Zoom-er or later, your past catches up with you: Vid chat service hit by sueball over end-to-end encryption claim

US consumer nonprofit alleges it was false advertising


What's that barging into Zoom's socially distanced virtual family reunion? It's a lawsuit from US nonprofit Consumer Watchdog alleging the videoconferencing giant misled the public over its purported use of end-to-end encryption.

The lawsuit [PDF] was filed in the Washington DC Superior Court in a bid to get the wider public to join in on a class action, and alleges that Zoom breached the District of Columbia Consumer Protection Procedures Act (DCCPPA), which prohibits false advertising and certain trade practices.

End-to-end encryption has a very specific meaning, argued Consumer Watchdog (as would any security expert you'd care to speak to), which is that the only parties able to access a communication are the sender and the intended recipient – and not even Zoom itself can listen in. Zoom touted its credentials in this regard, promising secure end-to-end encryption through the platform's interface, as well as in published white papers, it said.

That wasn't the case, Consumer Watchdog alleged in its complaint. Zoom previously used bog-standard non-end-to-end-encrypted Transport Layer Security, aka TLS, rather than true end-to-end encryption that would prevent Zoom from intercepting and "accessing communications, messages, and data transmitted by users," said the filing.

Consumer Watchdog also noted evidence that some calls were routed through servers in China, sparking further privacy concerns.

Zoom has remediated some of the issues raised in the suit by allowing users to select which servers to route their calls through, and by promising to eventually offer true end-to-end encryption – first exclusively to paid users, then to everyone else following a privacy backlash. That feature is lurking in beta status at the moment.

"We take privacy and security extremely seriously and are committed to continuous enhancements, including the timely beta testing and implementation of end-to-end encryption," a spokesperson for Zoom told us.

In its putative class action lawsuit, Consumer Watchdog seeks the statutory damages under the DCCPPA, which amount to $1,500 per violation. This would, in theory, be multiplied by the number of Zoom users in Washington DC. ®


Biting the hand that feeds IT © 1998–2021