If it finalizes, they are offering to send me $15?
That is not enough for the damage to my reputation and that of my business. I recommended them to others for privacy-important things and showed the advertised 'e2e' that was advertised as approved by the US gov.
I also used it with several other security professionals to work in tandem on hacked servers. Passwords were not obfuscated due to our belief in the e2e.
Shouldn't we get an opt-out of the class action email?
It's pretty obvious that corporate crime pays exceedingly well. It makes mathematical sense for corporations to do bad things for profit, since we aren't a society that is capable of holding corporations financially accountable for their negative actions.
Lots of people these days are operating primarily on fear; when you are in that sort of pattern-matching mode, any new or unknown situation will by default be evaluated as a potential threat.
Perhaps we should stop creating so many "heads I win, tails you lose" situations for huge swaths of the population. That might have something to do with an overall culture of fear, uncertainty, and doubt in general.
I hate it, but that's definitely plausible. From that angle really anyone should be very hesitant - which is beyond depressing considering how much good vaccines do.
It's possible that if a representative class member files an objection it could create problems for the class action lawyers trying to get their settlement approved. They may not get their money as expected. Needless to say, given the amount of time and money some invest in these cases, they really want to get these settlements approved without objection so they can get paid.
Many people are probably familiar with receiving notifications about being eligible to receive some token payment as settlement for some lawsuit they never knew existed, if they follow steps X, Y and Z. But how many people know they can follow steps A, B and C and file an objection instead.
It's like changing defaults, opting out of advertising, using an ad blocker, running a PiHole, etc. If you do nothing, you get ads and a crappy experience. That's the default. To get a better experience you have to take action.
The default here is you ignore the notice and get nothing or you respond and get maybe a token payment, the lawyers get large payments and the company gets off the hook, limits their liability and avoids any admission of wrongdoing. If you want a better experience, you have to take action and file an objection.
I think this highlights a problem in trusting 3rd party services just because they claim to have high quality of service. As a security prof, I am surprised you didn't just try to intercept the Zoom conversations and see if they actually are encrypted before trusting them. I know being busy can prevent things like that from happening, but the problem is people were using this and similar services to work on other people's data who never had used Zoom. This means that it's very likely that our participation is not even required for our private information to be stolen.
You are right.
I recall reading an HN comment a while back where someone did check the data on the wire with one of those 'no-name cheap wifi home cameras' that claimed encryption for privacy and they did see scrambled stuff - so good.
But I also recall a recent comment (I think from a SaaS founder?) - where they don't claim E2E with their service as it's using WebRTC(?) that needs to decrypt at the relay (STUN/TURN?) server - then re-encrypt to deliver.
(Which is how I will be preferring to deliver with WebRTC, so as to avoid direct p2p and IP address leaking (trading user-to-user privacy for trust in the server relay - good for my situation, not what I'd suggest for most others).)
Anyhow - that kind of thing would get tricky. Is the software WireGuard that is used to peek at the traffic? That would (could) show encrypted stuff leaving my box - and give me a false sense of security if Zoom was decrypting in the middle - I guess I'd need to find out if the data was going p2p somehow. (Still learning to be a security professional.)
We need some way to codify parts of your comment into law, and into people's understanding of the need to have encryption for data others get to play with. - There is a tinge of this in HIPAA.
Granted it only concerns US users so this figure is not strictly correct, but it shows privacy in a global service is a central problem that cannot be litigated for in a specific jurisdiction.
This awards members of the class at most $25 - which might materially mean something to an individual (unlikely), but is virtually nothing; furthermore, as an accounting line item for Zoom, this is literally not worth batting an eye at. Yes, there will be knock-on effects of "better training" and scrutiny of messaging/security both internally and externally, but it will effect practically 0 change to their overall bottom line or revenue/profit projections, and there is obviously no legal precedent set or oversight changes that will aid end users moving forward. Yay.
What does all of that cost? $21M[2] to law firms. I won't go into the insanity and inanity of billable hours and the profit machine of law in this country, but that point is simply to underscore that those legal firms are the second winners in this. Despite their position and goal - ostensibly and in name only - of aiding the members of the class in seeking a just and fair reward for wrongdoing and bad faith by Zoom.
Meanwhile, as others have commented, reputations and contracts have been burned and sullied, and doubtless money lost along with that, but our legal system is not interested in trying to attach responsibility or reparation to those effects (because they can't necessarily be proven as fault of Zoom).
Depends on how they ask. If I have to scroll through a list of 400 partners and uncheck "legitimate interest" for each one, there is definitely an issue.
> If I have to scroll through a list of 400 partners and uncheck "legitimate interest" for each one, there is definitely an issue.
Certainly. And they know it's an issue. And they know next to nobody will sit there and un-check those options. Such dark patterns are replete in this industry. They know, if given the choice, very few people would opt in. They know this and it continues every day.
The discourse on this is interesting to me. I first heard it in reference to truly small fines, like less than a million dollars for a big company. Then over time it gets repeated for literally any fine, no matter how large. Now we are talking about a month’s worth of profits (Zoom’s profit last quarter was $227M), which is really quite a lot. It’s a similar magnitude event to a global company losing all its UK customers. Hundreds of people would be laid off for a screwup this big, whole business units shut down.
Yeah, but I don't think you're seeing the big picture.
Entire companies are created and grown based on these dark patterns, which, because the law moves slowly, are not yet fully illegal in an open-and-shut kind of way.
The punishment doesn't deter enough, because Zoom has been making a ton more money off this and will continue to do so.
It's a bit like Ford's: "Don't ask me how I made my first million", that first million being the hardest part (once you have 999 million, getting to 1 billion is trivial).
And it sets a damaging precedent that deters honest participants. Companies like Uber that "growth hack" by ignoring the law wherever they expand (and react to the consequences with an army of lawyers and lobbyists) mean that anyone not willing to do the same can't compete.
If breaking the law is a net benefit for companies, then the only companies you'll be left with in a competitive space are the ones that break the law. So the fines have to be _huge_ to make any meaningful difference.
OTOH the laws that Uber ignores (and then later forces to change) are often a cause of stagnation, and no company would work to get them changed _before_ setting up shop, because even if they succeed then they've just paid the price of admission for all their competitors, too. So I guess I don't have a real solution to offer.
It's a one-off write-off during the earnings call. It's really not a big deal at all; it can even cause the stock price to pop, as it shows that the company is big enough that lying is cheap and gives you amazing ROI. E2EE was a big feature that helped to fuel the growth. One month of profits, once you've experienced extreme growth and tons of money infusion, is a great deal.
> Then over time it gets repeated for literally any fine, no matter how large.
I mean, I think it's worthwhile to compare and see how you'd think about this, right? $3k fine seems high in the abstract to me. Then again, if it's viewed as a kind of tax for going from $25k/year in annual income to $100k/year – eh, doesn't sound like much. What do you think?
> Hundreds of people would be laid off for a screwup this big, whole business units shut down.
I am actually curious to see if that's the case – are there any reports of such shutdowns/layoffs?
Zoom's quarterly revenue is nearly a billion dollars. And given that this is a one-time payment, it seems hyperbolic to compare it to losing customers. Really, this fine was a cost of acquiring customers that they were able to defer for years.
I don't think Zoom is profiting from breaching privacy; I think they profit from providing video-meeting software. I think penalizing undesirable behavior that doesn't produce profit will motivate Zoom to take that undesirable behavior very seriously.
Is that $3,300 the reason why I have a $100K job instead of a $50K job? If so, I wouldn't even flinch at paying that.
Many moons ago, lawyers used to crash the carpool lanes in Washington, DC for about that price given the time they would save and the amount they could bill. The firms just started paying the fines. It wasn't until the penalty started having points and could cost you your drivers license that the behavior stopped.
Yeah, usually a $3,300.00 ticket comes with some form of demerits, so even if you pay the fine you lose your license if you do it too much. Can't think of a job where you'd benefit by speeding but losing your license would be fine.
That's a substantial fee for a human making $100k per year (plus taxes), but I don't think we should be comparing what's a reasonable fine for a person vs a business.
I understand that a person and a business are different, but it's worth contrasting if numbers are roughly in the same ballpark, right? A lot of businesses do start out as just one person.
In a year with like 300% revenue growth, I feel like Zoom can probably just treat this fine as cost of doing business. I mean, I pay a lot more than $3k in taxes per year!
Taking 3.3% of someone's income is substantial, whereas for a business, this is a cha-ching deal for potentially getting a business edge by not focusing on privacy rules when momentum mattered.
Most businesses are structured such that failing isn't disastrous (creditors cannot chase after the owners), whereas a human experiencing financial failure is an extreme life setback.
Not to mention the compounding effects of getting that business advantage earlier than others in the same space. If you can lie and say you have e2e encryption to scoop up market share before anyone else, even if the bare-faced lie gets revealed like it did here, not all of the clients who signed up are going to leave you, and you already have market inertia as a big player that will help you keep growing.
One of the best things about the GDPR isn't that the maximum fine is _only_ 4% of the yearly revenue, it's that it's AS MUCH AS 4% of the yearly revenue.
So when the court is considering fines, they don't go and look at a 3 million dollar fine and go "that's a good fine", they look at the revenue instead and go "the fine can be as much as 400M"
What value to society do small per-user judgements bring?
They tend to be a negligible percentage of revenue, involve the company denying wrongdoing, and giving an amount valuing a gumball and a mcdonalds meal to people. Really what is the point?
But what percentage of profit? And far more importantly, are they large enough to serve as a disincentive for others to do the same thing in the future? I'd suggest that the popularity of binding arbitration clauses is evidence that the fines are noticeable.
(Note that I refer to class actions in general, not Zoom specifically.)
> And far more importantly, are they large enough to serve as a disincentive for others to do the same thing in the future?
Considering that 100% of the popular social networks were built on these practices, no. They risk fines of hundreds of millions, maaaaybe billions at most, and they make tens of billions.
Sure, there are exceptions. But in general it would appear that class actions are an effective deterrent to a wide variety of undesirable behavior. That they fail in a few highly visible edge cases means they are imperfect - not useless.
> What value to society do small per-user judgements bring?
They impose some cost on unlawful behavior where the alternative, were they prohibited, would usually be no cost; plaintiffs' attorneys would seek more if the EV of going to trial was enough greater to compensate for the risks, so if you ban the low $/user settlements, you aren't getting bigger settlements, you are getting fewer class actions filed even with meritorious claims.
Class actions largely exist for diffuse harms where low per-class-member damages make it not worth individual direct action lawsuits, so banning small per-member awards is effectively eliminating recovery in most of the space class actions exist to serve, outside of suicide-bomber litigants (that is, litigants who are willing to take a negative EV to make sure that a wrongdoer pays.)
>It also accused Zoom of misstating that it offers end-to-end encryption...
I really think that we need some sort of standard definition for what this actually means. Pretty much everything claims E2EE these days just as long as there is some sort of encryption used somewhere in their system. Many (most?) are not doing something that would mean that only the end users would have access to the content, even in the face of assertive actions by the provider. Many get the technical details right but fail to properly inform the user about any critical actions required on the part of the user to make that possible.
Providers of such things should be expected to explicitly state who you need to trust and under what circumstances.
When they say sharing data with Google, Facebook, and LinkedIn, is this intentional sharing for their profit or is this a side effect of using things like the Facebook SDK to support Log in with Facebook?
If they're using these third party services they should absolutely have that listed in their privacy policy, but even if the end result is the same, the intention is completely different between the two.
Did zoom not have forced arbitration? When can forced arbitration turn into a class action?
The courts are public and law can be made from new interpretations and context (precedent). Coinbase, Kraken, etc have forced arbitration. Can this be overturned when a new interpretation (say securities law) could be made by a court in the open, vs arbitration which is private?
When I visit this BBC article I get a pop up asking me to sign in and then my browser just freezes up and becomes very unresponsive. This is Safari on iOS. Anyone else experiencing the same?
Never use any closed-source software if privacy is important. With closed-source software, always assume that there is zero privacy, all your data will be shared with third parties, and your system is compromised.