zoom logo with spy cam

Why you should care about Zoom’s $85m privacy lawsuit

Share this page

Zoom has agreed to pay an $85 million settlement(new window) after falsely claiming calls were protected with end-to-end encryption and for handing over people’s data to Facebook and Google without their consent. This is the latest development in a list of privacy and security issues faced by the video platform that we first wrote about back in March 2020(new window).

Why Zoom has agreed to an $85 million settlement

In March 2020, The Intercept reported(new window) that Zoom had lied about the encryption used for their video calls. In short, the video communication service claimed that it used end-to-end encryption when it did not. Around the same time, Vice reported(new window) that Zoom was also sharing user data with companies, including Facebook and Google, without consent. (Zoom has since fixed(new window) these data-sharing practices.)

Zoom also had some major security issues, including default settings that allowed online trolls to take over public calls in an act known as “Zoombombing”, and vulnerabilities that allowed hackers to access people’s webcams(new window). For more information on Zoom’s privacy and security issues, you can read our full breakdown(new window).

The Federal Trade Commission filed a complaint against Zoom(new window) in November 2020 after The Intercept exposed these holes in Zoom’s service. As a result, Zoom agreed to security improvements and a “prohibition on privacy and security misrepresentations”. Now, on 7 July 2021, Zoom has also agreed to pay an $85 million settlement, including compensation for those who were affected by these security shortcomings. People who are entitled to compensation will receive between just $15 and $25 each if the settlement is approved in court. 

The maximum compensation of $25 doesn’t reflect the extent to which Zoom misled the people who used its services, nor the gravity of the potential consequences of doing so. Is this proposed settlement enough to make tech companies start taking user privacy and security seriously? And what can we do to better protect our data?

Why Zoom’s security measures matter

During the coronavirus pandemic, usage of the video service rocketed, with people increasingly using Zoom for socializing, work, and even healthcare provision.

People who used Zoom believed that no one could access the content of their video conversations except for the people on the call. This isn’t just a breach of users’ trust — in the case of online medical appointments in particular, it may have led practitioners (therapists, for example(new window)) and their patients to believe that their sessions were HIPAA compliant when they weren’t. At the extreme end of the spectrum, law enforcement in surveillance-heavy countries could have coerced Zoom to hand over data about its users (for example, information about political activists or journalists) when those users believed it was impossible for Zoom to do so.

What is end-to-end encryption?

With true end-to-end encryption, no one can access your encrypted data except for you and the intended recipient. This means that your data is protected from being seen by the service provider (Zoom in this instance) or anyone with access to their servers.

Learn more about end-to-end encryption(new window)

What did Zoom tell its users?

Zoom told its users that their video calls were end-to-end encrypted when actually they were protected by TLS encryption. Zoom generated and stored the keys to its users’ encrypted information on its servers rather than on its users’ devices, meaning anyone with access to those servers could monitor the unencrypted video and audio content of Zoom meetings. These servers are located around the world, often in countries where companies can be forced to share user data with law enforcement organizations.

What’s worse is that, according to the most recent lawsuit(new window), Zoom’s response made it clear that it “knew that it did not use the industry-accepted definition of E2E encryption and had made a conscious decision to use the term ‘end-to-end’ anyway”.

Read more about why end-to-end encryption matters.(new window)

What can you do about it?

In this case, there’s not a lot users could have done to better protect their data from easy accessibility, as they were given false information and led to believe their data was end-to-end encrypted. Fortunately, no instances of further data misuse or unauthorized access were reported.

You can request that Zoom delete any and all information they hold on you. Information on your data rights and how to get in contact with Zoom to request they erase your data can be found in their privacy policy(new window). Once you have made the request, follow up to ensure you get confirmation that your data has been removed from their servers.

Another way to protect your data is to never sign in using Facebook. Although it may save you time, it gives Zoom a lot more of your personal data, as well as giving more data to Facebook.

Who can you trust?

The issue is that people were led to believe their data was end-to-end encrypted and weren’t asked for consent before having their data shared with third parties. People who were trying to be careful with their privacy and data could have been misled into sharing more than they would have consented to if they had had all the information.

The Zoom lawsuits have shown that it’s easy for a company to mislead its users about the security precautions they take with their data. The reason privacy-conscious companies, like Proton, are open source and independently audited is so that you do not need to trust us blindly. Anyone can view our code to ensure that it does exactly what we say it does. We also publish the results of our independent audits so you can be sure that our apps have been verified by someone outside of the Proton organization.

Proton Mail is a truly end-to-end encrypted email service. When you send an encrypted email with Proton Mail, no one can see the content of that email except you and your intended recipient. You can sign up for a free email account here(new window).

Feel free to share your feedback and questions with us via our official social media channels on Twitter(new window) and Reddit(new window).

Protect your privacy with Proton
Create a free account

Share this page

Lisa Whelan

Lisa is an activist, writer, and internet privacy advocate. A defender of the right to privacy for people everywhere, Lisa joined Proton to spread awareness and further enable freedom online.

Related articles

Last week, the Spanish Presidency of the European Council delayed a vote regarding the Council’s position on the controversial Child Sexual Abuse Regulation (CSAR) due to a lack of consensus over the issue of encryption, among others. This proposed r
At Proton, we’re always working on new and innovative ways to protect the privacy and data of the Proton community. Sometimes that means developing entirely new services, like our Proton Sentinel program, which combines AI and human security analysts
How to unsend an email in Gmail, Outlook, Proton Mail, and Apple Mail
“Undo Send” gives you a chance to stop an erroneous message you’ve just sent. We’ve all done it. You hit Send on an email only to spot you’ve misspelled someone’s name, forgotten an attachment, or accidentally sent a cringing joke to half your conta
Google has already taken privacy washing to the extreme by trying to brand itself as “privacy focused”, even though its business model is based on surveillance.  Lately, the company’s marketing strategy has turned toward outright Orwellian doublespe
Last week, the UK government made a statement in the House of Lords acknowledging that portions of the controversial Online Safety Bill might not even be technically enforceable without breaking end-to-end encryption. This rightly received a lot of a
What is email spoofing?
Email spoofing is a technique attackers use to make a message appear to be from a legitimate sender — a common trick in phishing and spam emails. Learn how spoofing works, how to identify spoofed messages, and how to protect yourself from spoofing a