Zoom’s $115 Million Settlement Won’t Change a Thing, But It Could Get You a Refund


Zoom — the video conferencing software that many of us have come to begrudgingly rely on in the midst of the coronavirus pandemic — agreed on Saturday to pay $US85 ($115) million to settle a class-action suit brought on by the numerous privacy and security issues the platform refused to patch up. And like many settlements put out by tech companies over the years, it falls shorter than you might hope.

Granted, the settlement still requires approval by the California District Court. But upon approval, subscribers over the past five years would be able to claim a 15% refund on their core subscription — or $US25 ($34), whichever amount is higher. If you used the free version during this time, you’re allowed to make a claim for $US15 ($20). Another hearing in the case is set for late October.

The class action was one of the many suits thrown at the company by investors and irate customers alike over the course of the past year. From March through May of last year, 14 different class actions were filed against the company, which were later consolidated into one giant Zoom suit alleging that the company misled users about its privacy practices.

While most of the claims thrown against the company ended up being tossed out earlier this year by California District Judge Lucy Koh, she let two of the charges stand. First, that the company invaded the privacy of millions of users by sharing personal data with companies like Facebook and Google. And second, that Zoom’s misleading privacy controls resulted in countless meetings and calls being “zoombombed” by pranksters. Previous Gizmodo investigations showed that meetings between U.S. federal agents and Alcoholics Anonymous groups could easily be intercepted, despite the sometimes hundreds of thousands of dollars these kinds of customers were paying for their Zoom subscriptions annually.

The paltry security measures that the company tacked on after the fact — like requiring passwords for new room entrants or letting customers choose which countries their calls get routed through — didn’t do much to stem the tide of people easily dropping into these calls and… doing whatever they wanted, really.

Reading through the more than one dozen security changes Zoom is promising to make as part of the settlement, it’s unclear how any of them actually help to stop zoombombings from happening. The biggest change that Zoom plans to implement is “[developing] and [maintaining] a documented process for communication with law enforcement about meeting disruptions involving illegal content,” along with a devoted team to oversee this process.

But over the course of various outlets’ repeated reporting on zoombombings, pranks involving illegal content — like child pornography — were in the minority. During Gizmodo’s own investigation of the issue, we found dozens of calls interrupted by videos of beheadings, hardcore porn, and racial slurs. None of those are illegal, per se; just disturbing. That means none of these calls would be flagged by the system Zoom’s proposing in this settlement.

For the most part, the changes seem to apply to the second charge the company was hammered with: sharing data with third parties. This data sharing mostly occurs via software development kits, or “SDKs” — tiny trackers that apps like Zoom use to know who’s using their product, and how often. SDKs that are owned by Facebook or Google help the company retarget users with ads across Facebook- or Google-owned properties, like Instagram or YouTube. But by loading up their app with that software, Zoom’s sharing some sort of analytics with these two data-hoovering giants each time you hop on a video call.

As part of the settlement, Zoom is agreeing not to integrate Facebook’s SDK into its iOS app for a year. It’s a change that doesn’t really mean much for two reasons: it ignores the fact that many Facebook SDKs are effectively useless in phones equipped with iOS 14’s privacy changes, and it ignores… Android phones. In other words, it’s very likely that the only reason Zoom’s caving on using these particular analytics is that they just don’t work in Apple’s OS anymore, not that they’re an obvious privacy problem. The company hasn’t yet responded to questions about what changes it plans to implement for Android devices.

On top of that, the other changes that Zoom lays out are somewhat useful but put the onus on the end-user, rather than the company itself. These include implementing “in-meeting notifications to make it easier for users to understand who can see, save, and share Zoom users’ information” when someone on the other end uses third-party recording apps, and tweaks to the Zoom privacy policy to reflect these changes. But both of these updates are only useful to end-users who are familiar with the convoluted ways these third-party tools work, and with the convoluted way privacy policies tend to be worded. In other words, these fixes are only going to be useful to a small subset of users in a small subset of cases, if at all.

When asked for comment, a Zoom spokesperson told Gizmodo that “The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us. We are proud of the advancements we have made to our platform, and look forward to continuing to innovate with privacy and security at the forefront.”

COVID-19 cases are on the rise globally, and many of us are finding ourselves as reliant on video chats now as we were one year ago. If Zoom doesn’t take these changes more seriously than this settlement suggests, then this won’t be the last class action facing the company.