The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Zoom sued by consumer group for misrepresenting its encryption protections

with Tonya Riley

A consumer advocacy group is suing Zoom and seeking millions of dollars in damages, accusing the company of misleading its users about the strength of its encryption protections. 

The nonprofit group Consumer Watchdog is also accusing the videoconferencing company of deceiving users about the extent of its links with China and the fact that some calls between people in North America were routed through servers in China. That raises the danger Beijing could steal or demand access to the contents of those calls, according to a copy of the lawsuit, which was shared exclusively with The Cybersecurity 202. 

Those phony claims “lull[ed] consumers and businesses into a false sense of securityand helped Zoom to soar in popularity during the early months of the pandemic, according the lawsuit, which was filed late yesterday in Washington D.C. Superior Court. 

The consumer group fears that if Zoom isn't punished, other companies will be incentivized to make false claims about their security and privacy protections to attract users and stand out against competitors. 

It’s jaw dropping how blatantly Zoom was claiming something that wasn’t the case,” Jerry Flanagan, Consumer Watchdog's litigation director, told me. “If a giant company like Zoom for years was claiming to have end-to-end encryption in place and they didn’t, one has to be very concerned that other companies are doing the same thing or that they’ll do so in the future if they don’t get called out on it.”

Zoom has previously acknowledged that it used misleading terminology to describe its encryption protections. It also acknowledged mistakenly routing calls through Chinese servers because of a surge of users during the early days of the pandemic.  A Zoom spokesperson said in a statement, “We take privacy and security extremely seriously and are committed to continuous enhancements, including the timely beta testing and implementation of end-to-end encryption.” 

Consumer Watchdog is suing under a D.C. consumer protection law that allows nonprofits to bring lawsuits on behalf of consumers. 

In most states such cases would have to be filed by a state’s attorney general or by a group of consumers in a class action. 

The group is seeking up to $1,500 for every instance in which a D.C. resident used Zoom for non-business purposes. That could be a huge amount given Zoom's recent surge in popularity. 

But it also comes as Zoom's value is soaring. The company's share price has risen to about $250 per share from around $115 before the pandemic. 

The suit would cover instances where people used Zoom for social reasons or possibly for distance learning, said Ari Scharg, an attorney with Edelson PC, which is representing Consumer Watchdog in the case. It would not apply to cases in which people used the service for business reasons. 

The company's misstatements are especially galling during the pandemic, when people are rushing to Zoom and other video tools as a way to keep in touch with friends and family while self-isolating, Scharg said.  

Zoom is such a prevalent company in a lot of households and schools and offices and it’s surprising and frustrating to a lot of users that the company wasn’t truthful with them,” he told me. “Right now, we all need an alternative way of keeping in touch and educating our children and it’s paramount that these online platforms be truthful with customers about how their privacy is being protected and who has access to those communications.”

Zoom claimed for years that it offered the most secure version of encryption, called end-to-end. 

But the company acknowledged during a crush of security scandals during the early weeks of the pandemic that its teleconferences were actually protected with a less rigorous form of encryption called transport layer security or TLS.

The major difference: End-to-end encryption scrambles the contents of communication during a message or conversation’s full journey between the sender and the recipient, meaning it's so strong the company itself can't access them. TLS allows the company that’s hosting the communication to decrypt it in the middle. That raises the chances that hackers could spy on those communications, cybersecurity experts say. 

End-to-end encryption has also sparked a high stakes battle between tech companies and the Justice Department because companies cannot turn over decrypted versions of customer messages in response to law enforcement warrants. Cybersecurity experts say that's a necessary price to ensure the cybersecurity of lawful communications. 

Zoom’s chief product officer Oded Gal said in an April 1 blog post the company “has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption.” He acknowledged, however, that “while we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”

The company later released plans to use true end-to-end encryption — first just for paid users then, when that plan proved unpopular, for users of both the paid and free service.  

The company has also pledged to limit its ties to China, which have come under intense scrutiny amid widespread concern about the threat of digital spying by the Chinese government. A report by Citizen Lab, a University of Toronto research group, found that despite being based in California Zoom owns three companies in China with about 700 employees that assist with its research and development. 

Zoom's moves didn't quell anger from lawmakers and consumers who say it played fast and loose with security. 

Sens. Richard Blumenthal (D-Conn.) and Josh Hawley (R-Mo.) last month demanded a Justice Department investigation into Zoom’s Chinese government ties as well as those of the Chinese app TikTok. 

In an email response to the lawsuit, Blumenthal told me “Zoom blatantly misled millions of consumers on the privacy and security of its app, claiming to offer end-to-end encryption when it did not” and that the company “still bears an unmet obligation to protect consumers and should be held accountable for its clear past violations of law and public trust.”

This story has been updated to add comment from Zoom. 

The keys

President Trump downplayed Russian election threats and accused Democrats of undermining the election. 

When asked about the threat from Russia during a news conference, the president chastised reporters for not also asking about China and Iran. “The other day they said the three countries; they said China and Russia and Iran and some reporter got up and said, Russia is meddling. I said, well, didn't it mention China and Iran? Why didn't you mention them, too?" the president said. 

The comments come after a Friday statement in which William Evanina, director of the National Counterintelligence and Security Center, described Russia as actively engaged in efforts reminiscent of its attempts to undermine the 2016 election. He described China’s election efforts as “largely rhetorical and aimed at shaping policy and criticizing the Trump administration for actions Beijing sees as harmful to its long-term strategic interests,” Shane Harris reports

Trump accused Democrats of undermining the election by promoting voting by mail — a practice the president has long criticized but also promoted in select states. “I'll tell you who's meddling in our elections,” he said. “The Democrats are meddling. By wanting and insisting on sending mail-in ballots, where there's corruption all over the place.”

Belarus is blacking out the Internet after election protests.

The country appears to be blocking Twitter and other social media sites after the results of the recent presidential election sparked public protest, Jeff Stone at CyberScoop reports.  

The protests were spark after Alexander Lukashenko, who has been president of the country for 26 years, claimed to win 80 percent of the vote. Opposition leaders claim those results aren’t trustworthy. 

Twitter confirmed it was being throttled in the country.

Access Now, an Internet freedom nonprofit, reported the blocking of dozens of sites including virtual private networks that would allow protesters to evade the bans and maintain anonymity online.

Secretary of State Mike Pompeo slammed Belarus. "We strongly condemn ... the use of internet shutdowns to hinder the ability of the Belarusian people to share information about the election and the demonstrations," he said in a statement.

Other countries including Iran have used similar tactics to silence public backlash following elections.

Tech companies are racing to acquire TikTok before the clock runs out on a ban. 

Doug Leone, Sequoia’s global managing partner and a Trump donor, has been pushing to find a way to save the company that Trump warns could be a vector for Chinese spying, Ellen Nakashima, Elizabeth Dwoskin, Jeff Stein and Jay Greene report. The venture capital's China-based affiliate invested in TikTok parent company ByteDance in 2014.

Trump gave a 45-day deadline last week for ByteDance to sell off its U.S. assets or the app would be banned. The effort underscores how the Trump administration’s national security moves against China could remake the face of U.S. social media.  

That's just one piece of the behind-the-scenes scrambling by investors and allies to convince the White House to allow for a sale of the app, rather than a ban. Treasury Secretary Steven Mnuchin also rallied Trump to allow for a sale of the app's U.S. business to a U.S. company to address the administration's security concerns. Microsoft is currently in talks to buy the app.

Hill happenings

Senate Homeland Security leaders want to expand a program to strip Huawei and ZTE from rural telecoms. 

The committee’s chairman Sen. Ron Johnson (R-Wis.) and top Democrat Sen. Gary Peters (Mich.) say equipment from sources like Huawei and ZTE could leave carriers vulnerable to cybersecurity risks and spying.

“As we become increasingly interconnected – especially during this pandemic – it is vital our telecommunications networks are secured against adversaries like the Chinese government,"  Peters said.  "We must have affordable and reliable telecommunications grids that can withstand national security and economic challenges."

Their new bill builds off the Secure and Trusted Communications Networks Act passed earlier this year. It would expand a reimbursement program that helps rural telecoms shed suspect components to include any telecom that has fewer than 10 million customers. The law previously only applied to telecoms with fewer than 2 million customers. 

The legislation is supported by members of the Federal Communications Commission and several associations for small carriers, the lawmakers said. 

Cyber insecurity

Nearly one-third of top-level cybersecurity executives said they have seen more attacks as a result the coronavirus pandemic.

Almost two thirds (64 percent) of top IT and cybersecurity executives believe their organizations are more likely to experience a data breach because of working from home and other shifts during the pandemic, according to a study by the cybersecurity firm HackerOne.


  • The Center for Strategic and International Studies (CSIS) will webcast a discussion on the threat posed by Chinese espionage and how the Department of Justice has been responding Wednesday at 3 p.m.

Secure log off

Election season is here: