“Zoombombing” Privacy Lawsuit Settlement Puts a $85 Million Price Tag on Zoom’s Security Failures

Zoom Video Communications may be paying a very significant price to settle a 2020 privacy lawsuit that accused the company of wrongful data sharing with third parties such as Facebook, Google and LinkedIn. The lawsuit also addressed the practice of “zoombombing,” the trend of unauthorized parties dropping into conference calls to disrupt them (often with racist abuse and pornography).

With expected 2021 revenues of about $3.7 billion, the preliminary settlement, if approved, is unlikely to cause Zoom a tremendous amount of pain, but it does put a substantial price tag on the company’s failure to keep pace with cybersecurity needs as it experienced rapid growth. Each end user is expected to receive either a $25 payment or a 15% discount on the cost of their premium subscription. The more relevant outcome for most will be that the privacy lawsuit and the string of negative press prompted meaningful security changes at Zoom to shore up the product.

Zoombombing privacy lawsuit prompts numerous security upgrades

“Zoombombing” incidents became such a trend in early 2020 that the FBI issued a public warning about them, asking the public for leads on incidents. Harassment campaigns were often organized in private chats and on message boards, with online trolls disrupting everything from online classes to support groups. Zoombombing was extremely difficult for meeting administrators to police, as the trolls could quickly switch participant accounts to avoid being kicked out. This all came as Zoom was experiencing unprecedented growth thanks to pandemic measures, adding about 70 million new users to its existing six million between February and March and continuing to add tens of millions of new users per month through 2020.

Zoombombing was popular in no small part because Zoom made it relatively easy to do. Outside users only needed a Zoom code to join a conference, and these were often posted in public by organizers. Even after word of zoombombing began to spread, codes were often inadvertently revealed in social media videos or screenshots by less technically savvy participants. Hackers also used a type of “war dialer” to cycle through potential Zoom codes, which consisted of 9 to 11 digits; these defeated Zoom protections against automated scanning by routing traffic through proxy servers in the Tor network.

In response to the string of bad press it was getting about zoombombing and a number of other security failings (such as weaknesses in its encryption and the use of servers located in China), Zoom rolled out a series of security improvements in 2020. It enabled a waiting room by default so that administrators could screen participants before they joined, changed the way meeting passcodes were handled, and made encryption available to all users amidst a 90-day blitz of security updates. The settlement indicates that even more security improvements are on the way: in-meeting notifications about which users have access to the personal information of others, warnings when a host or participant activates a third-party app during a meeting, and clearer privacy disclosures, among other items.

Zoom privacy lawsuits

The settlement combines 14 separate class action privacy lawsuits that were filed between March and May 2020, which the U.S. District Court for the Northern District of California consolidated into one case. In addition to the annoyance and harassment of zoombombing, the privacy lawsuits also included complaints about Zoom’s data sharing with partners such as LinkedIn and Facebook. The complaints alleged that Zoom shared personal data with these third-party services without proper user notification, and that it exaggerated its use of end-to-end encryption to protect calls and messages. Zoom has denied any wrongdoing as part of its settlement terms.

One of the privacy lawsuits claimed that Zoom’s iOS app was sending analytics data to Facebook without mentioning that possibility in its privacy policy. The Zoom user did not need to be logged into a Facebook account (or even have one) for usage data to be sent to the social media giant. The issue appears to originate with Zoom’s use of a “Login With Facebook” feature, which plugs the app into Facebook’s massive internet-spanning advertising network even if the Zoom user never makes use of it. A similar issue occurred when users opted to link their Zoom account to a Google Drive account.

The issue with LinkedIn mentioned in the privacy lawsuit was more proactive on Zoom’s part. In April 2020, New York Times reporters discovered that Zoom would surreptitiously run user names and email addresses through a LinkedIn search every time certain users entered a conference. If the user had a LinkedIn profile that matched the search, it would automatically be linked to their Zoom account and information from it would be displayed in conferences. Some Zoom user data was also made available to subscribers of the premium LinkedIn Sales Navigator service. The issue raised by the privacy lawsuit is that Zoom did not notify users that it was going to do this, ask their permission, or provide a way to opt out of the process. These features were shut down in early April after the Times notified Zoom of its findings.