Zoom has agreed to pay an $85 million settlement after falsely claiming calls were protected with end-to-end encryption and for handing over people’s data to Facebook and Google without their consent. This is the latest development in a list of privacy and security issues faced by the video platform that we first wrote about back in March 2020.
Why Zoom has agreed to an $85 million settlement
In March 2020, The Intercept reported that Zoom had lied about the encryption used for their video calls. In short, the video communication service claimed that it used end-to-end encryption when it did not. Around the same time, Vice reported that Zoom was also sharing user data with companies, including Facebook and Google, without consent. (Zoom has since fixed these data-sharing practices.)
Zoom also had some major security issues, including default settings that allowed online trolls to take over public calls in an act known as “Zoombombing”, and vulnerabilities that allowed hackers to access people’s webcams. For more information on Zoom’s privacy and security issues, you can read our full breakdown.
The Federal Trade Commission filed a complaint against Zoom in November 2020 after The Intercept exposed these holes in Zoom’s service. As a result, Zoom agreed to security improvements and a “prohibition on privacy and security misrepresentations”. Now, on 7 July 2021, Zoom has also agreed to pay an $85 million settlement, including compensation for those who were affected by these security shortcomings. People who are entitled to compensation will receive between just $15 and $25 each if the settlement is approved in court.
The maximum compensation of $25 doesn’t reflect the extent to which Zoom misled the people who used its services, nor the gravity of the potential consequences of doing so. Is this proposed settlement enough to make tech companies start taking user privacy and security seriously? And what can we do to better protect our data?
Why Zoom’s security measures matter
During the coronavirus pandemic, usage of the video service rocketed, with people increasingly using Zoom for socializing, work, and even healthcare provision.
People who used Zoom believed that no one could access the content of their video conversations except for the people on the call. This isn’t just a breach of users’ trust — in the case of online medical appointments in particular, it may have led practitioners (therapists, for example) and their patients to believe that their sessions were HIPAA compliant when they weren’t. At the extreme end of the spectrum, law enforcement in surveillance-heavy countries could have coerced Zoom to hand over data about its users (for example, information about political activists or journalists) when those users believed it was impossible for Zoom to do so.
What is end-to-end encryption?
With true end-to-end encryption, no one can access your encrypted data except for you and the intended recipient. This means that your data is protected from being seen by the service provider (Zoom in this instance) or anyone with access to their servers.
What did Zoom tell its users?
Zoom told its users that their video calls were end-to-end encrypted when actually they were protected by TLS encryption. Zoom generated and stored the keys to its users’ encrypted information on its servers rather than on its users’ devices, meaning anyone with access to those servers could monitor the unencrypted video and audio content of Zoom meetings. These servers are located around the world, often in countries where companies can be forced to share user data with law enforcement organizations.
What’s worse is that, according to the most recent lawsuit, Zoom’s response made it clear that it “knew that it did not use the industry-accepted definition of E2E encryption and had made a conscious decision to use the term ‘end-to-end’ anyway”.
What can you do about it?
In this case, there’s not a lot users could have done to better protect their data from easy accessibility, as they were given false information and led to believe their data was end-to-end encrypted. Fortunately, no instances of further data misuse or unauthorized access were reported.
Another way to protect your data is to never sign in using Facebook. Although it may save you time, it gives Zoom a lot more of your personal data, as well as giving more data to Facebook.
Who can you trust?
The issue is that people were led to believe their data was end-to-end encrypted and weren’t asked for consent before having their data shared with third parties. People who were trying to be careful with their privacy and data could have been misled into sharing more than they would have consented to if they had had all the information.
The Zoom lawsuits have shown that it’s easy for a company to mislead its users about the security precautions they take with their data. The reason privacy-conscious companies, like ProtonMail, are open source and independently audited is so that you do not need to trust us blindly. Anyone can view our code to ensure that it does exactly what we say it does. We also publish the results of our independent audits so you can be sure that our apps have been verified by someone outside of the ProtonMail organization.
ProtonMail is a truly end-to-end encrypted email service. When you send an encrypted email with ProtonMail, no one can see the content of that email except you and your intended recipient. You can sign up for a free ProtonMail account here.