Video conferencing platform Zoom was hit with a class-action complaint alleging it wrongly discloses information about users to Facebook and other outside companies.
Zoom's “wholly inadequate program design and security measures have resulted, and will continue to result, in unauthorized disclosure of its users’ personal information to third parties,” California resident Robert Cullen alleges in a class-action complaint filed Monday in U.S. District Court for the Northern District of California.
The complaint comes several days after the publication Motherboard reported that Zoom's iOS app was sending some data to Facebook.
On Friday, Zoom updated its app to stop the data transfers, and said it was taking steps "to ensure this does not happen again.".
The company -- which has recently seen a surge in popularity due to the COVID-19 pandemic -- said in a blog post it had intended to enable users to login with their Facebook accounts, and only recently learned that Facebook was collecting unnecessary information.
"We were made aware on Wednesday, March 25, 2020, that the Facebook SDK was collecting device information unnecessary for us to provide our services," Zoom wrote. "The information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names, notes, etc., but rather included information about devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space."
But Cullen says the update doesn't remedy the alleged privacy violations.
“Assuming this updated version works as described by Zoom, the harm to plaintiff and the class members has been done and continues,” the lawsuit alleges. “Zoom appears to have taken no action to block any of the prior versions of the Zoom App from operating. Thus, unless users affirmatively update their Zoom App, they likely will continue to unknowingly send unauthorized personal information to Facebook, and perhaps other third parties.”
Cullen claims Zoom violated California's consumer protection laws, including the new Consumer Privacy Act. That measure is largely known for privacy provisions that allow consumers to learn what personal information about them is held by businesses, request deletion of that information, and to opt out of its sale.
But the law, which went into effect on January 1, also includes data security provisions, including ones that authorize private lawsuits over data breaches caused by lax security.
The complaint alleges that Zoom failed to use reasonable security to prevent data disclosures. The company “knew or should have known that the Zoom App security practices were inadequate to safeguard the class members’ personal information and that the risk of unauthorized disclosure to at least Facebook was highly likely,” the lawsuit alleges.
Separately from the lawsuit, New York state is also investigating Zooom, according to The New York Times. On Monday, New York’s attorney general sent Zoom a letter asking about security, the Times reports.