Is Zoom Doomed?

Chandler Wright

Associate Editor

Loyola University Chicago School of Law, JD 2022

There is no doubt that working from home has become a new normal for millions of employees worldwide, and for some, this may be the future of their employment. When the workforce made the shift to remote work and online meeting navigation, Zoom Video Communications, Inc. (“Zoom”) quickly became the frontrunning platform. Many companies flocked to Zoom because of its alleged higher levels of security and encryption capabilities. However, a recent lawsuit against Zoom, by nonprofit group Consumer Watchdog, reveals that Zoom may not actually be as safe for users as it once claimed to be. Other lawsuits allege privacy concerns including Zoom sending user data to Facebook. Most recently, the FTC filed a suit against Zoom on November 9th for allegations of unfair, deceptive, or abusive acts or practices (“UDAAP”) related to encryption, cloud storage, third-party safeguards, and failure to disclose information to users. Though various privacy concerns arise, the platform’s popularity continues to increase given its newfound necessity.

Zoom’s laundry list of lawsuits

Zoom’s 2019 annual revenue was $623 million. This year, its revenue already exceeds $664 million. By April 2020, Zoom had 300 million daily meeting participants worldwide. Zoom quickly found out however, that widespread popularity comes with a hefty price — litigation. Lawsuits against Zoom commenced in March of this year, and to-date, there have been over 80 lawsuits filed. A class action suit filed on March 30 alleged that Zoom was sending user data to Facebook. In April, Zoom was sued 17 times, including an SEC class action suit, alleging that Zoom made false and misleading statements that artificially inflated Zoom’s stock prices. Multiple attorneys general, including Connecticut, New York, and Florida have sent letters to Zoom or filed suits regarding “zoom-bombing” incidents. On April 3, 2020 Sherrod Brown, Ohio Senator and ranking member of the Banking, Housing and Urban Affairs Committee, sent a letter to the FTC urging an investigation into Zoom’s troublesome practices.

What are UDAAP and why is regulation important?

Senator Brown’s letter references the FTC’s 1983 Policy Statement which defines the elements of deception. First, there must be a “representation, omission, or practice that is likely to mislead the consumer.” Second, “the act or practice must be considered from the perspective of the reasonable consumer.” Third, “the representation, omission or practice must be material.” The FTC complaint that followed Senator Brown’s letter, alleges multiple violations of Section 5(a) of the FTC Act, because Zoom’s deceptive acts and omissions affect commerce, as defined in Section 4 of the FTC Act. Regulation of UDAAP is important because deceptive practices can cause significant financial injury to consumers, erode consumer confidence, and undermine the financial marketplace as whole. The government thus makes it unlawful for corporations such as Zoom, who offer consumer services, to engage in UDAAP. To assess whether an act or omission is deceptive, the FTC uses the “four Ps” test. The “four Ps” are prominence, presentation, placement, and proximity. This 4-step test asks: (1) Is the statement prominent enough for a consumer to notice? (2) Is the information presented in an understandable way? (3) Is the placement of the information obvious or conspicuous to consumers? and lastly (4) Is the information in close proximity to the claim it qualifies?

In the Matter of Zoom Video Communications, Inc. (filed 11/9/20)

The FTC’s most recent complaint alleges that Zoom made material misrepresentations about their ability to provide a safe and secure video conferencing platform to users. The complaint alleges five violations of the FTC Act. All counts allege that Zoom, through either acts or omission “represented, directly or indirectly, expressly or by implication,” deceptive information. Count I contends deceptive representation regarding “end-to-end encryption.” This count references Zoom’s statement that it employed end-to-end encryption to provide a safer platform when , in fact, it did not employ this method. Count II claims deceptive representation regarding the level of encryption used. This count references  Zoom’s statement that it employed 256-bit encryption when, in fact, it did not employ this level of encryption. Count III alleges deceptive representation regarding secured cloud storage for recorded meetings. This count references Zoom’s statement that recorded meetings were stored in an encrypted format in the cloud when in fact they were not. Count IV is unfair circumvention of third-party privacy and security safeguards, in reference to Zoom’s inability to adequately prevent “zoom bombing.” Lastly, Count V posits deceptive failure to disclose information. This count connects with Zoom’s failure to disclose in a Mac App update that the update would allow web servers to remain on user’s computers even after the Zoom App is uninstalled.

Zoom employees, shareholders, and users worldwide will be anxiously awaiting the ruling in this case. Until then, Zoom users should be mindful of the information shared via the platform and always use precautions when handling confidential information in an online setting.