Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.
Sign up for our Cybersecurity & Privacy newsletter
You must correct or enter the following before you can sign up:
Thank You!
Law360 (April 13, 2020, 10:54 PM EDT ) Facebook and LinkedIn have been secretly harvesting personal information from Zoom users to boost their revenues, according to a putative class action filed in California federal court Monday that targets both the social media sites and the newly ubiquitous video conferencing platform.
Zoom Video Communications Inc. — whose popularity has exploded since the onset of the coronavirus pandemic — is already facing several lawsuits brought by users and shareholders during the past month that accuse the company of unlawfully sharing personal data with third parties such as Facebook and of misrepresenting the nature of its privacy and data security practices.
The newly filed lawsuit echoes many of these allegations against Zoom, while also drawing in social media giants Facebook Inc. and LinkedIn Corp., which plaintiff Todd Hurvitz claims "eavesdropped" on what Zoom users thought were private communications between them and the company's servers in order to scoop up valuable personal information.
"Zoom, Facebook and LinkedIn violated American citizens' fundamental right to privacy, a right that is of heightened importance as millions shelter in place and communicate primarily online during the pandemic," one of Hurvitz' attorneys, Scott R. Drury of Loevy & Loevy, said in a statement Monday. "This action seeks to right those wrongs and let the defendants know they cannot trample on people's rights."
According to the new 70-page complaint, Facebook and LinkedIn, with assistance from Zoom, collected unwitting Zoom users' personal information by "willfully and intentionally using a recording device to record and eavesdrop on ... communications between the participants' computers and defendant Zoom's server."
In the case of Facebook, Zoom allowed users of Apple's iOS operating system to log into the videoconferencing service through a Facebook plugin, according to the complaint. This feature enabled Facebook to surreptitiously collect personal data such as persistent identifiers, IP addresses, timezone details and device information about all Zoom users, including those who didn't have a Facebook account and hadn't used the login tool, Hurvitz alleged.
Facebook then used this information to "amass increasingly detailed profiles on Zoom users showing how, when and why they used Zoom, along with other inferences that could be drawn therefrom," even if users had taken steps to keep their identities anonymous, according to the complaint.
Facebook seized on these profiles to boost its targeted advertising business, while Zoom also profited from its newly enhanced ability "to more accurately target users for additional services and to convert them to paying customers," the plaintiff claimed.
Facebook on Tuesday denied that Zoom's use of the Facebook software development kit, or SDK, enabled the social media giant to "eavesdrop" on Zoom calls.
"The SDK is not designed to and did not share such content," a Facebook spokesperson told Law360. "The lawsuit has no merit, and we will defend ourselves vigorously."
LinkedIn is accused of engaging in similar conduct, with the complaint specifically targeting the LinkedIn Sales Navigator app that Zoom users can integrate into the videoconferencing platform.
The app allowed Zoom video meeting hosts who installed the feature to "view LinkedIn details of meeting participants, even when those participants sought to keep their personal details anonymous," and enabled LinkedIn to collect participants' persistent identifiers and other details that could be used to identify all participants, even when the meeting host wasn't using Navigator, according to the complaint.
LinkedIn on Monday called the plaintiff's allegations about the company "baseless."
"We give our members choices over what information they share and honor their settings," LinkedIn spokeswoman MK Juric said in an emailed response. "Additionally, the integration between Zoom and LinkedIn Sales Navigator was suspended and is no longer available."
The complaint additionally accuses Zoom of unlawfully disclosing users' personal information and misrepresenting the security measures it had in place to protect Zoom users' video communications.
The plaintiff asserted that none of Zoom's privacy policies disclosed the extent to which Facebook or LinkedIn could obtain users' personal information, and that Zoom had actively "concealed, suppressed and omitted from disclosure various flaws in its products until they [were] publicly disclosed by third parties, knowing that the disclosures could harm its business."
Zoom declined to comment on the new complaint.
As a result of all three companies' conduct, the plaintiff and proposed class members "have suffered and will continue to suffer severe consequences" in the form of various injuries and damages, including the diminished value of their personal information, lost time associated with reviewing and trying to stop unwanted advertising; the loss of privacy and the loss of their ability to control the sharing and sale of their personal information, according to the complaint.
The plaintiff, who is a California resident, is seeking to represent a nationwide class as well as a California subclass comprised of all individuals and businesses "whose personal or private information was unlawfully collected, disclosed and/or used by Zoom, Facebook and/or LinkedIn upon the installation, opening, closing or use of the Zoom app."
The 17-count complaint requests damages and equitable, injunctive and declaratory relief for a range of claims, including unjust enrichment, intrusion upon seclusion and invasion of privacy under the California Constitution.
The suit also alleges that Facebook's and LinkedIn's alleged interception of Zoom participants' information without users' knowledge or consent violated the California Invasion of Privacy Act and that all three defendants' purported failure to comply with the California Consumer Privacy Act and other relevant legal obligations violated the state's law prohibiting unlawful, unfair and fraudulent business practices.
As the orders for people to stay at home to contain the spread of the novel coronavirus have expanded, the demand for the remote conferencing services offered by Zoom has skyrocketed, with the company recently reporting that it had hosted a company record of more than 200 million daily meeting participants in March.
But the surge has also brought increased attention to Zoom's privacy and security practices, with lawmakers, consumer advocates, state attorneys general and class action plaintiffs in recent weeks stepping up pressure on the company to address suspected data misuses and security vulnerabilities.
The new complaint filed Monday claims that these concerns are nothing new, with the filing detailing a "long history of lax security practices and deceptive data privacy practices" at Zoom, Facebook and LinkedIn. Hurvitz specifically cited numerous warnings that have been issued to Zoom about defects that could expose user data; a series of privacy missteps at Facebook that led to a record $5 billion privacy settlement with the Federal Trade Commission; and a 2010 data breach that exposed 6.5 million LinkedIn users' passwords, among other incidents.
Hurvitz is represented by Scott R. Drury, Mike Kanovitz and David B. Owens of Loevy & Loevy.
Counsel information for Zoom, Facebook and LinkedIn was not immediately available.
The case is Hurvitz v. Zoom Video Communications Inc. et al., case number 2:20-cv-03400, in the U.S. District Court for the Central District of California.
--Editing by Emily Kokoll.
Update: This article has been updated to add comment from Facebook and to reflect that Zoom declined to comment.
For a reprint of this article, please contact reprints@law360.com.