Zoom Must Face Some Security And Privacy Claims, Judge Rules

Zoom users can proceed with a lawsuit stemming from allegations of wide-ranging security lapses, a federal judge ruled late Thursday.

The decision, issued by U.S. District Court Judge Lucy Koh in San Jose, comes in a potential class-action lawsuit that includes claims related to “zoombombing,” encryption practices and data-sharing with Facebook and other outside companies.

The users who sued raised a variety of legal theories -- including that the videoconferencing service allegedly broke its contract with users, invaded users' privacy, violated California consumer protection laws, and acted negligently.

Koh's ruling allows the consumers to proceed with some of the claims, including those related to breach of contract. She dismissed other claims, including ones related to invasion of privacy and negligence, but said the users could beef up those allegations and bring them again.

Last spring, as Zoom usage surged due to the COVID-19 pandemic, privacy and security glitches also emerged. Most famously, trolls began “zoombombing” meetings -- breaking into other people's conferences and bombarding them with porn or offensive speech.

In addition, it emerged in March that Zoom's iOS app was sending some data to Facebook. Soon after the issue came to light, Zoom updated its app to stop the data transfers.

The following month, it was reported that Zoom was using “transport” encryption, and not the “end-to-end” encryption it had promised. That allegation was also a main basis of a recent Federal Trade Commission enforcement action and settlement.

The revelations sparked a host of lawsuits, which were later consolidated into a class-action complaint.

The company argued the case should be dismissed at an early stage for several reasons, including that the complaint didn't spell out how any users had been harmed as a result of the alleged security and privacy glitches.

Zoom specifically said none of the plaintiffs alleged their own information had been provided to outside companies.

Koh agreed with Zoom on that point.

“Plaintiffs fail to allege that Zoom actually shared their personal data with third parties,” she wrote, dismissing the claim related to invasion of privacy.

That dismissal was without prejudice, meaning the plaintiffs can expand on their original allegations and bring the claim again within 30 days.

Zoom also argued that Section 230 of the Communications Decency Act shields it from liability for zoombombing by hackers.

That law says companies that offer interactive services aren't responsible for content posted by outside parties.

Koh said in her ruling that Section 230 immunizes Zoom from liability for emotional distress caused by harmful content posted by “zoombombers” -- including child pornography. But she said Section 230 doesn't protect Zoom from claims that it violated contractual security obligations.

“The bulk of plaintiffs’ Zoombombing claims lie against the 'Zoombombers' who shared heinous content, not Zoom itself,” she wrote.

As with the privacy claims, Zoom said the users could attempt to reformulate their allegations and re-file them by April 10.
