” stating that “[w]e recognize that we can do better with our encryption design.”39

47. In addition to Zoom’s false and misleading statements about its capacity to provide end-to-end encryption, its platform was also littered with a litany of cyber security vulnerabilities that demonstrated its negligent disregard for cyber security hygiene.

C. Zoom Transmits User Data Surreptitiously to Facebook Without User Knowledge or Consent

48. Zoom provides interested users the ability to log in via Facebook. The feature was enabled through Facebook’s standard software development kit (“SDK”), a bundle of code that developers often use to help implement certain features into their own app. Prior to utilizing this code, Facebook makes clear that using the SDK will result in the transmission of analytics and other user information to Facebook—an action that necessitates sufficient notice to users. “Facebook requires developers to be transparent with users about the data their apps send to Facebook. Facebook’s terms clearly state that, ‘[i]f you use our pixels or SDKs, you further represent and warrant that you have provided robust and sufficiently prominent notice to users regarding the Customer Data collection, sharing and usage,’ and specifically for apps, ‘that third parties, including Facebook, may collect or receive information from your app and other apps and use that information to provide measurement services and targeted ads.’”40

36 Id.
37 CL Report, supra n.31.
38 Zoom’s Encryption Is “Not Suited For Secrets” And Has Surprising Links To China, Researchers Discover, The Intercept (April 3, 2020) available at https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/ (last accessed April 28, 2020).
39 Zoom security issues: Zoombombings continue, include racist language and child abuse, CNET (April 24, 2020) available at https://www.cnet.com/news/zoom-security-issues-zoombombings-continue-include-racist-language-and-child-abuse/ (last accessed April 28, 2020).

49. Upon downloading and opening the app, Zoom automatically notifies Facebook and provides it with user details including when a user opened the app, their time zone, city, and information about their device including a unique advertiser identifier which can subsequently be used to identify user interests and target the user with advertisements.

50. Shockingly, Zoom transfers user data regardless of whether the user has a Facebook account, or has integrated their Facebook profile through Zoom.

51. Despite Facebook’s admonition to warn consumers about the transmission of their data, and Zoom’s independent legal obligation to do the same, Zoom failed to notify its users, seek their consent or provide them with an opportunity to opt out of Zoom’s data-sharing with Facebook.

52. When confronted with this data leak, Zoom claimed only that it was unaware “the Facebook SDK was collecting unnecessary device data,” but will now remove it and reconfigure the feature so that users will still be able to login with Facebook via their browser.41

D. Zoom Surreptitiously Mines User Data and Transmits to LinkedIn

53. Zoom’s claim that it was “unaware” of the user data it was transmitting to Facebook is disingenuous in light of the fact that Zoom routinely contracts with third parties to use its platform, and in so doing allows them to mine user data.

54. According to an analysis conducted by the New York Times, Zoom used data-mining tools to collect users’ personal information without authorization, then used the personal information to match the users’ LinkedIn profiles. “For Americans sheltering at home during the coronavirus pandemic, the Zoom videoconferencing platform has become a lifeline, enabling millions of people to easily keep in touch with family members, friends, students, teachers and work

40 Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account, Vice (March 26, 2020) available at https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account (last accessed April 28, 2020).
41 Zoom Removes Code That Sends Data to Facebook, Vice (March 28, 2020) available at https://www.vice.com/en_us/article/z3b745/zoom-removes-code-that-sends-data-to-facebook (last