In the lawsuit filed Tuesday in the US District Court for the Northern District of California, plaintiff Michael Drieu -- on behalf of individuals who purchased Zoom securities after the company went public last year -- accuses the company of making “materially false and misleading statements” about its product and failing to disclose key information about the service.
The suit cites Zoom as claiming that its product supported end-to-end encryption, when in fact it supports a different form of encryption called transport encryption that still allows Zoom to access data.
The suit claims that Zoom’s security failures put users “at an increased risk of having their personal information accessed by unauthorised parties, including Facebook”.
The suit states that these facts would necessarily result in a decline in users, and that the company’s responses to ongoing reporting on myriad problems on the service were “misleading at all relevant times”.
The fallout from these incidents was exacerbated by the COVID-19 crisis, during which time users of the service jumped from just 10 million to 200 million in a matter of months as schools and organisations turned to Zoom amid social distancing measures and shelter-in-place orders.
The suit cites documentation related to Zoom’s IPO as evidence that the company misrepresented the security protocols in place for protecting users.
Zoom said it offered “robust security capabilities, including end-to-end encryption, secure login, administrative controls and role-based access controls”, and -- in what was an embarrassing claim by the company -- that it strives “to live up to the trust our customers place in us by delivering a communications solution that ‘just works’”. Apparently it didn’t.