Following extensive reporting on egregious security failures, video conferencing company Zoom is now being sued by a shareholder over allegations of fraud and overstating the security protocols in place on its service.
In the lawsuit filed Tuesday in the U.S. District Court for the Northern District of California, plaintiff Michael Drieu—on behalf of individuals who purchased Zoom securities after the company went public last year—accuses the company of making “materially false and misleading statements” about its product and failing to disclose key information about the service. Namely, the suit cites Zoom as claiming that its product supported end-to-end encryption, when in fact it supports a different form of encryption called transport encryption—as the Intercept reported last month—that still allows Zoom to access data.
Additionally, the suit alleges that Zoom’s security failures put users “at an increased risk of having their personal information accessed by unauthorized parties, including Facebook,” that these facts would necessarily result in a decline in users, and that the company’s responses to ongoing reporting on myriad problems on the service were “misleading at all relevant times.” The suit states that the fallout from these incidents was exacerbated by the covid-19 crisis, during which time users of the service jumped from just 10 million to 200 million in a matter of months as schools and organizations turned to Zoom amid social distancing measures and shelter-in-place orders.
The suit cites documentation related to Zoom’s IPO as evidence that the company misrepresented the security protocols in place for protecting users. Specifically, the suit states, Zoom said it offered “robust security capabilities, including end-to-end encryption, secure login, administrative controls and role-based access controls,” and—in what was clearly an embarrassing claim by the company—that it strives “to live up to the trust our customers place in us by delivering a communications solution that ‘just works.’”
Zoom did not respond to multiple requests for comment.
The last few weeks have had a devastating impact on Zoom’s public image, as the company various companies and educational institutions have stopped using the service amid reporting on security failures as well as so-called “Zoombombings.” These events—wherein hackers access meetings that include everything from remote grade school classes to addiction support groups in order to post porn and other lewd or disturbing imagery—have prompted a warning from the Federal Bureau of Investigation as well as multiple state investigations into Zoom’s security measures.
Amid ongoing reporting on the company’s overt failures, Zoom CEO Eric Yuan issued a public apology last week addressing the issues.
“We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security,” Yuan said. “However, we recognize that we have fallen short of the community’s—and our own—privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”