Zoom changes privacy policy following online uproar

How to join a zoom meeting
(Image credit: Zoom)

Zoom, suddenly very popular as millions of Americans work and take classes from home during the coronavirus pandemic lockdown, may be collecting personal data about you from its videoconferencing sessions to share with advertisers. That's according to privacy advocates paying close attention to Zoom's legal language.

Before you look up how to delete Zoom or try one of several Zoom alternatives, know that Zoom must be reading the bad press. On March 29, it rewrote its privacy policy to strip out any incriminating-sounding passages and added a preface to say that "we do not sell your personal data."

In a related development, Zoom scaled back the amount of personal data its iOS app sent to Facebook as part of its "Log in with Facebook" feature, which Vice flagged in a story last week.

Zoom is "creepily chummy with the tracking-based advertising biz," warned David "Doc" Searls, a prominent technology writer, in a series of blog posts over this past weekend. "Zoom is in the advertising business, and in the worst end of it: the one that lives off harvested personal data."

We'd cite some of the passages from the Zoom privacy policy about sharing personal information with marketers that Searls used to illustrate his concerns, but Zoom deleted them all yesterday.

"Zoom doesn't need to be in the advertising business, least of all in the part of it that lives like a vampire off the blood of human data," Searls wrote. "If Zoom needs more money, it should charge more for its services, or give less away for free." 

Likewise, Consumer Reports said in its own warning about Zoom, "Zoom Calls Aren't as Private as You May Think", posted last week: "Zoom collects personal information about its users and doesn't provide a lot of detail about how it's used for advertising, marketing, or other business purposes."

Zoom Chief Legal Officer Aparna Bawa countered the allegations in the foreword to the Zoom privacy policy that was added yesterday. Addressing users directly, she stated that, "Whether you are a business or a school or an individual user, we do not sell your data."

"Zoom collects only the user data that is required to provide you Zoom services," Bawa wrote. "For example, we collect information such as a user’s IP address and OS and device details to deliver the best possible Zoom experience to you regardless of how and from where you join."

Smile, you're being recorded online

One of Searls' and Consumer Reports' chief concerns was that people hosting a Zoom conference can record the session for playback later. 

That's not an especially unusual feature, as it would be helpful to anyone who missed a meeting or needed to review what was said, but Consumer Reports argues that the red light that pops up on the user's screen during recording is small and easy to miss. 

"For people using Zoom for telemedicine or to access mental health services, or for sharing any information that they don't want disclosed to others, knowing that a recording is being made and how that recording is being stored is important information." Consumer Reports privacy researcher Bill Fitzgerald said.

In the preface to the Zoom privacy policy, Bawa wrote: "We alert participants via both audio and video when they join meetings if the host is recording a meeting, and participants have the option to leave the meeting."

iOS updated to strip out device details

On Friday (March 27), Zoom updated its iOS app following a Vice story that analyzed the app and found that it sent an iPhone's model, carrier, time zone, city and advertising ID to Facebook.

"Plenty of apps use Facebook's software development kits (SDK) as a means to implement features into their apps more easily, which also has the effect of sending information to Facebook," Vice's Joseph Cox wrote March 26. "But Zoom users may not be aware it is happening, nor understand that when they use one product, they may be providing data to another service altogether."

Zoom itself was unaware that the Facebook SDK "was collecting device information unnecessary for us to provide our services," Zoom founder and CEO Eric S. Yuan wrote in a blog post.

"We decided to remove the Facebook SDK [software development kit] in our iOS client and have reconfigured the feature so that users will still be able to log in with Facebook via their browser," Yuan wrote.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.