Zoom Privacy Policy is a Risk

Updated 4/01/20

Updates:

  • 4/01/20: MIT Tech Review summarizes the security issues with Zoom, including information about a Class Action Lawsuit.
  • 3/31/20: Vice.com reports that Zoom is leaking personal emails and photos to strangers.
  • 3/31/20: The Intercept reports that Zoom is not using End to End Encryption as claimed in their marketing materials and user interface. 
  • 3/31/20: New York Times reports that Zoom, the videoconferencing app whose traffic has surged, is under scrutiny by the New York attorney general’s office for its data privacy and security practices.
  • 3/30/20: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic

On March 18, 2020, the Zoom.us posted changes to its privacy policy that impact all users, even those without accounts attending meetings as guests.  This change follows a dramatic increase in Zoom users (and stock price), as Zoom has been offering its services for free to many businesses and schools.

Under this version of the Zoom’s privacy policy, Zoom is collecting more information, in our assessment, than is necessary to provide users with the service. Zoom also acknowledges providing this information to third parties. The information Zoom is collecting includes, but is not limited to:

  • Name, physical address, and other similar personally identifying information
  • Information about your job, such as your title and employer
  • Your Facebook profile information (when you use Facebook to log-in to Zoom or to create a Zoom)
  • General information about your product and service preferences (including software installed and/or in use on your computer)
  • Information about your device

Per Zoom’s policy, downloading and using the Zoom app provides Zoom with consent to share any personal information they collect with third parties.

In reference to the use of third party services, the policy states

“We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services).”

In other words, Zoom may use the personal information of any person using their services to market to that person across their use of the Internet.

Additionally, we do not see any effort by Zoom to determine the age of individuals using the service, so they are likely collecting and using the personal information of children.

Vice.com is reporting that Zoom’s iOS app sends data to Facebook even if you do not have a Facebook account.

Impact

Our current assessment of the impact is as follows:

  • Data collection is based on the way each meeting participant enters the meeting.  Even if the organizer is on a paid and secure business or education edition, meeting attendees using the free client or entering as a guest are subject to dating mining and sharing.
  • For businesses and schools, some of the data Zoom collects and shares is prohibited under the Children’s Online Privacy Protection Act (COPPA).
  • For schools and libraries, not using the K12 version of Zoom for faculty and students may result in violations of the Children’s Internet Protection Act (CIPA)
  • Zoom does provide a means for users to instruct Zoom to “Do not Sell” their personal information. This help with California Consumer Privacy Act (“CCPA”) and  EU’s General Data Protection Regulation (“GDPR”) compliance.  It may not be practical to advise all meeting attendees of this option.

In short, Zoom’s privacy policy may conflict with your business’ privacy policy and how you manage and respect your customers and their data. The policy may also create regulatory and legal issues.

Recommendations

If you organization uses G Suite or Microsoft Office 365, you already have the ability to securely conduct audio and video conferencing with services that do not mine and share attendee data.

  • G Suite
    • Hangouts Meet (the new service) is secure and HIPAA compliant.  Individuals outside your organization can join via shared URL, without providing personal information. Through June 2020, Google has enabled all G Suite users to conduct meetings with up to 250 participants and provided organizers with the ability to record meetings. Participants can mute their own audio/video and can present to the meeting. Meeting include dial-in numbers and pins to allow access from phones.
    • Participants can join via web browser or use the free iOS and Adroid Apps.
    • Traditional Hangouts and Chat, while not HIPAA compliant, are still secure and work within organizations and with guests.
  • Office 365
    • Teams (and formerly Skype for Business) is a secure video/audio conferencing service with screen sharing, waiting rooms, and other helpful features.  As with all of Office 365, Teams can be deployed to meet HIPAA compliance. Teams does not collect and share personal information.
    • Teams, by default is device-to-device conferencing.  You can add the ability for individuals to connect by phone for a small monthly fee for each meeting organizer that needs this function.
    • Participants can join via web browser, or use the free apps for Windows, Mac, iOS, and Android.

Before adding another service or tool for audio/video conferencing, take full advantage of the services you have. Contact us if you need help with user training and support.

If you are not using G Suite or Office 365, several communications and conferencing services are offering secure, free access for up to 90 days.  These include, but are not limited to, Dialpad, UberConference, Ring Central, and Cisco WebEx. Please contact us for help selecting and deploying the right service for you and your teams.

 

7 replies
  1. Jane Mitchinson
    Jane Mitchinson says:

    I’m very concerned about the privacy of our students, but I’m a little confused about this post and would like more information on how to protect student privacy rather than being told, “run away! Don’t use it!”.

    It’s my understanding that students do not create an account in Zoom. The teacher/instructor creates only their own account so whatever data mining is done of the participants joining through a link would be anonymized. The privacy concern over profile information is more of a teacher privacy concern. They should be instructed not to use a Facebook login or share details about their job.

    Please clarify if I’m missing anything. I really am concerned about privacy, but I sometimes wonder if there’s an educational piece missing around proper use that we need to consider instead of just screaming “run away, run away!”

    The school board I work for uses Google Meet which is a fantastic tool. I believe Google is actually one of your partners as indicated on your About page.

    Reply
    • Allen Falcon
      Allen Falcon says:

      This privacy risk is dependent on how each individual user accesses the meeting. If the students log into Zoom using an identity provided by the school, which has purchased the K-12 / Education edition, then students are protected. If the students connect to the meeting using a free login or an account not tied to the school, then their data is open to mining. Even for schools and students, privacy comes as a price. If you have not paid for the student account, it is not private.

      So, our advice is to use other solutions if you can. Schools running G Suite for Education or MS Office 365 have tools like Hangouts Meet and Teams, respectively, built in that offer video meetings with screen sharing and chat features.

      We have updated the blog post with a link to a NY Times story indicating that the New York Attorney General has opened an investigation. There is also a related FBI warning with respect to keeping unwanted guests out of Zoom meetings.

      It really bothers me that Zoom changed their privacy policy and practices AFTER a major marketing effort offering the service for “free”. Relatively few people read privacy policies; even fewer track changes.

      Yes, we are a Google partner. G Suite for Education is a free service for K-12 and Higher Education.

      Thanks for your feedback!
      Allen Falcon, CEO

      Reply
  2. Jane Mitchinson
    Jane Mitchinson says:

    Thanks Allen. I appreciate yor response. So, no risk to students not using an account as there are not identifiers and they are just joining a stream. But if a teacher creates an account, they shouldn’t use the Facebook login as they are essentially agreeing to 3rd party data mining. I believe Zoom asks for information on their jobs as well. They should just leave that blank.

    Reply
    • Allen Falcon
      Allen Falcon says:

      Jane,

      We have updated the post. The only time data is NOT mined is when all participants are using a paid login account under the K-12 license. Any other access to the service — personal, free, or paid — is subject to mining. When students click on a shared link, a free client is running. Data is being mined (name, email address, location, software running on the computer, … ). Schools should be using Hangouts Meet or Teams, as available in their G Suite or Office 365 accounts, or should be using a paid, secure platform.

      For personal use, we see Google Duo as a viable alternative. The privacy policy does not allow sharing of personal information. This mirrors Google’s policies for YouTube and other services.

      — Allen

      Reply

Trackbacks & Pingbacks

  1. […] Zoom Privacy Policy is a Risk (Cumulus Global, March 24) […]

  2. […] Zoom Privacy Policy is a Risk (Cumulus Global, March 24) […]

  3. […] Zoom Privacy Policy is a Risk (Cumulus Global, March 24) […]

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.