The ongoing coronavirus pandemic has forced people to work from home and rely on collaboration and video conferencing apps like Zoom and Microsoft Teams. While the major players are experiencing a boom, it looks like they have been playing fast and loose with privacy.
A research conducted by Motherboard has revealed that Zoom’s iOS app is sharing analytics data with Facebook even when the user doesn’t have a Facebook account. According to Motherboard, the data collected includes the time the app is launched, device and location information, and phone carrier. The analytical data collected can be used to create targeted ads.
I think users can ultimately decide how they feel about Zoom and other apps sending beacons to Facebook, even if there is no direct evidence of sensitive data being shared in current versions.
– Will Strafach, iOS researcher and founder of privacy-focused app Guardian
The reason Zoom has been able to do this efficiently is because it uses Facebook’s own Developer SDK. This means that every time the app is launched, it makes a connection with Facebook’s Graph API which can be used for data collection. Zoom’s policy notes that the app will be collecting data but it doesn’t explicitly mention that the data is shared with Facebook even if a person doesn’t have a Facebook account. Zoom’s policy says the company may collect user’s “Facebook profile information (when you use Facebook to log-in to our Products or to create an account for our Products).”
Facebook told Motherboard that if companies are using their SDKs then they need to be transparent about the data collection and privacy. Facebook’s terms say “If you use our pixels or SDKs, you further represent and warrant that you have provided robust and sufficiently prominent notice to users regarding the Customer Data collection, sharing and usage,” and specifically for apps, “that third parties, including Facebook, may collect or receive information from your app and other apps and use that information to provide measurement services and targeted ads.”
Unfortunately, this is not the first time that the company has been caught with its pants down. Back in 2019, a researcher uncovered a bug that allowed hackers to take control of webcams without the knowledge of the user. Earlier EFF pointed out how hosts can monitor the participants and know if a window the Zoom window is in focus or not and if users record the video call, then Zoom administrators are able to “access the contents of that recorded call, including video, audio, transcript, and chat files, as well as access to sharing, analytics, and cloud management privileges”.