Zoom Accused of Misrepresenting Security Measures In New Lawsuit (gizmodo.com)
Video conferencing company Zoom is being sued by a shareholder over allegations of fraud and overstating the security protocols in place on its service. Gizmodo reports: In the lawsuit filed Tuesday in the U.S. District Court for the Northern District of California, plaintiff Michael Drieu -- on behalf of individuals who purchased Zoom securities after the company went public last year -- accuses the company of making "materially false and misleading statements" about its product and failing to disclose key information about the service. Namely, the suit cites Zoom as claiming that its product supported end-to-end encryption, when in fact it supports a different form of encryption called transport encryption -- as The Intercept reported last month -- that still allows Zoom to access data.
Additionally, the suit alleges that Zoom's security failures put users "at an increased risk of having their personal information accessed by unauthorized parties, including Facebook," that these facts would necessarily result in a decline in users, and that the company's responses to ongoing reporting on myriad problems on the service were "misleading at all relevant times." The suit states that the fallout from these incidents was exacerbated by the COVID-19 crisis, during which time users of the service jumped from just 10 million to 200 million in a matter of months as schools and organizations turned to Zoom amid social distancing measures and shelter-in-place orders. The suit cites documentation related to Zoom's IPO as evidence that the company misrepresented the security protocols in place for protecting users. Specifically, the suit states, Zoom said it offered "robust security capabilities, including end-to-end encryption, secure login, administrative controls and role-based access controls," and -- in what was clearly an embarrassing claim by the company -- that it strives "to live up to the trust our customers place in us by delivering a communications solution that 'just works.'"
What? (Score:3)
Video conferencing company Zoom is being used by a shareholder
Seriously, is it too much to ask that an editor spells four-letter words correctly? What happened? Did you not read the submission and instead rely on little red squiggles to let you know something might be wrong?
Re: (Score:3)
wait until you get to the part where "users eat an increased risk" ...
it must have been very urgent to get this story out, this is surely critical news.
Re: (Score:3)
It has been urgent -- the clicks won't bait themselves, you know.
Re: (Score:2)
Re:Let's all pile on Zoom (Score:5, Insightful)
The point is not that its security is imperfect. The point is that it allegedly told customers and shareholders that its security was far more bulletproof than it is. Specifically, it said it had "end-to-end encryption," when really the best guarantee Zoom can make is that some data will be encrypted while in transit.
Re: (Score:2)
No fucking sympathy for Zoom after they tried to get lobbyists to make the taxpayer protect Zoom's insecure software with new laws, what a crock of shite company they are. Now they can pay the price for that cheat by being sued by the people they scammed with false promises about the value of their software in real life, and now KABOOM (it is all over). Which will win, the civil suit or bankruptcy? It will be close, but I'd bet bankruptcy and golden parachutes, long before the civil suit completes.
Lying != Assuming (Score:4, Insightful)
> and don't assume it's got every security feature you could wish for
The company advertised specific security parameters which the product does not have. That's not assuming, that's called lying. If the company hadn't lied, users could choose the appropriate product for their needs, use it appropriately given its security or lack thereof, and everything would be fine.
I have a $16 "cash box" like you might find at Walmart, a little metal box with a cheap key lock. It's intended to keep people from discreetly slipping a $20 into their pocket.
I also have a UL Class 350 1-hour C-rated fire safe, and a TL-60 rated security safe. The company selling the cash box doesn't advertise it as a fire safe or a TL-60 security safe because it isn't those things. It's a frickin tackle box with a cheap lock. The company would be lying, committing fraud, if they advertised it as a fire safe and claimed it could withstand 350 degrees for 1 hour while protecting the contents. Those claims mean something. I buy a TL-60 to protect my papers from fire.
If Zoom wants to sell a cash box, fine. Just don't lie and say it's a TL-60 sexy safe, because it isn't.
At work my team uses Microsoft Teams for things Teams is good at, WhatsApp for end-to-end encryption, and Cyberark Vault for making passwords available to other team members. Each product has its place. They just need to be honest about what the product *is* so we can put each to its proper use.
Re:Lying != Assuming (Score:5, Informative)
> WhatsApp for end-to-end encryption,
Did you take into account that although Facebook cannot read your messages due to end-to-end encryption, Google can, if you've enabled cloud backups?
Messages are backed up at Google in unencrypted format.
Google (and people who say "pretty, pretty please" to Google) can read them.
And I think that's a security issue that's not widely advertised by WhatsApp/Facebook.
Thanks (Score:2)
Thanks for pointing that out.
Re: (Score:1)
Not really related to Zoom and conferencing in general, but:
I also suspect that WhatsApp transmits the end-to-end encryption keys via... wait for it... WhatsApp's network. So yes, messaging is encrypted end-to-end, but WhatsApp may also have those keys and could read your messages anyway.
As for conferencing, are there any products that claim peer-to-peer end-to-end encryption of the audio/video media? I haven't done much research, but it seems tricky unless the endpoints do all the mixing.
It uses public keys, private key not transmitted (Score:2)
WhatsApp uses the Signal protocol. Decryption keys are never sent. Rather, it uses pairwise Diffie-Hellman. (Actually triple DH).
Your client generates two keys - a public key people can use to encrypt messages they want to send you, and a private key that you can use to decrypt those messages. So your decryption key is never sent using any protocol. The key used to encrypt messages sent to you is public; it's not sensitive data.
The whole protocol is more complex than I'll describe here, but it's known and
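The two points made in this thread, that transport encryption lets the server read traffic while a pairwise Diffie-Hellman exchange between endpoints never puts a decryption key on the wire, can be shown side by side. The following is an added example written for this page, not code from WhatsApp, Signal or Zoom: it uses a toy DH group (p = 2^127 - 1, g = 3) and an HMAC-SHA256 keystream in place of a real cipher, and a plain pairwise DH rather than the full triple DH handshake, so it illustrates the key-flow argument only.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for illustration only (not production parameters).
P = (1 << 127) - 1   # Mersenne prime
G = 3


def dh_keypair():
    """Return (private, public); the private value never leaves the endpoint."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Both sides compute g^(ab) from their own private and the peer's public value."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def xor_stream(key, data):
    """HMAC-SHA256 counter-mode keystream; symmetric, so one call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def transport_encrypted(plaintext):
    """Each hop is keyed to the server, which terminates encryption and sees plaintext."""
    s_priv, s_pub = dh_keypair()
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    ct1 = xor_stream(dh_shared(a_priv, s_pub), plaintext)          # A -> server
    seen_by_server = xor_stream(dh_shared(s_priv, a_pub), ct1)     # server decrypts
    ct2 = xor_stream(dh_shared(s_priv, b_pub), seen_by_server)     # server re-encrypts
    delivered = xor_stream(dh_shared(b_priv, s_pub), ct2)          # server -> B
    return delivered, seen_by_server


def end_to_end(plaintext):
    """Endpoints key to each other; the relay only ever sees public values and ciphertext."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    ct = xor_stream(dh_shared(a_priv, b_pub), plaintext)
    seen_by_server = ct          # relay holds a_pub, b_pub, ct: no private value, no key
    delivered = xor_stream(dh_shared(b_priv, a_pub), ct)
    return delivered, seen_by_server
```

Run both functions on the same message: transport encryption hands the server the plaintext at the hop boundary, while the end-to-end path delivers the same plaintext to the peer yet leaves the server with ciphertext only.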
Re: (Score:2)
Point well made on use cases and full disclosure. A lesser model isn't a bad thing at all so long as it is advertised for what it is. Hopefully the user is smart enough to use the right tool for the right job.
Since it went public stock has doubled (Score:1)
So the plaintiffs are pissed that Zoom stock has doubled since it IPO'd while the S&P is down ~25%.
The USA needs to get to a loser-pays situation with these lawsuits. It's crap that every other week I get a postcard in the mail informing me that I will get $3.52 for being a member in a class action lawsuit whilst the lawyers walk away with millions. Companies pay because it's easier, but it's crap.
Re: (Score:1)
It's crap that every other week I get a postcard in the mail informing me that I will get $3.52 for being a member in a class action lawsuit whilst the lawyers walk away with millions.
That's because lawyers are taking the risk that the lawsuit will win or settle. A law firm might even have to get a loan to float the firm until it pays out. It could go out of business if it doesn't pay out. There is nothing stopping anyone harmed from filing a lawsuit, if they don't mind spending millions of dollars for a chance at the payday years down the line. In that case lawyers will only be paid for work done.
Curiouser (Score:2)
Re: (Score:2)
Since when did it make sense for a shareholder to sue their own company?
If the shareholder believes that the majority of the population are paying attention to cybersecurity news (they're not), then usage of Zoom is about to trend towards 0. At which point the shares will be worthless. But if they can sue and win money, they may make a profit in what otherwise would be a loss scenario.
Re: (Score:2)