Surely by now, you’ve heard of the video distribution and conferencing platform, Zoom, since COVID-19 has forced the world to go digital. In recent weeks, the platform has certainly experienced a sharp rise in traffic, with the app downloaded more than 50 million times on the Google Play store alone. With a market valuation of close to $42 billion, up from $16 billion in 2019, Zoom is still having to answer for ‘Zoom bombing’ calls.
‘Zoom bombing’ is a new technique in the wake of COVID-19, where attackers are able to identify, discover, and infiltrate insecure video conferences. In other words, Zoom is not end-to-end encrypted, unlike other messaging platforms such as Facebook’s WhatsApp, Signal, and Telegram.
In one such incident, highlighted by Techradar, an unknown individual joined an online class taking place over Zoom, shouted profanities and revealed the teacher’s personal address. In another case reported to the FBI, an unidentified conference attendee paraded a set of swastika tattoos.
“The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language,” said a warning published by the FBI.
However, despite the platform’s global popularity, Zoom Video Communications Inc. is now sitting in the legal hotseat, as the company was just named in a proposed class-action lawsuit on Tuesday over allegations that it failed to protect users’ personal information.
Robert Cullen of Sacramento sued the company in California federal district court, according to Law360, saying Zoom has violated California’s Unfair Competition Law, Consumers Legal Remedies Act and Consumer Privacy Act by collecting and disclosing personal information to third parties like Facebook “upon installing or upon each opening of the Zoom app,” according to the complaint.
The proposed class includes “all persons and businesses in the United States” whose personal information was collected or disclosed to a third party “upon installation or opening” of the Zoom app, according to the complaint.
In preparing this piece, Grit Daily has obtained and reviewed the complaint.
The issue lies within Zoom’s mobile app (“Zoom App”), which, according to the Complaint, included code that disclosed users’ personal information to Facebook and possibly other third parties “without any adequate disclosure to users.”
Joseph Cox’s March 26 Motherboard Report
On March 26, 2020, Joseph Cox posted a report on Motherboard for the Vice Media Group documenting the Zoom App’s unauthorized disclosure of users’ personal information to Facebook.
The report states “the Zoom app notifies Facebook when the user opens the app, details on the user’s device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user’s device which companies can use to target a user with advertisements.”
The findings contained in the report were verified by Will Strafach, an iOS researcher and founder of the privacy-focused iOS app Guardian.
The Information (Allegedly) Disclosed
The unauthorized information is sent to Facebook when a user installs, and each time a user opens, the Zoom App. This information includes, but is not limited to, the users’ mobile OS (operating system) type and version, the device time zone, the device model and the device’s unique advertising identifier. The unique advertising identifier allows companies to target the user with advertisements. This information, according to the complaint, is sent to Facebook by Zoom regardless of whether the user has an account with Facebook.
Zoom Confirms the Unauthorized Disclosures
In response to Cox’s report, Zoom released a new version of the app on March 27, according to the complaint, which most of us probably downloaded over the weekend considering most of us were hosting friend chats and “book clubs.” With the release, the company shared that “it would no longer send information to Facebook.”
But the plaintiffs believe the company failed to block previous versions of the app or assure users that the information already collected had been deleted.
That same day, Zoom publicly admitted in a blog entry on its website that the Zoom App was in fact sending at least the following personal information to Facebook upon installation and each open and close of the Zoom App:
- Application Bundle Identifier
- Application Instance ID
- Application Version
- Device Carrier
- iOS Advertiser ID
- iOS Device CPU Cores
- iOS Device Disk Space Available and iOS Device Disk Space Remaining
- iOS Device Display Dimensions and iOS Device Model
- iOS Language
- iOS Timezone
- iOS Version
- IP Address
Zoom further admitted that these unauthorized disclosures, for which no adequate notice was provided to users, began when Zoom implemented a “Login with Facebook” feature using Facebook’s software development kit (“SDK”) for iOS.
California Consumer Privacy Act
Our focus here is primarily on the allegations of Zoom violating California’s newest privacy law.
In our previous coverage of the California Consumer Privacy Act (CCPA), we believed that in order to get a better understanding of the Act’s implementation, we would need to see “guinea pigs” who unfortunately didn’t take the newly implemented CCPA seriously. And now we get to see it…with Zoom.
In effect as of January 1, 2020, the CCPA was enacted as the first “real” privacy law in the U.S., mirroring the European Union’s GDPR, which protects consumers’ personal information from collection and use by businesses without appropriate notice and consent.
In the Complaint, Cullen argues that Zoom violated the CCPA by failing to provide users with “adequate notice” before collecting and using their personal data, and failing to “implement and maintain reasonable security procedures.”
Grit Daily will be providing updates as the docket is updated.
Oh, and if you’re still using Zoom, to avoid potential incidents of ‘Zoom bombing’, the FBI has advised schools and businesses to adhere to the following guidelines:
- Do not make meetings or classrooms public
- Do not share Zoom conference links on public social media
- Manage screen-sharing options
- Ensure users keep their Zoom clients up to date
- Ensure your organisation’s telework policy addresses requirements for physical and information security
For more information on this case:
Case Name: Cullen v. Zoom Video Communications Inc.
Case Number: 5:20-cv-02155
The proposed class is represented by Mark J. Tamblyn and Kenneth A. Wexler of Wexler Wallace LLP and Daniel E. Gustafson, David A. Goodwin and Ling S. Wang of Gustafson Gluek PLLC. Attorney information for Zoom could not immediately be confirmed.
Ironically, Marriott Hotels announced it was the victim of another data breach affecting 5.2 million guests, following its first breach back in November 2018.