Security Experts:

Zoom Updates Privacy Policy After Experts Raise Concerns

Remote conferencing services provider Zoom Video Communications (NASDAQ: ZM) this week updated its privacy policy following the publishing of a series of reports raising concerns regarding the privacy of Zoom users.

Headquartered in San Jose, California, Zoom provides users with a platform that combines video and audio conferencing, online meetings, chat, screen sharing, and more.

With the current COVID-19 pandemic forcing many to work from home and start using services such as Zoom for collaboration purposes, investigative journalists and web veterans decided to have a look at how well the platform protects users’ privacy, and the findings were by no means encouraging.

Earlier this month, articles on Mashable, EFF, Forbes, and Consumer Reports, among others, heavily criticized Zoom for not ensuring that users’ privacy is well protected, which encouraged web veteran Doc Searls to have a look into the matter as well.

Zoom “collects personal information about its users and doesn't provide a lot of detail about how it's used for advertising, marketing, or other business purposes,” investigative journalist Allen St. John noted in an article on Consumer Reports last week.Zoom raises privacy concerns

St. John also underlined that Zoom hosts can gather a great amount of information on participants without them being aware, that the host can record the conference, transcribe it automatically, and share information with third-parties.

EFF too pointed out that Zoom hosts could monitor attendees’ activity while screen-sharing, could see whether a participant has the Zoom window in focus or not, and that administrators can view “how, when, and where users are using Zoom,” and can access the contents of recorded calls, including “video, audio, transcript, and chat files.”

One other recently surfaced issue related to Zoom video calls was that any participant could share their screen without the host granting screen share access — the feature can be disabled in pre-meeting settings — which led to situations where attendees were assaulted with violent or pornographic videos.

Last week, news also got out that Zoom’s iOS application was sharing analytical data with Facebook, even for those users who did not have a Facebook account. The company was quick to remove the code from its application.

“Zoom’s privacy policy stated that the company might collect a user's Facebook profile information when Facebook is used to log-in, however, it didn’t mention sending data to Facebook,” Terence Jackson, CISO at Thycotic, told SecurityWeek.

Chris Hazelton, director of security solutions at Lookout, revealed to SecurityWeek that even the updated version of Zoom’s iOS app continued to communicate with Facebook APIs.

“Zoom did update their app with version 4.6.9, which was updated to three days ago for ‘Improvements to Facebook Login’. The app communicates with IPs in the US, China, India, and Germany. This is to leverage APIs from Alibaba, Box, Dropbox, Facebook, Google, Microsoft, RingCentral, WeChat and QQ,” Hazelton said.

In a series of blog posts last week, Doc Searls took a dive into Zoom’s privacy policy to better understand how the company leverages the personal data it harvests from its users and whether it makes money from selling that data.

“A person whose personal data is being shed on Zoom doesn’t know that’s happening because Zoom doesn’t tell them. There’s no red light, like the one you see when a session is being recorded. […] in the Zoom app, you can’t tell if or how your personal data is being harvested,” Searls noted on March 24.

In a post on March 28, he also pointed out that the company wasn’t making it easy for users to completely opt-out of the data collection practice. Looking at the cookies present on Zoom’s website, Searls discovered that there were 16 CCPA opt-out “required cookies,” along with 70 “functional” and “advertising” cookies.

The issue, he notes, is that any of those up to 70 third parties could gather and share data about Zoom users, and target them with “interest based” advertising. And even Zoom’s attempt to shed some light into the matter did not provide enough ease of mind.

“The Zoom services do not contain advertising cookies. No data regarding user activity on the Zoom platform – including video, audio and chat content – is ever used for advertising purposes. If you do not want to receive targeted ads about Zoom, simply click the “Cookie Preferences” link at the bottom of any page on the zoom.us site and adjust the slider to ‘Required Cookies’,” a Zoom partner company told Searls.

On Sunday, however, Zoom updated its privacy policy to tell users that they should not be concerned about their privacy when using Zoom’s services, but also to note that its home pages, zoom.us and zoom.com, are “marketing websites.”

“We obtain data when you use Zoom in order to deliver our services and provide a better experience to you. The categories of data we obtain when you use Zoom include data you provide to us as well as data that our system collects from you,” Zoom’s privacy policy reads.

The company says it does not sell any user data to marketing companies or advertisers, and that access to user data is provided to third-parties only if the user provides consent.

“We do not use data we obtain from your use of our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You have control over your own cookie settings when visiting our marketing websites,” Aparna Bawa, chief legal officer at Zoom, explains.

Bawa also notes that the company does not sell users’ personal data, that it does not monitor meetings, that it records meetings only when asked by hosts, that it collects only data required to provide Zoom services, and that it is focused on protecting the privacy of K-12 users.

On Monday, The New York Times reported that Zoom is under scrutiny by New York’s attorney general, Letitia James. In a letter sent to the company on Monday, the AG requested details on the security measures put in place to meet increased demand for Zoom services and to ensure the security of users.

Related: Vulnerability Allowed Attackers to Join Zoom Meetings

Related: Vulnerability Gives Attackers Remote Access to Zoom Users’ Cameras

view counter