Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.
Sign up for our California newsletter
You must correct or enter the following before you can sign up:
Thank You!
Law360 (April 29, 2020, 8:21 PM EDT) -- Zoom's purported security flaws have allowed "uninvited men" to crash a Texas dance instructor's virtual burlesque and pole-dancing classes, according to a proposed class action in California federal court, adding to the long list of recent privacy lawsuits aimed at the videoconferencing platform.
Zoom users expect that their conversations will only be heard and seen by those people to whom they are speaking, but the videoconferencing platform is violating California law with its lax security measures that are allowing uninvited guests to gain access to meeting content, according to a complaint filed Monday by dance instructor Stacey Simins.
When the spread of the novel coronavirus closed her studio in Austin, Texas, Simins said she started offering private classes online using a paid Zoom license to connect with her students. When she bought the license, Simins said she noticed the advertised security features included encryption.
But after she started using Zoom, Simins said "uninvited men" joined some of her classes and started intimidating and harassing her clients. More than once, Simins said she was forced to cancel a session as a result of the intrusions.
Now, her business is suffering because some of her clients don't feel comfortable attending the virtual classes, Simins said. Had she known about those security flaws, Simins said she never would have paid for Zoom.
In her suit, which claims violations of California's Unfair Competition Law and Consumers Legal Remedies Act, Simins is seeking to make Zoom provide improved security and privacy, and pay damages and restitution, on behalf of herself and anyone in the U.S. who has used or bought Zoom Meetings plans.
As California-based Zoom has become the de facto platform for digital communication during the COVID-19 pandemic, the surge in traffic has exposed significant weak points in Zoom's system.
Zoom founder and CEO Eric Yuan apologized to customers this month for falling short on privacy and security expectations amid the traffic spike and said that supporting the influx of users amid the pandemic has been a tremendous undertaking. According to Yuan, daily Zoom meeting participants jumped from 10 million in December to 200 million in March.
In his message to users, Yuan outlined a 90-day plan to dedicate resources to identify and fix issues proactively, including shifting Zoom's engineering resources to focus on safety and privacy issues, conducting a review with third-party experts and conducting penetration tests to identify and address issues. In addition, Yuan has been hosting a weekly webinar to provide privacy and security updates for the community.
"Zoom offers a number of built-in protections to help hosts protect their meetings, and we have recently made a series of updates to help hosts more easily access these features and avoid uninvited guests," a Zoom spokesperson told Law360 on Wednesday.
Counsel for Simins did not immediately respond to a request for comment.
On April 8, Sen. Ed Markey, D-Mass., asked the Federal Trade Commission to roll out cybersecurity guidelines and best practices industrywide, saying privacy concerns are important as millions of Americans depend on online conferencing software for communication during the public health crisis.
However, shareholders and consumers have already brought the issue to court.
Shareholders sued Zoom accusing it of misleading them about the degree of its data privacy and security measures and failing to disclose that its service was not end-to-end encrypted. And late last week, a California federal judge combined eight proposed class actions against the video-conferencing giant, alleging it failed to protect users' personal information.
Simins' suit on Monday, which also includes claims of unjust enrichment and fraud, alleges that Zoom broke its promises and misled users about its security and privacy measures.
Despite its representations, Zoom never provided end-to-end encryption for virtual meetings, according to the complaint, but instead offered transport encryption. With end-to-end encryption, only the meeting participants have the keys required to decrypt meeting content, Simins said. With transport encryption, data is encrypted as it travels over the internet with Zoom having access to the encryption keys, according to the complaint.
Another issue with Zoom's flawed security, according to Simins, is the ability for third parties to enable and access the webcam in Zoom meetings on Apple computers.
"An attacker exploiting this vulnerability could use Zoom to access a user's video feed without the user's knowledge," Simins said.
The suit also points out the issue of "Zoombombing," a practice in which attackers join Zoom meetings uninvited and then broadcast hate symbols, indecent content or other shocking images. "Zoombombers" can access meetings through publicly shared links and automated software that attempts possible meetings IDs, according to the suit.
Many companies, including Google, Tesla, SpaceX and New York City public schools, have banned their employees from using Zoom until its security is improved, according to the suit.
Simins is represented by Eric H. Gibbs, Andre Mura, Amanda M. Karl and Jeffrey Kosbie of Gibbs Law Group LLP.
Counsel information for Zoom was not immediately available.
The case is Stacey Simins v. Zoom Video Communications Inc., case number 5:20-cv-02893, in the U.S. District Court for the Northern District of California.
--Additional reporting by Celeste Bott, Anne Cullen, Kelly Zegers and Allison Grande. Editing by Orlando Lorenzo.
For a reprint of this article, please contact reprints@law360.com.
