Zoom agrees to pay subscribers $25 to put its security SNAFUs behind it

US-based Zoom users may have a little cash coming their way after the video meeting outfit lodged a preliminary settlement in a class action related to some of its less-than-brilliant security and data protection practices.

The settlement was filed Saturday in an attempt to end a class action that alleged Zoom indulged in unlawful activities – including misrepresenting its end-to-end encryption capabilities and unauthorized transfer of personal data to third parties like Facebook, Google and LinkedIn – as well as implementing grossly inadequate security and privacy controls.

The latter led to "Zoombombing" – a distinctly 2020 term describing the hijacking of Zoom meetings, typically to display offensive material or otherwise disrupt people going about their business.

According to the court document [PDF], the settlement establishes a non-reversionary cash fund of US$85 million to pay claims and fees. Zoom collected approximately $1.3 billion from US subscribers, and the settlement amount represents around six per cent of the total revenues collected based on allegedly unlawful activities.

That translates to a 15 per cent refund on core subscriptions, or $25 for more expensive subscriptions. Users without subscriptions stand to take home $15. Legal fees are expected to be US$21.25 million.

The deal requires approval from US District Judge Lucy Koh (who incidentally also presided over one of Apple and Samsung's many court battles), before it is finalised. Another hearing is scheduled for October 21, 2021.

• What is your greatest weakness? The definitive list of the many kinds of interviewer you will meet in Hell
• Oracle and AWS trumpeted how their clouds helped Zoom scale. But it turns out Zoom fears its cloud bills and uses co-located kit
• Zoom finally adds end-to-end encryption for all, for free – though there are caveats

In addition coughing up cash, Zoom has promised to improve its security, privacy and data measures. It aims to introduce features like in-meeting notifications on who can see, save and share information, privacy statements that disclose the software's sharing of data with third parties, and keeping records of meeting disruptions that involve illegal content. As a part of the settlement, Facebook has been asked to delete any US user data obtained from Zoom's software development kit.

The San Jose-based communications company denied wrongdoing and, at least when it came to Zoombombing, Judge Koh mostly agreed. Section 230 of the Federal Communications Decency Act provides immunity for web site platforms from third-party content. The court concluded that the "bulk of Plaintiffs' Zoombombing claims lie against the 'Zoombombers' who shared heinous content, not Zoom itself. Zoom merely '‘provid[ed] neutral tools for navigating' its service."

The company released a statement over the weekend, declaring "The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us."

The Register has reached out to Zoom, but at the time of posting had not heard a reply.

If approved, aggrieved users will be able to apply for their $25 at the not-yet functioning settlement web site www.ZoomMeetingsClassAction.com. ®