By Anthony Spadafora, TECH RADAR
August 14, 2020
US advocacy group alleges Zoom's end-to-end encryption claims were false advertising
Earlier this year Zoom found itself in hot water over claims that its video conferencing service uses end-to-end encryption when it instead employs transport encryption instead.
Now, the company is facing a lawsuit from the US nonprofit advocacy group Consumer Watchdog.
The lawsuit, filed in a Washington DC court, alleges the company falsely told users that it offers full encryption which puts it in breach of the District of Colombia Consumer Protection Procedures Act (DCCPPA) that prohibits false advertising.
Back in April, The Intercept released a report which revealed that Zoom uses transport encryption as opposed to end-to-end encryption. Transport encryption is a Transport Layer Security (TLS) protocol which secures the connection between a user and the server they are connected to. However, the main difference between transport encryption and end-to-end encryption is that while others won't be able to access your data, Zoom will still be able to.
In its complaint against the company, Consumer Watchdog alleges that Zoom continued to say that its video conferencing software used end-to-end encryption even though it didn't at the time, saying:
“Zoom repeated its end-to-end encryption claims throughout its website, in white papers—including in its April 2020 HIPAA Compliance Guide—and on the user interface within the app. Through these representations, Zoom established itself as a safe, secure, and reliable video conferencing platform for consumers, and targeted sectors that require highly secure communication systems. Further, there is no question that consumers—and businesses in the healthcare sector—have specifically relied on Zoom’s false end-to-end encryption representations.”
Consumer Watchdog's lawsuit is asking the DC court for an injunction against Zoom in order to prevent the company from misrepresenting its security measures. At the same time, the advocacy group is seeking statutory damages under the DCCPPA which allows for fines of up to $1,500 per violation. This means that that the total possible fine levied against the company could add up very quickly depending on the number of consumers that the court deems were impacted in the DC-area.
In Zoom's defense, the company has been working hard to add end-to-end encryption to its platform and bolster the security of its video conferencing service. For instance, in May it acquired the secure messaging and file-sharing service Keybase to help with these efforts.