As people work and socialize from home, video conferencing software Zoom has exploded in popularity. What the company and its privacy policy don’t make clear is that the iOS version of the Zoom app is sending some analytics data to Facebook, even if Zoom users don’t have a Facebook account, according to a Motherboard analysis of the app.
This sort of data transfer is not uncommon, especially for Facebook; plenty of apps use Facebook’s software development kits (SDK) as a means to implement features into their apps more easily, which also has the effect of sending information to Facebook. But Zoom users may not be aware it is happening, nor understand that when they use one product, they may be providing data to another service altogether.
Videos by VICE
“That’s shocking. There is nothing in the privacy policy that addresses that,” Pat Walshe, an activist from Privacy Matters who has analyzed Zoom’s privacy policy, said in a Twitter direct message.
Upon downloading and opening the app, Zoom connects to Facebook’s Graph API, according to Motherboard’s analysis of the app’s network activity. The Graph API is the main way developers get data in or out of Facebook.
Do you know anything else about data selling or trading? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
The Zoom app notifies Facebook when the user opens the app, details on the user’s device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user’s device which companies can use to target a user with advertisements
The data being sent is similar to that which activist group the Electronic Frontier Foundation (EFF) found the app for surveillance camera vendor Ring sent to Facebook.
Will Strafach, an iOS researcher and founder of privacy-focused iOS app Guardian confirmed Motherboard’s findings that the Zoom app sent data to Facebook.
“I think users can ultimately decide how they feel about Zoom and other apps sending beacons to Facebook, even if there is no direct evidence of sensitive data being shared in current versions,” he told Motherboard in a Twitter direct message.
“That’s shocking. There is nothing in the privacy policy that addresses that.”
Zoom is not forthcoming with the data collection or the transfer of it to Facebook. Zoom’s policy says the company may collect user’s “Facebook profile information (when you use Facebook to log-in to our Products or to create an account for our Products),” but doesn’t explicitly mention anything about sending data to Facebook on Zoom users who don’t have a Facebook account at all.
Facebook told Motherboard it requires developers to be transparent with users about the data their apps send to Facebook. Facebook’s terms say “If you use our pixels or SDKs, you further represent and warrant that you have provided robust and sufficiently prominent notice to users regarding the Customer Data collection, sharing and usage,” and specifically for apps, “that third parties, including Facebook, may collect or receive information from your app and other apps and use that information to provide measurement services and targeted ads.”
Zoom’s privacy policy says “our third-party service providers, and advertising partners (e.g., Google Ads and Google Analytics) automatically collect some information about you when you use our Products,” but does not link this sort of activity to Facebook specifically.
Several days after Motherboard reached out for comment and a day after the publication of this piece, Zoom confirmed the data collection in a statement to Motherboard.
“Zoom takes its users’ privacy extremely seriously. We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data,” the statement read, and described the data being collected as the same sorts of information that Motherboard identified.
“To address this, in the next few days, we will be removing the Facebook SDK and reconfiguring the feature so that users will still be able to login with Facebook via their browser. Users will need to update to the latest version of our application once it becomes available in order for these changes to take hold, and we encourage them to do so. We sincerely apologize for this oversight, and remain firmly committed to the protection of our users’ data,” the statement added.
Zoom has a number of other potential privacy issues too. As the EFF laid out, hosts of Zoom calls can see if participants have the Zoom window open or not, meaning they can monitor if people are likely paying attention. Administrators can also see the IP address, location data, and device information on each participant, the EFF added.
Update: This piece has been updated to include a statement from Zoom.
Subscribe to our cybersecurity podcast, CYBER.