Zoom settles US class action privacy lawsuit for $86m


Video-conferencing firm Zoom has agreed to pay $86m (£61.9m) to settle a class action privacy lawsuit in the US.

The lawsuit alleged that Zoom had invaded the privacy of millions of users by sharing personal data with Facebook, Google and LinkedIn.

It also accused Zoom of misstating that it offers end-to-end encryption and for failing to prevent hackers from “zoombombing” sessions.

The firm denied any wrongdoing, but has agreed to boost its security practices.

The preliminary settlement, which also includes a provision that Zoom will give its staff specialised training in data handling and privacy, is still subject to approval by US District Judge Lucy Koh in San Jose, California.

A Zoom spokesman said: “The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us.

“We are proud of the advancements we have made to our platform, and look forward to continuing to innovate with privacy and security at the forefront.”

The class-action lawsuit, filed in March 2020 in the US District Court in the Northern District of California, is just one of several legal complaints facing the US-based video-conferencing platform.

The lawsuit was filed on behalf of Zoom Meetings paid subscribers nationwide, as well as free users.

According to the plaintiff’s lawyers, US Zoom subscribers generated $1.3bn in revenues for the video-conferencing firm.

Should the proposed settlement be approved, subscribers included in the class action would be eligible for 15% refunds on their subscriptions or $25, whichever is larger, while others could receive up to $15.

The plaintiffs’ lawyers also intend to seek $21.3m in legal fees from Zoom.

The video-conferencing firm had asked the court to dismiss the motion in March.

However Judge Koh only granted the dismissal of part of the case pertaining to invasion of privacy and negligence – she allowed the plaintiffs to continue to pursue some claims relating to contracts.

Zoombombing and security concerns

The video-conferencing firm has long been criticised for its approach to its security.

One key issue that has led to some companies choosing to stop using the platform is the phenomena of “Zoombombing” incidents, where uninvited guests crash meetings to cause problems.

According to the New York Times, in April last year a virtual Chipotle event during the coronavirus lockdown was disrupted when a hacker entered and broadcast pornography to hundreds of attendees.

Zoom has also come under fire for security flaws, including a vulnerability that allowed an attacker to remove attendees from meetings, spoof messages from users and hijack shared screens. Another saw Mac users forced into calls without their knowledge.

On top of this, plaintiffs of the lawsuit accused the platform of misrepresenting its encryption protocol – transport encryption – as end-to-end encryption.

This means Zoom can access the video and audio of meetings, rather than the meeting’s participants being the only ones able to decrypt communications.

However, since April 2020, it is understood that Zoom has undertaken a substantial amount of work to address security and privacy concerns through app updates, including the introduction of end-to-end encryption and more than 100 features related to privacy, safety and security.