What's that barging into Zoom's socially distanced virtual family reunion? It's a lawsuit from US nonprofit Consumer Watchdog alleging the videoconferencing giant misled the public over its purported use of end-to-end encryption.
The lawsuit [PDF] was filed in the Washington DC Superior Court in a bid to get the wider public to join in on a class action, and alleges that Zoom breached the District of Columbia Consumer Protection Procedures Act (DCCPPA), which prohibits false advertising and certain trade practices.
End-to-end encryption has a very specific meaning, argued Consumer Watchdog (as would any security expert you'd care to speak to), which is that the only parties able to access a communication are the sender and the intended recipient – and not even Zoom itself can listen in. Zoom touted its credentials in this regard, promising secure end-to-end encryption through the platform's interface, as well as in published white papers, the nonprofit said.
That wasn't the case, Consumer Watchdog alleged in its complaint. Zoom previously used bog-standard non-end-to-end-encrypted Transport Layer Security, aka TLS, rather than true end-to-end encryption that would prevent Zoom from intercepting and "accessing communications, messages, and data transmitted by users," said the filing.
Consumer Watchdog also noted evidence that some calls were routed through servers in China, sparking further privacy concerns.
Zoom has remediated some of the issues raised in the suit by allowing users to select which servers to route their calls through, and by promising to eventually offer true end-to-end encryption – first exclusively to paid users, then to everyone else following a privacy backlash. That feature is lurking in beta status at the moment.
"We take privacy and security extremely seriously and are committed to continuous enhancements, including the timely beta testing and implementation of end-to-end encryption," a spokesperson for Zoom told us.
In its putative class action lawsuit, Consumer Watchdog seeks statutory damages under the DCCPPA, which amount to $1,500 per violation. This would, in theory, be multiplied by the number of Zoom users in Washington DC.