
Zoom sued for overstating, not disclosing privacy, security flaws - laurex
https://uk.reuters.com/article/us-zoom-video-commn-privacy-lawsuit/zoom-sued-for-overstating-not-disclosing-privacy-security-flaws-idUKKBN21Q10V
======
jy2947
Don't know what is going on at Zoom, but I suspected at least part of it was
sneaky. For example, about 3 or 4 weeks ago I heard about this company, and
learned that it has R&D in China per its SEC filing at IPO. However, when I
checked its website, the career section led me to
[https://jobs.lever.co/zoom](https://jobs.lever.co/zoom), and there was ONLY
one opening in China per the website (I remember it was a position in the
marketing department). Then I searched the company in Chinese media, and saw
that they were hiring all types of engineers. That made me feel uncomfortable
about buying its stock. Interestingly, now you look at the same career website,
and China has been removed from the city dropdown list - maybe they are cutting
off or "decoupling" the Chinese R&D?

~~~
yibg
Why is having engineers in China cause for suspicion? Lots of tech companies
have engineers in China, e.g. Microsoft.

~~~
TechBro8615
Because the CCP has no qualms about threatening an employee’s family to insert
a backdoor or exfiltrate information, for one.

The decoupling has begun. Sentiment in the US toward China has never been as
negative as it is now, from both sides of the aisle. I wouldn’t be surprised
if we even see sanctions against China after the dust settles on this COVID
fiasco.

~~~
theshadowknows
Let’s get real here. The United States government is most certainly capable of
doing everything we accuse China of doing and worse.

~~~
jjeaff
The US is no white knight. But it is not doing anything close to what the CCP
does on a regular basis. When was the last time a Trump protestor or Obama
protestor disappeared and was never heard from again? Or disappeared and showed
up again months later, 30 lbs lighter and apologetic about how wrong they were
about the government?

~~~
grugagag
In this sense yes, absolutely. China is known for doing grotesque humanitarian
violations.

In another sense, such as starting a war to deflect from problems at home,
there's one champ and that is our democratic country.

Either one doesn't mean the other is doing something legitimate and is
warranted shielding from criticism.

~~~
garmaine
The US does not start wars to distract from problems at home. That’s
conspiracy horse manure. Whether you want to believe it or not, every
president that has ever started a conflict or US involvement in an existing
conflict has felt the action justified on foreign policy reasons.

Those reasons might be something you object to, or even downright stupid in
hindsight. But only in Hollywood is it ever a smoke screen for domestic
issues.

~~~
HenryBemis
USA, Russia, Turkey, China do exactly that throughout history. It is also an
indicator of a failed/non-functioning democracy; this is what surprises me
about the USA (it IS a functioning democracy). I understand Russia and Turkey
(been to both countries) are democracy-challenged and instead of solving their
internal problems they create new external ones to divert the attention and seek
"greatness" (one of the things that Trump* also proclaims).

Humanity needs to be great together.

Together we stand, divided we fall (said the poet).

*I don't vote in the USA so I don't care who they/you elect. If it were Clinton or Bush (Sr/Jr) or Obama saying "screw the world, we should care only about ourselves" I would be equally judgemental (you should hear me discuss politics with Russians (they can't see why their dictator is bad for them)) (and now I will get downvoted by both Americans AND Russians :)

~~~
garmaine
Please point to an example of the USA engaging in a war as a distraction from
domestic issues.

------
crazygringo
I don't think this is likely to succeed -- Zoom can argue that the stock price
has gone down because of "Zoombombing" and security/privacy concerns that have
nothing to do with exact details of what was disclosed in privacy/security
documents, which barely anyone reads anyways.

Also, it's awfully hard to argue losing shareholder value when the stock has
still more than doubled in the end -- Zoom can easily make the plausible-
enough case that it made the right tradeoffs in the end for shareholder value
that allowed it to scale. (I'm not saying that's true, just that it's
plausible.)

Could it be fined by the SEC for misstating key details in their public
filing? Maybe, although these are tiny details. But a class-action suit by
shareholders? This feels like a stunt to me. Also, since a suit by
shareholders could depress the stock price further, this feels like a short-
seller trying to profit, no?

~~~
JumpCrisscross
> _Zoom can argue that the stock price has gone down because..._

Two general steps to a securities suit.

First, show the company defrauded investors. That can be as simple as omitting
or mis-stating material information. (Zoom publicly claimed to use certain
encryption standards that it didn't.) So the battle, here, will be around
materiality. Critically, this step does _not_ typically require proving
damages.

Once materiality is met, the second step is showing damages. At this point,
the change in (and attribution of) stock prices comes into play.

Once fraud is shown, the company is in a bad place. Even if a particular
investor faced no discernible loss, everyone who bought at higher prices will
now sue. It also invites state and federal investigators to start pursuing
management and senior staff.

> _this feels like a short-seller trying to profit, no?_

No. You have to disclose your positions when entering into a shareholder
lawsuit. Shareholder lawsuits are comically common. And there is limited
precedent for short sellers doing this.

_Disclaimer: I am not a lawyer. This is not legal advice. Don't buy or sell
securities based on my internet comments._

------
pastullo
Am I the only one struggling to use Zoom properly since they introduced the
latest security changes? The Slack integration (write /zoom to start a
meeting) was working ok-ish even though we always had problems with the meeting
not starting unless the host of the meeting was logged in (gosh... why so
complicated?)

Now they added this waiting room, and there is no sound notification to let you
know that people are waiting. Doing daily standup became a suffering. It's
crazy how quickly they lost us as users with literally two badly implemented
features.

Happy to hear if any of you also had the same struggle and if there is a good
alternative.

~~~
novok
I would think that meetings being company users only by default could side
step a lot of these clunky security measures. You would only need them for
external meetings. No zoom bombing or war dialing issues with that default
permission set.

~~~
jedberg
The issue is that everyone with a gmail address is in the same "company",
because they use your domain to determine what company you're in.

------
judge2020
Note that the lawsuit is a class action for shareholders of Zoom stock.

Filing:
[https://i.judge.sh/natural/Babs/1-main.pdf](https://i.judge.sh/natural/Babs/1-main.pdf)

~~~
ship_it
Interesting that shareholders are the ones to file a lawsuit.

~~~
elliekelly
In the US lying to users is merely frowned upon while lying to investors is
illegal.

~~~
gpm
False advertising of services (amongst other things) is illegal in the US.

[https://www.law.cornell.edu/uscode/text/15/52#b](https://www.law.cornell.edu/uscode/text/15/52#b)

~~~
elliekelly
Yes, just this week the FTC brought a tech company to justice for false and
misleading promises to users about information security:

> “We allege that Tapplock promised that its Internet-connected locks were
> secure, but in fact the company failed to even test if that claim was true,”
> said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.
> “Tech companies should remember the basics—when you promise security, you
> need to deliver security.”[1]

Armed with clear and indisputable evidence of Tapplock's blatant lies, the
bulldog enforcement lawyers at the FTC took the opportunity to make an example
out of the company. After 18 months of hard-fought negotiations the FTC
announced a settlement agreement[2] whereby the Commission agreed to resolve
the matter in exchange for Tapplock's pinky promise to not get caught doing
that again. Per the arduous terms of the settlement, Tapplock neither admits
nor denies any of the FTC's allegations.

So when a company promises their users security that company better deliver
security. Or else... absolutely fuckall will happen.

[1] [https://www.ftc.gov/news-events/press-releases/2020/04/canad...](https://www.ftc.gov/news-events/press-releases/2020/04/canadian-maker-smart-locks-settles-ftc-allegations-it-deceived)

[2] [https://www.ftc.gov/system/files/documents/cases/192_3011_ta...](https://www.ftc.gov/system/files/documents/cases/192_3011_tapplock_agreement_containing_consent_order.pdf)

------
A4ET8a8uTh0
Good. There needs to be a serious crackdown on 'puffery' aka lying (whether
lying about product features or anything else is irrelevant). Fingers crossed
it will go beyond a $2 credit on future Zoom services for affected users.

~~~
ballenf
I'm betting the payout will be a custom emoji for affected users. Maybe a
tinfoil hat. And the court will be ok with that so long as the lawyers get
paid in hard currency.

~~~
pirocks
Iirc this is a lawsuit by shareholders so I imagine users will get nothing.

------
tmpynews
Will be interesting if Zoom is compelled to disclose their security
architecture. On the same page can they be forced, in court, to make a
statement on the interference by the Chinese government?

~~~
dontbenebby
Is having keys compelled a surprise?

Chinese servers, operating in China legally, will usually have this issue.

It's serious yes, but I'm confused if it only applied to users in China?

I'm more concerned about the technical issues TBH - I assume most software
sanctioned in China had to turn over keys.

~~~
fnord123
Seeing as encryption is illegal in China, I don't think they will need to give
up any keys.

~~~
gruez
> Seeing as encryption is illegal in China

Source for this? That would make any https site in China illegal.

~~~
kube-system
Not an expert, but I searched and found this link which seems to explain it
well:

[https://www.freshfields.com/en-us/our-thinking/campaigns/dig...](https://www.freshfields.com/en-us/our-thinking/campaigns/digital/data/china-rules-on-encryption/)

tl;dr: encryption is not completely illegal, but it sounds like it's pretty
tightly controlled.

~~~
dontbenebby
I didn't think they'd be foolish enough to completely ban it.

They're not comically evil, they just have certain incentives.

Key escrow meets those goals.

------
pjc50
It's a bit odd how everyone's attacking Zoom when none of the other common
solutions have proper e2e encryption either.

~~~
cblades
Do the other common solutions _claim_ to have e2e encryption?

~~~
Wowfunhappy
Yeah. The problem here is that Zoom lied about it.

And, like, _why_? Sure, if no one ever caught them, e2e could be a reason to
choose Zoom—but it's like lying on a resumé. Which, I guess is also a thing
that happens sometimes, but it's generally understood to be a bad idea.

~~~
UncleMeat
Because it was clearly botched marketing material rather than a coordinated
plan. Hypothetical: somebody asked an engineer what kind of encryption Zoom
used, the engineer responded somewhat vaguely and the marketing person heard
"we encrypt between endpoints" as "end to end encryption" and then nobody
noticed when reviewing the text.

~~~
m4r35n357
Yeah right, oops

~~~
UncleMeat
Yes it definitely is an "oops". I'm not excusing it, but offering an
alternative explanation to the "zoom is evil" thinking.

If Zoom was truly trying to market themselves as e2e, why is this only buried
in one document rather than shouted from the hills?

~~~
smoothgrammer
They claim HIPAA compliance due to e2e encryption. That is far from an oops.

They updated their documents since, but last week they had documentation up
that said they were HIPAA compliant due to end to end encryption.

~~~
thr0w__4w4y
Ooops. That sounds like it's going to hurt. If not, it sends the message "Hey,
say you're HIPAA compliant, but it doesn't matter if you're not (wink wink)"

I develop electronics and firmware for medical devices, I have (almost)
nothing to do with regulations compliance (except to the extent that I'm
working on something where there is an intersection, like storage of patient
data). But anyway, not a day goes by that I don't hear someone ask, "Is that
HIPAA compliant?"

So yeah. Companies that have used Zoom based on that claim are probably going
to extract some blood out of Zoom.

------
nkohari
This nonsense happens all the time with public companies. All it takes is a
law firm with the gumption to file a suit claiming that the company
misrepresented something material which resulted in a significant change to
share prices.

------
whoisjohnkid
Not surprising. Crazy how Zoom in the beginning of the crisis was hailed for
helping folks get together, but now with all the highlighted security concerns
they are receiving a ton of backlash. Hopefully they can recover and learn from
this.

~~~
runawaybottle
I’m more shocked that this massive tech industry has like one decent solution
to remote video conferencing. Maybe we really have gone too far down the road
of making bullshit apps, and stopped solving real problems.

Shame on us.

~~~
kevin_thibedeau
Shame on the telcos who prevent residential customers from using the internet
as intended. If everyone was given an IPv6 address block and freedom to accept
outside connections from anywhere, none of this would be an issue.

~~~
meowface
> freedom to accept outside connections from anywhere

Without NAT from home gateways (like consumer routers) preventing inbound
connections from the internet, security would be far more of a nightmare than
it is today. Requiring that people manually forward specific ports is the best
way to handle it. We would be seeing news about Blaster-like worms pretty much
every week of the past 20 years, otherwise.

Also, even if it were a good idea, this still wouldn't solve the problem at
all. The NAT-traversing capability of Zoom and other products is like 0.01% of
the value they provide. You still need good software.

------
sandov
Does it count as lying when it's ridiculously obvious that you're lying?

~~~
smolder
Yes, and it's not so obvious to almost everyone.

------
SubiculumCode
I am beginning to get concerned also. The University of California has
contracts with Zoom, and so many of us have moved over to using Zoom for all
our research lab meetings, especially since the pandemic. We all know that
China has pushed research espionage, with several convictions that I know
about. The possibility of intimate ties with China raises the specter that
Zoom is pushing video, or transcripts of that video through China, and hence
through Chinese spy agencies, which would be really concerning.

Note: I love the Chinese people, and my Chinese colleagues. I do NOT like the
oppressive, and frankly, evil and callous crimes committed by the Chinese
government. Downvote or upvote the comment as you will; it won't change their
crimes or my opinion.

------
apotatopot
And I've heard nothing about TikTok [https://www.vox.com/open-sourced/2019/12/16/21013048/tiktok-...](https://www.vox.com/open-sourced/2019/12/16/21013048/tiktok-china-national-security-investigation)

------
philshem
I guess investors who bought the wrong Zoom stock can’t get in on the class
action? ;)

[https://time.com/5792310/zoom-zm-stocks-coronavirus/](https://time.com/5792310/zoom-zm-stocks-coronavirus/)

------
upofadown
Looking back, there isn't actually any evidence that Zoom is not, as they put
it, "encrypted from end point to end point". But it is clear that Zoom itself
is kind of confused about the whole thing. I don't think that Zoom is all that
good with technical stuff...

To have any assurance that a video conferencing system is actually secure e2e
you would have to have access to the verified source code of the client
programs and verify the identity of each and every participant. That is likely
impractical so I think it is safe to say that you should not use _any_ video
conference system provided by others to discuss secret things. If you
absolutely must do so then you can set up a server under your physical control
and then would not have to bother with e2ee at all.

~~~
stingraycharles
Security audits are done all the time, for which access to the source is
given. In Zoom's case, going through an audit from a reputable firm may just
be the answer to getting the public's confidence back.

And of course it’s fairly extreme to claim you should not use any video
conference system for any sensitive discussions; security is not black and
white, and each situation deserves an appropriate level of security; it needs
to be balanced with convenience. There are a lot of situations where I would
prefer “mostly” secure communication, rather than no communication at all.

~~~
upofadown
> There are a lot of situations where I would prefer “mostly” secure
> communication, rather than no communication at all.

We are not talking about "mostly" here for the video conference case. We are
talking about a situation where most providers have access to the data of
their users without very much work. If you are actually willing to confirm the
identity of your correspondent using verified binaries you can get end to end
protected communications ... if someone claims that they have something easier
then they are lying. You can't beat the law of logic. The fact that anyone is
even suggesting that Zoom could have been e2ee in any way that mattered is kind
of depressing. I think we have some education to do.

Security audits are pointless unless you can confirm that the software that
was audited is the software actually running on your device.

------
unlinked_dll
How many of Zoom's recent issues can be explained by just bad engineering?

Because my personal gripes with Zoom are mostly about its quality as a
software product, which I find to be abysmal for my use cases.

~~~
arbitrage
From a purely functional standpoint, that is -- does this software do what I
need it to do?, I have had absolutely no problems with zoom.

What issues have come up for you?

~~~
unlinked_dll
I don't really want to go through the laundry list of issues I have because
none are critical; it's just that the software is very rough around the edges on Linux.
It just feels less than fleshed out, and I've had a million little problems
and bugs that I've reported and never heard anything back about (as a paying user!).

~~~
jedberg
> on Linux

I think I found your problem. While Linux is big here on HN, all Linux users
probably represent .001% of their paying customers.

In other words, it makes no business sense for them to do anything to retain
you.

------
seeTheAstroturf
Can Apple be sued for the same? I'm reminded of their advertising against
Windows for security, but their products have had a myriad of security flaws
over the years.

------
fock
My employer currently signs up for Zoom, apparently managed via our SSO
solution. So far so good.

Right now, I got an email from Zoom, not showing any relation to my employer
or mentioning its name: "congratulations for signup, use your account now".
Ok. Password reset yields a usable basic account. Seems like somehow Zoom
created a personal account for me with my work email. As I didn't get the
activation email I got on my private spam account, I assume somehow they
got/requested all the employees' email addresses and automatically created
private accounts, not related to the actual business account.

What the actual f__* is that?!? And yeah, I think conceptually this is the
same behavior as shown by the ad/malware/spam campaigns ca. 2003. I wonder
what would have happened if I had just typed a password when signing in with my
account... Maybe they just grab the passwords of the illiterate users and
check them by trying to log in with the university website? (that's sooo
user-friendly!)

~~~
jamiequint
I set up Zoom for our company and nothing like this happened. It seems much
more likely (than your wild conspiracy theory) that your company added a
"basic", rather than "licensed" account for you and you got an email as a
result.

~~~
fock
No, I don't know what kind of mess they made; the official login is via SSO (and
works with <companyname>.zoom.us). To my understanding the account is
typically created on login there (otherwise we would sync our whole list of
employees with 100s of services...). And even if it was just a random
invitation sent to an email they bought somewhere, it doesn't really explain
how I could reset the password for my email then (without ever activating an
account)?!

It might be a mess-up from someone but it's definitely strange and I just
didn't sign up there, yet got spam and had a working basic account...

~~~
jamiequint
> otherwise we would sync our whole list of employees with 100s of services

Could also have been created with SCIM and you're in a particular SCIM group
that other folks are not in.

~~~
fock
Ok, that's interesting. And this is a really creepy thing from a privacy
standpoint...

~~~
jamiequint
Not really, it's not your privacy if it's your work account/email.

------
encoderer
Blows my mind that a shareholder might have a cause of action for this.

1) Buy volatile stock with recent IPO

2) Sue them for their volatility

3) ?????

~~~
tlbsofware
> Zoom documentation claims that the app uses “AES-256” encryption for
> meetings where possible. However, we find that in each Zoom meeting, a
> single AES-128 key is used in ECB mode by all participants to encrypt and
> decrypt audio and video. The use of ECB mode is not recommended because
> patterns present in the plaintext are preserved during encryption.

[https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...](https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/)
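An added illustration of the Citizen Lab finding quoted above (this is example code written for this thread, not code from the original post or from Zoom): AES-128 in ECB mode encrypts every 16-byte block independently, so a frame with repeated content produces repeated ciphertext blocks, whereas a mode with a per-message nonce such as CTR does not. The zero key and the "frame" are constructed for the demo only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt applies the raw AES block function to each 16-byte block on its
// own: no IV, no chaining. This is the ECB mode Citizen Lab describes, and it
// is why equal plaintext blocks always yield equal ciphertext blocks.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		panic("ecbEncrypt: plaintext must be a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// ctrEncrypt uses AES in counter mode with a fresh random nonce, so the same
// plaintext block at two positions is XORed with different keystream blocks.
func ctrEncrypt(block cipher.Block, plaintext []byte) (nonce, ct []byte) {
	nonce = make([]byte, block.BlockSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	ct = make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(ct, plaintext)
	return nonce, ct
}

// countRepeatedBlocks returns how many blocks of size bs are exact duplicates
// of an earlier block. On ECB output of structured data (images, video
// frames) this count is high; that leakage is the pattern-preservation problem.
func countRepeatedBlocks(data []byte, bs int) int {
	seen := map[string]bool{}
	repeats := 0
	for i := 0; i+bs <= len(data); i += bs {
		k := string(data[i : i+bs])
		if seen[k] {
			repeats++
		}
		seen[k] = true
	}
	return repeats
}

func main() {
	key := make([]byte, 16) // constructed all-zero AES-128 key, demo only
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed "video frame": one 16-byte block repeated 8 times, standing
	// in for a region of identical pixels.
	frame := bytes.Repeat([]byte("0123456789abcdef"), 8)
	ecb := ecbEncrypt(block, frame)
	_, ctr := ctrEncrypt(block, frame)
	fmt.Println("ECB repeated ciphertext blocks:", countRepeatedBlocks(ecb, 16)) // 7
	fmt.Println("CTR repeated ciphertext blocks:", countRepeatedBlocks(ctr, 16)) // 0
}
```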

~~~
toomuchtodo
You know, I had never considered being a shareholder and using said standing
to sue a company into security best practices when they lie about it,
considering regulation has failed to create the appropriate incentives.

~~~
tlbsofware
Neither have I, but I figured I'd link this since it is more than likely why
they are suing.

------
cft
This culture of biting the feeding hand has to stop somewhere.

~~~
xenonite
Well no, the shareholder is the feeding hand, giving money.

Actually, Zoom is accused of misbehaving and biting the feeding hand. And yes,
this shouldn't have happened.

