The video conferencing platform, Zoom, is facing a hefty fine after telling its users they were utilizing end-to-end (E2E) encryption for their platform’s meetings, when they were not. E2E encryption means the video conference would be encrypted, or inaccessible, unless the user provided an access, or decryption code. Zoom claimed they used E2E encryption, when in reality, they used cryptographic keys on their servers. This means, anyone who had access to the company’s servers would be able to view and listen to the Zoom meetings. This could include employees, third-parties, or even hackers who wormed their way into the company’s servers.
It Gets Worse…
Beyond lying about their security practices, Zoom was also caught selling customer data.
The company was sending user data to Facebook, Google, Bing, Hotjar, and several other platforms without the user’s consent. The data sent to these third-parties was used to create unique user profiles for advertising and behavioral influencing purposes. Zoom reported they have since removed the Facebook and Google software development kits (SDKs), to keep user data secure. They have also claimed to have requested all of the data they shared with these platforms be deleted.
Lastly, the company is holding themselves accountable for the rush of Zoombombings the platform faced over the last twelve months. Initially they were claiming it was the fault of the user, for not utilizing the platform correctly. However, the true cause was the company’s poor security protocols.
In Zoom’s defense, they faced significant growth over the past year, due to the COVID-19 pandemic. With the influx of remote employment and distance learning Zoom quadrupled their usership in a very short amount of time. However, that is merely an excuse. Their inability to scale without security issues should be a concern for many, as well as their poor ethical practices of sharing consumer data without consumer consent.
Zoom Settlement
Anyone who had a Zoom account anytime between March 30, 2016 to June 30, 2021, may be entitled to compensation. For those who had a paid subscription, the entitled amount is to up to, $25. For those who used the free version, it is capped at $15. That seems reasonable, given the company lied about how Zoom meetings were secured and sold customer data without proper consent.
How to Get Paid
The settlement has yet to receive the final stamp of approval, but it is slated to go before the judge on October 21st. Upon approval, Zoom will develop a list of all registrants they believe are entitled to compensation. The company will then reach out via email or USPS with details on how to claim the funds.
This will open the doors to major phishing campaigns. It can be expected, cyber criminals will capitalize on this and begin sending out emails claiming to be Zoom. The phishing emails will likely include malicious links and/or downloads. PC Matic encourages everyone to be very vigilant when it comes to any correspondence from Zoom. Double check the From and Reply To addresses, and never click on a link or download a document unless you are certain it is secure. If you find yourself in question, contact Zoom immediately regarding the legitimacy of the email.