Video-conferencing service Zoom has agreed to pay $85 million to settle a class-action lawsuit accusing the company of wide-ranging security and privacy lapses -- including claims that it violated promises regarding encryption, failed to guard against “zoombombing,” and shared data with Facebook and other outside companies.
The settlement calls for Zoom's paid subscribers to receive up to $25 each, and for users of the free service to receive up to $15 each. The deal also allows the attorneys who brought the case to request up to $21.25 million in fees, and provides that any remaining settlement funds would go to the nonprofits Electronic Frontier Foundation and Electronic Privacy Information Center.
If the deal is approved by U.S. District Court Judge Lucy Koh in San Jose, California, it would resolve litigation dating to last spring, when Zoom experienced a surge in popularity due to the COVID-19 pandemic.
As usage of the service soared, privacy and security glitches also emerged.
Most famously, trolls began “zoombombing” meetings -- breaking into other people's conferences and bombarding them with porn or offensive speech.
In addition, it came to light in March of 2020 that Zoom's iOS app was sending some data to Facebook. Soon after the issue drew attention, Zoom updated its app to stop the data transfers.
The following month, it was reported that Zoom was using “transport” encryption, and not the “end-to-end” encryption it had promised.
Unlike end-to-end encryption, transport encryption allows Zoom to access audio and video content. That allegation was also a main basis of a recent Federal Trade Commission enforcement action and settlement.
News about the alleged privacy and security glitches sparked numerous lawsuits, which were eventually consolidated into a class-action complaint.
Zoom suffered a partial defeat in that case earlier this year, when Koh rejected the company's request to dismiss the matter.
Instead, she said the users could proceed with some claims, including allegations that Zoom violated its promises to users. She dismissed other claims -- including ones related to invasion of privacy -- but said the users could beef up those allegations and bring them again.
In her ruling, she specifically said Section 230 of the Communications Decency Act protects Zoom from liability for emotional distress caused by “zoombombers'” content -- including child pornography. But she said Section 230 doesn't protect Zoom from claims that it violated contractual security obligations by failing to guard against zoombombing.
Zoom previously stated it addressed the issues flagged by the FTC, and has improved its security and privacy.