Why you should care about Zoom’s $85m privacy lawsuit

Share this page

Zoom has agreed to pay an $85 million settlement after falsely claiming calls were protected with end-to-end encryption and for handing over people’s data to Facebook and Google without their consent. This is the latest development in a list of privacy and security issues faced by the video platform that we first wrote about back in March 2020.

Why Zoom has agreed to an $85 million settlement

In March 2020, The Intercept reported that Zoom had lied about the encryption used for their video calls. In short, the video communication service claimed that it used end-to-end encryption when it did not. Around the same time, Vice reported that Zoom was also sharing user data with companies, including Facebook and Google, without consent. (Zoom has since fixed these data-sharing practices.)

Zoom also had some major security issues, including default settings that allowed online trolls to take over public calls in an act known as “Zoombombing”, and vulnerabilities that allowed hackers to access people’s webcams. For more information on Zoom’s privacy and security issues, you can read our full breakdown.

The Federal Trade Commission filed a complaint against Zoom in November 2020 after The Intercept exposed these holes in Zoom’s service. As a result, Zoom agreed to security improvements and a “prohibition on privacy and security misrepresentations”. Now, on 7 July 2021, Zoom has also agreed to pay an $85 million settlement, including compensation for those who were affected by these security shortcomings. People who are entitled to compensation will receive between just $15 and $25 each if the settlement is approved in court. 

The maximum compensation of $25 doesn’t reflect the extent to which Zoom misled the people who used its services, nor the gravity of the potential consequences of doing so. Is this proposed settlement enough to make tech companies start taking user privacy and security seriously? And what can we do to better protect our data?

Why Zoom’s security measures matter

During the coronavirus pandemic, usage of the video service rocketed, with people increasingly using Zoom for socializing, work, and even healthcare provision.

People who used Zoom believed that no one could access the content of their video conversations except for the people on the call. This isn’t just a breach of users’ trust — in the case of online medical appointments in particular, it may have led practitioners (therapists, for example) and their patients to believe that their sessions were HIPAA compliant when they weren’t. At the extreme end of the spectrum, law enforcement in surveillance-heavy countries could have coerced Zoom to hand over data about its users (for example, information about political activists or journalists) when those users believed it was impossible for Zoom to do so.

What is end-to-end encryption?

With true end-to-end encryption, no one can access your encrypted data except for you and the intended recipient. This means that your data is protected from being seen by the service provider (Zoom in this instance) or anyone with access to their servers.

Learn more about end-to-end encryption

What did Zoom tell its users?

Zoom told its users that their video calls were end-to-end encrypted when actually they were protected by TLS encryption. Zoom generated and stored the keys to its users’ encrypted information on its servers rather than on its users’ devices, meaning anyone with access to those servers could monitor the unencrypted video and audio content of Zoom meetings. These servers are located around the world, often in countries where companies can be forced to share user data with law enforcement organizations.

What’s worse is that, according to the most recent lawsuit, Zoom’s response made it clear that it “knew that it did not use the industry-accepted definition of E2E encryption and had made a conscious decision to use the term ‘end-to-end’ anyway”.

Read more about why end-to-end encryption matters.

What can you do about it?

In this case, there’s not a lot users could have done to better protect their data from easy accessibility, as they were given false information and led to believe their data was end-to-end encrypted. Fortunately, no instances of further data misuse or unauthorized access were reported.

You can request that Zoom delete any and all information they hold on you. Information on your data rights and how to get in contact with Zoom to request they erase your data can be found in their privacy policy. Once you have made the request, follow up to ensure you get confirmation that your data has been removed from their servers.

Another way to protect your data is to never sign in using Facebook. Although it may save you time, it gives Zoom a lot more of your personal data, as well as giving more data to Facebook.

Who can you trust?

The issue is that people were led to believe their data was end-to-end encrypted and weren’t asked for consent before having their data shared with third parties. People who were trying to be careful with their privacy and data could have been misled into sharing more than they would have consented to if they had had all the information.

The Zoom lawsuits have shown that it’s easy for a company to mislead its users about the security precautions they take with their data. The reason privacy-conscious companies, like Proton, are open source and independently audited is so that you do not need to trust us blindly. Anyone can view our code to ensure that it does exactly what we say it does. We also publish the results of our independent audits so you can be sure that our apps have been verified by someone outside of the Proton organization.

Proton Mail is a truly end-to-end encrypted email service. When you send an encrypted email with Proton Mail, no one can see the content of that email except you and your intended recipient. You can sign up for a free email account here.

Feel free to share your feedback and questions with us via our official social media channels on Twitter and Reddit.

Join the Proton ecosystem
Create a free account

Share this page

Related articles

Over 300 billion emails are sent and received daily around the world, making it one of the most popular forms of communication. However, most modern email providers, such as Gmail or Outlook, do not adequately protect your emails.  Gmail stopped rea
Your calendar is more than just a planning tool — it’s a record of your life. It lists what you’ve done, where you’ve been, and who you’ve met. This information deserves the same level of protection as your email and files, which is why we created Pr
Everyone has files that need to be encrypted. From intimate personal details to legal and financial documents, your files contain information that should be private and secure. But many internet services we all use every day are not private. Compani
For years, Apple watched Google and Meta make billions by collecting every scrap of people’s data to target them with ads. Now it appears it was just taking notes. Apple’s advertising operation follows the surveillance capitalism model of its rivals
When we launched Proton Drive two months ago, we wanted to create a truly private and secure cloud storage service. An encrypted cloud that allows anyone on the internet to safely store, access, and share their files without worrying about unauthoriz
From our initial crowdfunding campaign to the recent launch of our encrypted cloud storage service Proton Drive, Proton has always been supported by the community. Your feedback tells us what new features to develop and which we should improve.  For