Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account

Zoom's privacy policy isn't explicit about the data transfer to Facebook at all.

by Joseph Cox
27 March 2020, 3:12am

Image: Rafael Henrique/SOPA Images/LightRocket via Getty Images

As people work and socialize from home, video conferencing software Zoom has exploded in popularity. What the company and its privacy policy don't make clear is that the iOS version of the Zoom app is sending some analytics data to Facebook, even if Zoom users don't have a Facebook account, according to a Motherboard analysis of the app.

This sort of data transfer is not uncommon, especially for Facebook; plenty of apps use Facebook's software development kits (SDKs) to implement features more easily, which also has the effect of sending information to Facebook. But Zoom users may not be aware it is happening, nor understand that when they use one product, they may be providing data to another service altogether.

"That's shocking. There is nothing in the privacy policy that addresses that," Pat Walshe, an activist from Privacy Matters who has analyzed Zoom's privacy policy, said in a Twitter direct message.

Upon downloading and opening the app, Zoom connects to Facebook's Graph API, according to Motherboard's analysis of the app's network activity. The Graph API is the main way developers get data in or out of Facebook.

The Zoom app notifies Facebook when the user opens the app, and sends details on the user's device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user's device, which companies can use to target a user with advertisements.

The data being sent is similar to that which activist group the Electronic Frontier Foundation (EFF) found the app for surveillance camera vendor Ring sent to Facebook.

Will Strafach, an iOS researcher and founder of privacy-focused iOS app Guardian, confirmed Motherboard's findings that the Zoom app sent data to Facebook.

"I think users can ultimately decide how they feel about Zoom and other apps sending beacons to Facebook, even if there is no direct evidence of sensitive data being shared in current versions," he told Motherboard in a Twitter direct message.

Zoom is not forthcoming about the data collection or the transfer of it to Facebook. Zoom's policy says the company may collect a user's "Facebook profile information (when you use Facebook to log-in to our Products or to create an account for our Products)," but doesn't explicitly mention anything about sending Facebook data on Zoom users who don't have a Facebook account at all.

Facebook told Motherboard it requires developers to be transparent with users about the data their apps send to Facebook. Facebook's terms say "If you use our pixels or SDKs, you further represent and warrant that you have provided robust and sufficiently prominent notice to users regarding the Customer Data collection, sharing and usage," and specifically for apps, "that third parties, including Facebook, may collect or receive information from your app and other apps and use that information to provide measurement services and targeted ads."

Zoom's privacy policy says "our third-party service providers, and advertising partners (e.g., Google Ads and Google Analytics) automatically collect some information about you when you use our Products," but does not link this sort of activity to Facebook specifically.

Zoom did not respond to a request for comment.

Zoom has a number of other potential privacy issues too. As the EFF laid out, hosts of Zoom calls can see if participants have the Zoom window open or not, meaning they can monitor if people are likely paying attention. Administrators can also see the IP address, location data, and device information on each participant, the EFF added.

This article originally appeared on VICE US.
