By Allison Grande, LAW 360
August 11, 2020
Law360 (August 11, 2020, 7:00 PM EDT) -- Advocacy group Consumer Watchdog has hit Zoom Video Communications Inc. with a lawsuit in D.C. Superior Court, claiming the company falsely promised it was using end-to-end encryption to protect its users' communications in an effort to boost its brand amid the COVID-19 pandemic.
The new complaint, filed by the watchdog group late Monday on behalf of members of the public, alleges that Zoom violated the District of Columbia Consumer Protection Procedures Act by falsely and repeatedly advertising end-to-end encryption as part of the security measures it uses. The group asserted that Zoom did this in order to distinguish itself from its competitors and attract new customers as demand for videoconferencing services skyrocketed amid stay-at-home orders issued as a result of the global health crisis.
"As the number of reported data breaches and privacy incidents continues to soar, consumers are making data security a crucial consideration when choosing which companies to do business with and which products to buy," the nonprofit consumer advocacy group said in its complaint. "Unfortunately, Zoom's claims that communications on its platform were end-to-end encrypted were false. Zoom only used the phrase 'end-to-end encryption' as a marketing device to lull consumers and businesses into a false sense of security."
The advocacy group alleged that Zoom's users, including businesses in the health care sector that have chosen the service to enable the exchange of sensitive medical information, relied on the company's assertion that it was using end-to-end encryption, a top industry standard that blocks anyone but the sender and intended recipient from accessing transmitted communications. But despite those promises, Zoom "has always been capable of intercepting and accessing any and all of the data that users transmit on its platform — the very opposite of end-to-end encryption," according to the complaint.
Consumer Watchdog, which is being represented by attorneys from its own litigation team as well as from prominent plaintiffs' firm Edelson PC, is pushing for an order prohibiting Zoom from misrepresenting the level of security it offers to those using its platform. The complaint also seeks statutory damages under the DCCPPA of $1,500 per violation on behalf of of the tens of thousands of Zoom users in Washington, D.C.
In response to the new filing, Zoom said in a statement provided to Law360 on Tuesday that it takes privacy and security "extremely seriously" and is "committed to continuous enhancements, including the timely beta testing and implementation of end-to-end encryption."
Monday's lawsuit marks the latest data privacy and security backlash that Zoom has faced since surging to prominence earlier this year as more users than ever flocked to its service to work remotely and stay in touch with family and friends amid the COVID-19 pandemic.
The company is facing several potential consumer class actions targeting both its alleged unauthorized sharing of personal information with third parties such as Facebook and LinkedIn as well as purported security vulnerabilities that have allowed hackers to "Zoom bomb" virtual meetings with pornography and other inappropriate content.
Investors have also sued Zoom, claiming the company misled them about the degree of its data privacy and security measures and failed to disclose that its service was not end-to-end encrypted.
Zoom's encryption promises have been the topic of much discussion in recent months, with the company facing harsh scrutiny over a plan that it has since backed down from to provide end-to-end encryption only to its paid users.
In the latest complaint filed by Consumer Watchdog, the group claims Zoom falsely touted its enhanced encryption through its website, on the user interface within its app and in published security "white papers," including an April guide promoting the platform as a way for medical professionals to securely transmit sensitive patient personal information.
Those deceptive data security promises not only misled users, but also put its global servers at increased risk of cyberattacks, according to Consumer Watchdog. The group also flagged as "particularly troubling" recent reports that Zoom maintains servers in China — "a country whose government is often accused of trade secret theft" — and that the company "may have disclosed its American users' sensitive personal information to the Chinese government."
"Families around the country are increasingly relying on communication platforms to connect with the world in new ways, whether it's educating our children, working with coleagues or staying in touch with loved ones," Edelson PC partner Ari Scharg said in a statement Tuesday. "It is paramount that companies tell their customers the truth about who can listen to their private communications."
Consumer Watchdog is represented in-house by Harvey Rosenfield, Jerry Flanagan and Benjamin Powell, and Jay Edelson, Ari J. Scharg and Theo J. Benjamin of Edelson PC.
Counsel information for Zoom was not immediately available Tuesday.
The case is Consumer Watchdog v. Zoom Video Communications Inc., case number 2020 CA 003516, in the Superior Court of the District of Columbia.
--Editing by Stephen Berg.