On Monday a user of the popular video-conferencing software Zoom filed a class action lawsuit against the company for sending data to Facebook. The lawsuit argues that Zoom violated California's new data protection law by not obtaining proper consent from users about the transfer of the data.
"Defendant knew or should have known that the Zoom App security practices were inadequate to safeguard the Class members’ personal information and that the risk of unauthorized disclosure to at least Facebook was highly likely. Defendant failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information of Plaintiff and the Class members," the lawsuit, which was first reported by Bloomberg, reads.
By analyzing the network traffic of the Zoom iOS app, Motherboard found that when opened, the app sent information about the the user's device such as the model, the city and timezone they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user's device.
Days after Motherboard informed Zoom of the data transfer, the company issued a statement confirming the analysis. Zoom also pushed an update to the app to remove the code which sent the data.
Do you know anything else about data selling or trading? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
"Zoom appears to have taken no action to block any of the prior versions of the Zoom App from operating. Thus, unless users affirmatively update their Zoom App, they likely will continue to unknowingly send unauthorized personal information to Facebook, and perhaps other third parties. Zoom could have forced all iOS users to update to the new Zoom App to continue using Zoom but appears to have chosen not to," the lawsuit reads. (iOS users can see when an update for an app is available when they open the App Store.)
The lawsuit argues that Zoom has not ensured that Facebook has deleted the data, either. The lawsuit also claims that Zoom participated in unlawful and unfair business practices, and violated the California Constitution.
Zoom did not immediately respond to a request for comment.
Subscribe to our cybersecurity podcast, CYBER.