Henry v. Zoom Video Communications, Inc

COMPLAINT against Zoom Video Communications, Inc (Filing fee $ 400, receipt number 0971-14387315.). Filed by Lishomwa Henry.

Northern District of California, cand-5:2020-cv-02691

Current View

Full Text

3 1 ROBERT C. SCHUBERT S.B.N. 62684 WILLEM F. JONCKHEER S.B.N. 178748 2 NOAH M. SCHUBERT S.B.N. 278696 KATHRYN Y. MCCAULEY S.B.N. 265803 3 SCHUBERT JONCKHEER & KOLBE LLP 4 Three Embarcadero Center, Suite 1650 San Francisco, California 94111 5 Telephone: (415) 788-4220 Facsimile: (415) 788-0161 6 rschubert@sjk.law 7 wjonckheer@sjk.law nschubert@sjk.law 8 kmccauley@sjk.law 9 CHRISTIAN LEVIS (pro hac vice forthcoming) HENRY KUSJANOVIC (pro hac vice forthcoming) 10 AMANDA FIORILLA (pro hac vice forthcoming) 11 LOWEY DANNENBERG, P.C. 44 South Broadway, Suite 1100 12 White Plains, NY 10601 Telephone: (914) 997-0500 13 Facsimile: (914) 997-0035 clevis@lowey.com 14 hkusjanovic@lowey.com 15 afiorilla@lowey.com 16 Attorneys for Plaintiff 17 UNITED STATES DISTRICT COURT 18 NORTHERN DISTRICT OF CALIFORNIA 19 20 LISHOMWA HENRY, individually and on Case No.: behalf of all others similarly situated, 21 Plaintiff, CLASS ACTION COMPLAINT AND 22 DEMAND FOR JURY TRIAL v. 23 ZOOM VIDEO COMMUNICATIONS, INC., a 24 Delaware corporation, 25 Defendant. 26 27 28 CLASS ACTION COMPLAINT AND DEMAND FOR JURY TRIAL CASE NO. ____________ 3 1 Plaintiff Lishomwa Henry ("Plaintiff") complains upon knowledge as to himself and his own 2 actions and upon information and belief as to all other matters against Defendant Zoom Video 3 Communications, Inc., ("Zoom" or "Defendant") as follows: 4 SUMMARY OF ALLEGATIONS 5 1. This action arises from Defendant's lack of adequate data privacy and security 6 protections and disclosures to its users as part of providing its extremely popular videoconferencing 7 software. Defendant has shared Plaintiff's and Class members' data with the widely popular social 8 network, Facebook, without adequate disclosure, and has failed to protect its users' data from theft 9 by neglecting to adhere to standard data privacy protocols and requirements. 10 2. As a provider of videoconferencing software, Defendant has greatly benefitted from 11 the recent pandemic that has forced many Americans to work from home. Zoom stated that daily 12 meeting participants increased from 10 million to 200 million between December 2019 and March 13 2020.1 14 3. While people utilize Zoom's software on their phones, laptops, or desktop 15 computers, Zoom has been putting the data of millions of people at risk with poor data security 16 protections. 17 4. As Zoom's platform has become more popular, there have been an increasing number 18 of reports that have exposed problems with the platform which permit hackers to access users' web 19 cameras, permit access to users' recorded videoconferences, permit access into live 20 videoconferences, and even give hackers the ability to completely control users' computers or 21 devices. Additionally, Zoom routes many of its conferences through servers located in The People's 22 Republic of China, which subjects them to seizure by the Chinese government. 23 5. Zoom has also published misleading marketing claims and privacy policies while 24 secretly taking advantage of users by sharing their personal data with third parties and putting their 25 information at risk. 26 27 28 1 Eric S. Yuan, A Message to Our Users, https://blog.zoom.us/wordpress/2020/04/01/a-message- to-our-users/ 1 CLASS ACTION COMPLAINT AND DEMAND FOR JURY TRIAL CASE NO. ____________ 3 1 JURISDICTION AND VENUE 2 6. This Court has jurisdiction over the subject matter of this action pursuant to 28 U.S.C 3 §1332(d), because the amount in controversy for the Class exceeds $5,000,000 exclusive of interest 4 and costs, there are more than 100 putative class members defined below and minimal diversity 5 exists because a significant portion of putative class members are citizens of a state different from 6 the citizenship of Defendant. 7 7. This Court has general personal jurisdiction over Defendant because its principal 8 place of business is in San Jose, California. Additionally, Defendant is subject to specific personal 9 jurisdiction in this State because a substantial portion of the events and conduct giving rise to 10 Plaintiff's claims occurred in this State. 11 8. Venue is proper in this District pursuant to 28 U.S.C. §1391(b), (c), and (d) because 12 Defendant transacts business in this District; a substantial portion of the events giving rise to the 13 claims occurred in this District; and because Defendant is headquartered in this District. 14 9. Intra-district Assignment: A substantial part of the events and omissions giving rise 15 to the violations of law alleged herein occurred in the County of Santa Clara, and as such, this action 16 may be properly assigned to the San Jose division of this Court pursuant to Civil Local Rule 3-2(c). 17 PARTIES 18 A. Plaintiff 19 10. Plaintiff Lishomwa Henry ("Plaintiff") is a natural person and citizen of the State of 20 New York and a resident of Queens County. 21 B. Defendant 22 11. Defendant Zoom Video Communications, Inc., is a Delaware corporation with 23 principal executive offices located at 55 Almaden Boulevard, San Jose, California 95113. 24 SUBSTANTIVE ALLEGATIONS 25 12. Zoom has provided its video communication platform for companies and individuals 26 in the United States and many other countries throughout the world. While Zoom may provide 27 software that is very easy to use, the company has been severely irresponsible in maintaining the 28 security of its users' data. 2 CLASS ACTION COMPLAINT AND DEMAND FOR JURY TRIAL CASE NO. ____________ 3 1 13. By clicking "Join," users are trusting that Zoom will provide the necessary security 2 to protect their personal information and the content of their Zoom sessions, however Zoom's rapid 3 rise in popularity has exposed that, despite its dramatic increase in revenue, it has cut corners to an 4 extreme degree in securing its platform. 5 I. Zoom Has Been Sharing iOS User Data With Facebook's Developer Kit 6 14. On March 26, 2020 it was reported by Motherboard that the Zoom app for iOS was 7 sending information about its users to Facebook even if the users did not have a Facebook account. 2 8 15. The report stated that the Zoom app notifies Facebook when the user opens the app 9 and provides details on the user's device such as the model, the time zone and city they are 10 connecting from, which phone carrier they are using, and a unique advertiser ID created by the 11 user's device, which companies can use to target a user with advertisements. 12 16. This sharing of user data with Facebook was not disclosed by Zoom's privacy policy. 13 Zoom claims to protect its users' privacy, stating on its website "you trust us to connect you to the 14 people that matter. We value that trust more than anything else. We want you to know what data we 15 collect and how we use it to provide our service." 3 16 17. Zoom's Privacy Policy purports to identify and disclose to its users all the 17 information Zoom automatically collects from its users when they interact with Zoom products. 18 Zoom's Privacy Policy states that it "utilize[s] a combination of industry-standard security 19 technologies, procedures, and organizational measures to help protect your Personal Data from 20 unauthorized access, use, or disclosure." 21 18. Zoom's failure to provide accurate disclosures to its users about sharing their data 22 and failure to implement adequate security protocols violates its users' privacy and falls well short 23 of Zoom's promises. 24 25 26 2 Joseph Cox, Zoom iOS App Sends Data to Facebook Even if You Don't Have a Facebook 27 Account, https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even- if-you-dont-have-a-facebook-account 28 3 http://zoom.us/privacy-and-legal 3 CLASS ACTION COMPLAINT AND DEMAND FOR JURY TRIAL CASE NO. ____________ 3 1 II. Zoom's Misleading Statements About End-to-End Encryption 2 19. Encryption is the method by which information is converted into secret code that 3 hides the information's content and meaning. This process converts the original representation of 4 the information, known as plaintext, into an alternative form known as ciphertext. Only authorized 5 parties can convert ciphertext back to plaintext and access the original information, generally 6 through the use of a secure passcode. 7 20. End-to-end encryption is intended to prevent data from being accessed by anyone 8 other than by the true sender and recipient. This means that the data is encrypted while being 9 transmitted to the recipient and the platform provider does not have a means to decrypt it. 10 21. Zoom marketed itself as offering end-to-end encryption. But on March 31, 2020, The 11 Intercept reported that Zoom appeared to employ a simpler form of security in which the data is 12 encrypted when it is being accessed from the meeting endpoints, however the data passes through 13 Zoom's central servers where it is decrypted before being re-encrypted and transmitted to the 14 recipient.4 15 22. On April 1, 2020 Zoom published a blog post stating, "we want to start by 16 apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were 17 capable of using end-to-end encryption," explaining that there are instances when Zoom will decrypt 18 the communications of its users in certain circumstances such as when the when their cloud-based 19 recording system is being used. 5 This would permit an attacker to redirect the data stream from a 20 cloud-recording without breaking into the meeting. 21 23. It was also reported by security research organization Citizen Lab that Zoom uses a 22 single shared key, or password, among all meeting participants and that the password is generated 23 24 25 26 4 Micah Lee, Yael Grauer, Zoom Meetings Aren't End-To-End Encrypted, Despite Misleading 27 Marketing, https://theintercept.com/2020/03/31/zoom-meeting-encryption/ 28 5Oded Gal, The Facts Around Zoom and Encryption For Meetings/Webinars, https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/ 4 CLASS ACTION COMPLAINT AND DEMAND FOR JURY TRIAL CASE NO. ____________ 3 1 using a weak algorithm susceptible to cracking, and that the passwords are generated not by 2 endpoints, but by company-run servers.6 3 III. Chinese Involvement 4 24. The Citizen Lab report also stated that they observed the transmission of meetings 5 and encryption keys through servers in China. The Chinese government has the authority to compel 6 companies to provide authorities access to their servers. The Citizen Lab report stated that, "Zoom 7 may be legally obligated to disclose the encryption keys to authorities in China." 7 8 25. Although Zoom is a Silicon Valley-based company, the report noted that Zoom owns 9 three companies in China through which at least 700 employees are paid to develop Zoom's 10 software. 11 26. This issue has been recently addressed by Congress. In November 2019, the United 12 States Senate introduced a bill to curtail the flow of sensitive information about people in the U.S. 13 to China through large tech companies that provide services to Americans. The bill, named The 14 National Security and Personal Data Protection Act, subjects companies with ties to countries of 15 "national security concern," including China, to a privacy regime that prevents the companies from 16 collecting private data on U.S. users beyond what is required to run their services. This concern 17 stems from Chinese laws that require companies to provide their data to Chinese intelligence 18 services.8 19 27. Citizen Lab performed a test of a Zoom meeting with two users, one in the United 20 States and one in Canada. They found that the encryption key was sent to one of the participants 21 from a Zoom server located in Beijing. The report stated that, "[a] company primarily catering to 22 23 Bill Marczak, John Scott-Railton, Move Fast and Roll Your Own Crypto: A Quick Look at the 6 24 Confidentiality of Zoom Meetings, https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a- qu