What’s that barging into Zoom’s socially distanced virtual family reunion? It’s a lawsuit from US nonprofit Consumer Watchdog alleging the videoconferencing giant misled the public over its purported use of end-to-end encryption.
The lawsuit [PDF] was filed in the DC Superior Court in a bid to get the wider public to join in on a class action, and alleges that Zoom breached the District of Columbia Consumer Protection Procedures Act (DCCPPA), which prohibits false advertising and certain trade practices.
End-to-end encryption has a very specific meaning, argued Consumer Watchdog (as would any security expert you’d care to speak to), which is that the only parties who will be able to access a communication are the sender and the intended recipient. Zoom touted its credentials in this regard, promising secure end-to-end encryption through the platform’s interface, as well as in published white papers, the nonprofit said.
That wasn’t the case, it alleged in its complaint. Zoom previously used Transport Layer Security (TLS), which did not, in theory, prevent Zoom from intercepting and “accessing communications, messages, and data transmitted by users,” said the filing.
Consumer Watchdog also noted evidence that some calls were routed through servers in China, sparking further privacy concerns.
Zoom has remediated some of the issues raised in the suit by allowing users to select which servers to route their calls through and offering true end-to-end encryption – first exclusively to paid users, then to everyone else following a privacy backlash.
In its putative class action lawsuit, Consumer Watchdog seeks statutory damages under the DCCPPA, which amount to $1,500 per violation. This would, in theory, be multiplied by the number of Zoom users in Washington DC.
The Register has asked Zoom to comment. ®