Zoom was launched in 2013, but has really exploded in popularity as the coronavirus pandemic forces people to remain indoors to minimise viral transmission rates. Both personal and business use of Zoom has mushroomed over the last three months and it is currently the most popular app on both the App Store and Play Store. The parent company’s stock price has also doubled in value, despite the rest of the markets being in freefall.

With Zoom’s rapid ascent has also come greater scrutiny, in particular with regard to its privacy practices and the end-user agreement.

Last week, a Vice report described how the iOS Zoom app was sending some user data to Facebook, even if that Zoom user did not have a Facebook account.

The report concluded that Zoom was relaying information to Facebook via Facebook’s login SDK (which is used by at least half a million apps to allow users to log in with their Facebook account), including data about when users opened the app, as well as information about the user’s device, such as model, time zone, language, network operator and a “unique advertising identifier” to enable ad targeting. The app did not send information about any meetings the user had joined or what was said within them.

The report’s findings were verified by iOS researcher Will Strafach.

Following the publication of the report, Zoom CEO Eric Yuan posted a blog post claiming that the data-sharing practice emerged from Zoom giving iOS users the option to log into the app using their Facebook account. Zoom was unaware of the practice until last week, Yuan said. Last Friday (March 27), Zoom updated the iOS version of the app to remove the SDK, such that users can still log into the app with their Facebook account without compromising their personal data. With this new release, Zoom has said that it “would no longer send information to Facebook”.

Now, a lawsuit has been filed in federal court in California by Zoom user Robert Cullen of Sacramento. It accuses the company of having failed to “properly safeguard the personal information of the increasing millions of users” and disclosing this data to Facebook and other potential third parties without adequate notice or consent. The lawsuit alleges that users would not be willing to use the Zoom app if they were made aware that it permitted third-party tracking.

The proposed class includes “all persons and businesses in the [US]” whose information was collected and disclosed to a third party as the app was installed or opened.

According to the lawsuit, this violates California’s Consumer Privacy Act (which came into force on January 1 2020 and is similar in protections to the EU’s GDPR); the Consumers Legal Remedies Act, and Unfair Competition Law. The plaintiff is seeking injunctive relief and damages.

While Zoom’s share price had been enjoying a stratospheric rise since January, this has now dipped slightly as a result of the accusations that it is failing to protect its users’ privacy.

In addition to the class action lawsuit filed against it, Zoom has received a letter from Letitia James, the New York Attorney General, demanding that it outlines any new security measures it is implementing to address the surge in traffic on its servers. James expressed concern that if Zoom was slow to address security issues, this could “enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.” 

Zoom has also been criticised for a vulnerability which could force Mac users who had installed Zoom to join Zoom meetings with their cameras automatically activated; for inaccurately claiming that its meetings are end-to-end encrypted, and for a security vulnerability which could allow bad actors to generate meeting IDs and enter meetings without password protection.

The FBI has also issued a warning about the growth of ‘Zoombombing’, after reports of meetings being disrupted with pornography, profanities, threats and hate images, including Nazi imagery.

Zoom was launched in 2013, but has really exploded in popularity as the coronavirus pandemic forces people to remain indoors to minimise viral transmission rates. Both personal and business use of Zoom has mushroomed over the last three months and it is currently the most popular app on both the App Store and Play Store. The parent company’s stock price has also doubled in value, despite the rest of the markets being in freefall.

With Zoom’s rapid ascent has also come greater scrutiny, in particular with regard to its privacy practices and the end-user agreement.

Last week, a Vice report described how the iOS Zoom app was sending some user data to Facebook, even if that Zoom user did not have a Facebook account.

The report concluded that Zoom was relaying information to Facebook via Facebook’s login SDK (which is used by at least half a million apps to allow users to log in with their Facebook account), including data about when users opened the app, as well as information about the user’s device, such as model, time zone, language, network operator and a “unique advertising identifier” to enable ad targeting. The app did not send information about any meetings the user had joined or what was said within them.

The report’s findings were verified by iOS researcher Will Strafach.

Following the publication of the report, Zoom CEO Eric Yuan posted a blog post claiming that the data-sharing practice emerged from Zoom giving iOS users the option to log into the app using their Facebook account. Zoom was unaware of the practice until last week, Yuan said. Last Friday (March 27), Zoom updated the iOS version of the app to remove the SDK, such that users can still log into the app with their Facebook account without compromising their personal data. With this new release, Zoom has said that it “would no longer send information to Facebook”.

Now, a lawsuit has been filed in federal court in California by Zoom user Robert Cullen of Sacramento. It accuses the company of having failed to “properly safeguard the personal information of the increasing millions of users” and disclosing this data to Facebook and other potential third parties without adequate notice or consent. The lawsuit alleges that users would not be willing to use the Zoom app if they were made aware that it permitted third-party tracking.

The proposed class includes “all persons and businesses in the [US]” whose information was collected and disclosed to a third party as the app was installed or opened.

According to the lawsuit, this violates California’s Consumer Privacy Act (which came into force on January 1 2020 and is similar in protections to the EU’s GDPR); the Consumers Legal Remedies Act, and Unfair Competition Law. The plaintiff is seeking injunctive relief and damages.

While Zoom’s share price had been enjoying a stratospheric rise since January, this has now dipped slightly as a result of the accusations that it is failing to protect its users’ privacy.

In addition to the class action lawsuit filed against it, Zoom has received a letter from Letitia James, the New York Attorney General, demanding that it outlines any new security measures it is implementing to address the surge in traffic on its servers. James expressed concern that if Zoom was slow to address security issues, this could “enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.” 

Zoom has also been criticised for a vulnerability which could force Mac users who had installed Zoom to join Zoom meetings with their cameras automatically activated; for inaccurately claiming that its meetings are end-to-end encrypted, and for a security vulnerability which could allow bad actors to generate meeting IDs and enter meetings without password protection.

The FBI has also issued a warning about the growth of ‘Zoombombing’, after reports of meetings being disrupted with pornography, profanities, threats and hate images, including Nazi imagery.