Back in May 2020—after the initial shock of the pandemic had waned—San Francisco’s Saint Paulus Lutheran Church turned to Zoom Communications’ video conferencing technology to connect and create community while sheltering in place.
But in the middle of a May 6 bible study class, a so-called “Zoom bomber” hopped into the call and took control of the platform, subjecting Saint Paulus administrators and a number of senior citizens to repellent pornographic videos, including those showing abuse of infants and children.
Saint Paulus eventually became one of a dozen named plaintiffs in a class-action suit in Northern California District Court challenging San Jose-based Zoom’s data privacy and security policies.
On April 21, Magistrate Judge Laurel Beeler approved a final settlement between the company and the litigants, which included an $85 million payment to Zoom users and a number of required changes to the platform.
These include a ticketing system to track Zoom bombing reports, a clear process for how the company works with law enforcement after an incident, a more thorough disclosure on the company’s privacy statement, and the introduction of protective measures like attendee waiting rooms and a suspended meeting button.
Among the claims made in the lawsuit were that Zoom improperly shared user data through third parties like Facebook, failed in its pledge of end-to-end encryption and failed to prevent Zoom bombing incidents like those faced by the church.
Of the $85 million settlement, around $21.4 million will go to legal fees and expenses, $5,000 will go to each plaintiff, including Saint Paulus, and $2.8 million will go to administration of the settlement.
The remainder will go to roughly 150 million eligible Zoom users. In a March 14 calculation, the settlement administrator said claimants who were paid subscribers are likely to receive the greater of $50 or 30% of their subscription fees. Users who were not paid subscribers are likely to receive $29.
Zoom collected more than $1 billion in subscription fees from the settlement class members.
Mark Molumphy, a partner at Cotchett, Pitre & McCarthy, LLP and co-lead counsel for the plaintiffs, said the novel issues raised in the case included how Section 230 would apply to a platform like Zoom and what security standards a company like Zoom should be responsible for. Section 230 is the portion of the Communications Decency Act that generally protects tech platforms from legal liability for the content posted on their platforms.
In a preliminary judgment prior to the settlement, U.S. District Court Judge Lucy Koh indicated that while Section 230 protects Zoom from being directly responsible for Zoom bomber activities, contractual claims would be able to move forward “because if someone is using the platform, one of the assumptions is that the communications would be private and secure,” Molumphy said. “Especially if you’re promoting end-to-end encryption,” he added.
As part of the settlement, Zoom denied any wrongdoing in the case.
“The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us. We are proud of the advancements we have made to our platform, and look forward to continuing to innovate with privacy and security at the forefront,” a Zoom spokesperson said in a statement.
Zoom became a major beneficiary of the pandemic as shelter-in-place orders kicked off a large-scale transition to remote work and turned the relatively obscure service into the byword for hopping on a video call.
In Zoom’s last earnings announcement prior to the pandemic, the company reported around 81,900 customers with more than 10 employees. In its most recent earnings report in February, that number had grown more than 500% to 509,800.
“I think to some extent Zoom was a victim of its own creation; it just exploded in the middle of Covid and in many ways it wasn’t ready for the amount of usage of its platform, particularly in its privacy and encryption practices,” Molumphy said.
“I think this case will function as an important reminder for tech companies dealing with private information that they have to expend the time and energy on a technical level on the front end to make sure that communication is secure,” he added.
Kevin Truong can be reached at [email protected]