Computers, Privacy & the Constitution

View   r3  >  r2  ...
RisakoSuzukiFirstPaper 3 - 29 Apr 2022 - Main.RisakoSuzuki
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Changed:
<
<

Zoom litigation regarding a privacy issue

>
>
Zoom litigation regarding a privacy issue.
 
Changed:
<
<

1. Outline of the litigation

>
>
Outline of the litigation
 
Changed:
<
<
In the spring of 2020, 14 class-action complaints were filed against Zoom Video Communications (“Zoom”) which were consolidated into a single class-action suit by the U.S. District Court for the Northern District of California in May 2020. The claims of the class-action are as follows:
  • Zoom shared users’ personal data with third-party internet services such as Facebook, Google and LinkedIn? without any notice to users (the privacy issue); and
  • Zoom did not take appropriate measures and allowed hackers to interrupt online meetings through so-called “Zoombombing,” (a phenomenon where outsiders hijack Zoom meetings and display offensive messages or images) (the security issue).
>
>
In the spring of 2020, a class action was filed against Zoom Video Communications (“Zoom”) claiming that Zoom (i) shared users’ personal data with third-party internet services (the privacy issue) and (ii) did not take appropriate measures and allowed hackers to interrupt online meetings through so-called “Zoombombing” (the security issue).
 
Changed:
<
<
In August 2021, Zoom finally agrees to settle the lawsuit by paying a total of $85 million to users who have started using its application from March 30, 2016 to July 30, 2021. In detail, Zoom subscribers would be eligible to receive a 15 percent refund on their primary subscriptions or $25 — whichever is greater. Other users could receive a refund of up to $15.
>
>
In August 2021, Zoom finally agrees to settle the lawsuit by paying a total of $85 million to users who have started using its application from March 30, 2016, to July 30, 2021.
 
Changed:
<
<

2. Is this an appropriate solution for the issues?

>
>
What is the meaning of this class action?
 
Changed:
<
<

The deterrent effect of the $85 million payment

>
>
(1) Does it have the meaning of compensation for victims (consumers)?
 
Changed:
<
<
Generally speaking, $85 million is a large amount of money. It might seem to work as a deterrent against Zoom and other similar companies who treat customers’ personal information. However, thanks to the Covid-19, Zoom’s business has rapidly expanded. Only in the third quarter of the fiscal year 2022 (From August 1, 2021 to October 31, 2021, soon after the settlement of the aforementioned litigation), its revenue was total $1,050.8 million and even the net income attributable to common stockholders was $340.3 million. Thus, the payment of $85 million is unlikely to cause a serious impact on Zoom. While, of course, this litigation has a considerable impact on Zoom’s reputation, it does not effectively work as a deterrent against future privacy and security issues.
>
>
Although the total amount paid by Zoom is $85 million, the amount each Zoom user suffering a data breach and security breach can receive is very small (only $15, $25, or 15% of the subscription). Moreover, once personal information is leaked, such information may be diffused without limitation. It is impossible to calculate the amount of damages people whose personal information is leaked suffered, which means that such damages are not recoverable by monetary payment. Thus, this class action is virtually meaningless as compensation or relief for victims.
 
Deleted:
<
<

The nature of damage caused by personal information leakage

 
Changed:
<
<
In addition, as stated above, the amount each Zoom user suffering a data breach and security breach can receive is very small (only $15, $25 or 15% of subscription). Moreover, once personal information is leaked, such information may be diffused without limitation. It is not impractical to stop such diffusion or identify all receivers of such information and have them delete it. It is impossible to calculate the amount of damages people whose personal information is leaked suffered. In other words, such damages are not recoverable by monetary payment. Therefore, the regulations on personal information protection must be strict. In order to have companies who treat a lot of users’ personal information comply with such regulations, serious sanctions should be imposed by administrators (e.g. a great amount of surcharge, suspension of business), separately from civil litigation.
>
>
(2) The impact on the defendant company
 
Changed:
<
<

Is Zoom the only one to be held accountable?

>
>
(i) The materiality of an $85 million payout for Zoom
 
Changed:
<
<
Demand for Zoom and other similar online meeting services has greatly exploded during the Covid-19 pandemic. Many companies instructed their employees to conduct meetings via Zoom that had traditionally been conducted in person. Many schools stopped offering in-person classes and switched to Zoom classes. Those employees and students did not download Zoom application and create their Zoom account of their own will. They had no other choice but to start using Zoom application because without using it, they could not work in their company or they could not attend a class and graduate from their school. As a result of instruction by their employer or school, their personal information was shared with third-party internet services such as Facebook against their will.
>
>
Generally speaking, $85 million is a large amount of money. However, thanks to the Covid-19, Zoom’s business has rapidly expanded over these two years. According to Statista’s data, the total revenue of Zoom in the fiscal year 2019 (which means before the Covid-19 pandemic) was $330.52 million. However, in the fiscal year 2021, Zoom earned the almost same amount of money ($328.17 million) only in the first quarter. The total revenue in the fiscal year 2021 was $2699.89 million, which is about eight times as large as those in the fiscal year 2021 (https://www.statista.com/statistics/1105346/quarterly-revenue-zoom-worldwide/). For Zoom, $85 million is only 3% of the total revenue in the fiscal year 2021 which is unlikely to cause a serious impact on its business.
 
Deleted:
<
<
As stated above, the damage arising from the leakage of personal information is unable to be compensated by monetary payment by its nature. The government, companies, schools and any other entities which have constituent members must understand that, in this information society, new technologies usually entail security and privacy risks. They must also understand that those who will be exposed to such risks by the introduction of the new technologies are not the entities themselves but their constituent members. Therefore, even if a certain new technology is very convenient and seems to have a great positive impact on their business, such entities should carefully consider the privacy and security risks arising from the service and investigate whether the service provider takes appropriate protection measures. If they neglect such considerations and investigations before enforcing their employers or students to use new technologies and as a result have them expose security and privacy risks, such entities should be held accountable. The data privacy regulations should take such entities’ responsibility and obligations into account.
 
Changed:
<
<
You can condense this discussion substantially. All the relevant facts can be put in four sentences. The questions you are presently asking can all be rendered in another 250 words.
>
>
(ii) Is the class-action useful for discovering the truth?

Although the payout of the settlement money is not material for defendant companies, they are required to bear a lot of litigation costs and allocate human resources for the preparation of the class action. Also, a prolonged class action may cause serious reputation risk. Thus, even though the defendant believes that the claims in the class action are unreasonable, the incentive to settle the case by paying a certain amount of money is strong, especially for large companies with huge revenue. For example, in 2012, Toyota agreed to pay more than $1 billion to settle a class-action lawsuit related to issues of unintended acceleration in its vehicles where plaintiffs claimed that Toyota’s electronics systems were at fault (https://www.nytimes.com/2012/12/27/business/toyota-settles-lawsuit-over-accelerator-recalls-impact.html), while United States Department of Transportation finally concluded that such systems were free from defect. Thus, class action litigation is not always useful for discovering the truth.

(3) Whom does the class-action benefit the most?

As stated above, the class action system does not work effectively as relief for victims, does not have a serious impact on defendant companies, and does not contribute to the discovery of truth. So, who has the incentive to cause the class action? Who receives the benefits from it? The answer is lawyers. In the Zoom class action case, the amount of lawyer fees is $21.25 million (https://legalnewsline.com/stories/619627763-zoom-class-action-nearly-final-lawyers-to-take-21m-if-settlement-approved). So, it may be no exaggeration to say that the class action is used as a tool by which lawyers squeeze money from large companies not for clients (consumers) but for their own sake.

Who is accountable for consumers’ privacy?

The damage arising from the leakage of personal information is unable to be compensated by monetary payment by its nature and the ex-post class-action does not provide meaningful relief. Thus, of course, consumers themselves must consider how to protect their privacy. However, in the Zoom case, many companies and schools instructed their employees or students to start using Zoom. Those employees and students had no other choice but to use the Zoom application because without using it, they could not work in their company or could not attend a class and graduate from their school. As a result of instruction by their employer or school, their personal information was shared with third-party internet services such as Facebook against their will. Thus, the government, companies, schools and any other entities which have constituent members must understand that, in this information society, new technologies usually entail security and privacy risks. They must also understand that those who will be exposed to such risks by the introduction of the new technologies are not the entities themselves but their constituent members. Therefore, even if a certain new technology is very convenient and seems to have a great positive impact on their business, such entities should carefully consider the privacy and security risks arising from the service and investigate whether the service provider takes appropriate protection measures.

 
Deleted:
<
<
What you have not done is explain what happened. Consumer class actions of this kind are profitable to the lawyers ho bring them. You could have compared this action to other consumer class actions in and out of the online services context. You could also have assessed the materiality of an $85 million payout in light of Zoom's revenue windfall during the pandemic. You might also have mentioned the criminal proceedings against Zoom employees, which put the nuisance lawsuits by consumer-rights counsel in another perspective.
 

Revision 3r3 - 29 Apr 2022 - 20:49:11 - RisakoSuzuki
Revision 2r2 - 02 Apr 2022 - 17:18:54 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM