As the use of Zoom Video Conferencing has skyrocketed since the start of the Coronavirus Pandemic, the company’s security infrastructure and alleged interference in virtual events over the platform have come under fire multiple times since the beginning of global quarantines in March 2020. As millions of Americans are now using Zoom and other videoconferencing tools daily, any data breaches may provide unprecedented access to otherwise confidential conversations between users, including any U.S. government and private sector professionals who utilize the app for their work. Furthermore, censorship of certain virtual gatherings may place dangerously restrictive limits on communication and social organizing as the pandemic demands that most of the population continue to conduct its daily business virtually.
Most recently, the U.S. Department of Justice has charged former China-Based Zoom executive Xinjiang Jin, also known as “Julien Jin,” with conspiracy to commit interstate harassment and unlawful conspiracy to transfer a means of identification after his alleged participation in a scheme to assist the People’s Republic of China in blocking virtual commemorations of the Tiananmen Square massacre in May and June 2020. News of this potential attempt to censor Chinese dissidents should remind users that their choice to route our communications through this (and other) videoconferencing apps has created new, special pandemic-era censorship concerns, Zoom has released a blog post and S.E.C. filing on its website acknowledging the charge and investigation, reaffirming its “support [for] the U.S. Government to protect American interests from foreign influence,” dedication “to the free and open exchange of ideas,” and ongoing, “aggressiv[e]” actions to “anticipate and combat…data security challenges.” Furthermore, the blog post details subpoenas received from the Security and Exchange Commission and the Attorney’s Office for the Northern District of California seeking information about security and privacy matters, as well as employee interaction with representatives of the Chinese government.
This marks only a continuation of Zoom’s legal and privacy issues this past year. In April 2020 alone, Zoom was sued 17 times for privacy related concerns. This includes a shareholder class action suit that was filed in San Francisco Federal court, claiming that Zoom made materially misleading statements around the lack of end-to-end encryption it had, artificially inflating its stock price. Ironically, even the hearings for this case were conducted over Zoom Webinar. An additional 17-count class action lawsuit was filed in April, alleging that Zoom unlawfully permitted Facebook and LinkedIn to eavesdrop on communications between Zoom user’s devices to harvest personal information to increase respective ad revenues. In the same two month span, various additional class actions were filed against Zoom for alleged violations of the California Consumer Privacy Act in its protection against “unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices,” for privacy-related breach of contract, and seemingly-common hacking incidents that have come to be known as ‘Zoombombings.’ Unsurprisingly, as 2020 progressed, Zoom continued to face mounting legal challenges of the sort, even from groups like Consumer Watchdog and the Federal Trade Commission.
In addition to allegations of fraud, securities violations, consumer protection violations, privacy law violations, and breaches of contract, Zoom has been the target of much public scrutiny for its handling of user data internationally. In April 2020, amidst all of the aforementioned lawsuits above, Zoom admitted to ‘mistakenly’ routing call data through Chinese servers for non-China users, including encryption keys that can be utilized to unlock conversations. This evoked massive national security and trade secrets concerns, as most of the nation – including most U.S. government workers and most private-sector executives – have been working from home.
As the U.S. has long resisted enacting federal data privacy legislation that would limit the free-flow of information, instead even legislating to ensure that international data remain accessible to the U.S. government in certain situations, there may be limited legal recourse to protect U.S. trade secrets and abate national security concerns with regards to Zoom and its data-sharing. However, after investigations into incidences such as Russia’s 2016 election interference activities, many view it unreasonable to “expect companies to self-regulate to a sufficient degree that protects Americans from a hostile nation-state intelligence activity.” In addition, as many remain vigilant about the need for federal privacy regulation, various federal privacy frameworks have been proposed and we can expect Congress to continue wrestling with the issue.
Although Zoom announced in October that it would offer end-to-end encryption to all users (although such encryption measures prevent the use of cloud recording and other features), one should continue to be wary of such security issues when using the platform. It appears that these legal issues may not be going away for Zoom in the near future, as the company continues to improve its data security infrastructure, and as the pandemic requires us to conduct our day-to-day business virtually over such videoconferencing platforms.
* Alex Theodosakis is an Associate Editor on the Michigan Technology Law Review.