Zoom Video Communications added more users in the first quarter than all of 2019 due to COVID-19, but that increase has prompted complaints and lawsuits around security and privacy.

This week, the FBI issued a warning that video teleconferencing (VTC) hijacking, also called “Zoom-bombing,” is emerging nationwide. The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language.

The FBI Boston Division cited an instance last month in which a high school teacher was conducting an online class using Zoom when an unidentified individual(s) dialed into the classroom, yelled a profanity and then shouted the teacher’s home address in the middle of instruction.

In addition, the New York Attorney General’s office sent a letter to Zoom with a number of questions to ensure the company is taking appropriate steps to ensure users’ privacy and security. Channel Partners couldn’t obtain a copy of the letter, but a New York Times report said the letter outlined several concerns and that the company had been slow to address security flaws such as vulnerabilities that could enable malicious third parties to, among other things, gain secret access to consumer webcams.

In addition, Zoom faces a class-action lawsuit in California for allegedly giving users’ personal data to outside companies including Facebook without fully informing customers. The plaintiff is Robert Cullen, a California resident who downloaded, installed and opened the Zoom app.

According to the lawsuit, while use by consumers and businesses has exploded due to COVID-19, Zoom “has failed to properly safeguard the personal information of the increasing millions of users of its software application, Zoom App, and video conferencing platform.” The lawsuit also alleges Zoom violated the California Consumer Privacy Act (CCPA).

Zoom notifies Facebook when a user opens the app with details on the user’s device, such as the model, the time zone and city they are connecting from, which phone carrier they are using and a “unique advertiser identifier created by the user’s device which companies can use to target a user with advertisements,” according to the complaint.

The unauthorized information is sent to Facebook when a user installs and each time a user opens the Zoom app, according to the complaint. The information is sent to Facebook regardless of whether the user has a Facebook account, it said.

Had Zoom disclosed that it would “use inadequate security measures and permit unauthorized third-party tracking of their personal information,” Cullen and other plaintiffs would not have been willing to use Zoom, according to the complaint.

Zoom’s Aparna Bawa

In a blog, Aparna Bawa, Zoom’s chief legal officer, said Zoom does not sell its users’ data, it has never done so and has no intention of doing so going forward. It also does not monitor meetings or its contents, and complies with all applicable privacy laws, rules and regulations in the jurisdictions in which it operates, including the General Data Protection Regulation (GDPR) and the CCPA, she said.

“We are not changing any of our practices,” she said. “We are updating our privacy policy to be more clear, explicit and transparent.”

For those hosting large, public group meetings, Zoom encourages hosts to review their settings, confirm that only the host can share their screen, and utilize features like Waiting Room and host mute controls. For those hosting private meetings, password protections are on by default and Zoom recommends that users keep those protections on to prevent uninvited users from joining.