Last update: May 2021

3 mins to read - 2020/03/30

Zoom Privacy Concerns Lead to Removal of iOS Facebook SDK

Over the past three weeks, our work and social lives have changed drastically. As countries try to clamp down on the spread of COVID-19, remote work and social distancing are the law of the land. Not surprisingly, this has resulted in a boom for mobile apps as we adapt to our new lockdown lifestyles. Zoom in particular has become a household name, with the popular video conferencing app suddenly indispensable for face-to-face communication. However, a recent Motherboard analysis of Zoom’s app raised privacy concerns. Ultimately, Zoom removed the particular code that was sending unessential user data en masse to Facebook. What was the full story there?

What Was Zoom’s Privacy Concern With Facebook?

In light of the recent boom in popularity of Zoom, the tech publication Motherboard performed an analysis of the app. Zoom’s privacy policy, however, was somewhat vague when it came to user data. In fact, Motherboard discovered that the iOS version of the Zoom app was sending non-essential user data to Facebook. “Non-essential” here means user data that isn’t necessary for the function of the app. This included:

  • device model
  • timezone
  • city
  • phone carrier

The iOS Zoom app also sent to Facebook an identifier unique to each device, which companies could use to target advertisements to that user. The Zoom app provided users an option to log in using their Facebook profile, for streamlined use and ease of integration. However, users without Facebook profiles still had their data sent to the social media giant. Users were not aware that Zoom was sending this information to Facebook. Nor did Zoom’s privacy policy clearly state that fact.

How Did Zoom Respond to This Information?

When Zoom were alerted to this data breach – to a company that has made headlines in the past for dodgy dealings with user data – they responded with a statement to Motherboard:

“We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data…

To address this, in the next few days, we will be removing the Facebook SDK and reconfiguring the feature so that users will still be able to login with Facebook via their browser. Users will need to update to the latest version of our application once it becomes available in order for these changes to take hold.”

To Zoom’s credit, they responded immediately and removed the offending line of code for iOS. They also apologized to their users for the oversight. And they issued a statement on their blog publicly thanking Motherboard writer Joseph Cox for bringing it to their attention. Furthermore, Motherboard have tested Zoom’s updated iOS app and confirmed that it does not share user data with Facebook.

Zoom and Data Privacy

Now that their Facebook SDK issue has been rectified, how reliable is Zoom when it comes to data privacy? In fact, they have come under fire for security breaches before. In July 2019, one security researcher analyzed Zoom’s software and found that when used on Mac computers, users’ webcams could be turned on by the host of a conference. The user could then be remotely launched into a conference call without their consent. Zoom has since then addressed this issue, but at the time it rendered users vulnerable to hackers and phishing campaigns.

However, Zoom still employs techniques that may make a data privacy aficionado queasy. Many of Zoom’s features appeal to micromanaging bosses. Zoom version 4.0 offers the ability for the host to track whether attendees are paying attention to the conference. If a Zoom window is inactive for 30 seconds, that user’s name gets flagged to the administrator. Good news, presumably, for employee productivity. Bad news for individual privacy as well as morale.

Administrators can also track user activity in real-time and rank users in terms of minutes’ worth of meetings attended. And if a user records their Zoom call, the administrator can then access those records. Administrators can also see users’ OS, IP address, location data, and information of the device used to access Zoom. Administrators also have the ability to enter any call under their account at any time, user consent notwithstanding.

OpenBack and Data Privacy

Either way, if you are working remotely, it’s likely you have access to Zoom or a similar teleconferencing app. While any app requires sacrificing some privacy for convenience, it’s best to know what you’re signing up to and where your data is being sent.

With OpenBack, all data is leveraged directly on the user’s device by default. With no need to remove data for processing, OpenBack is GDPR, HIPAA, and COPPA compliant. OpenBack commits itself to transparency and regulation compliance with regards to its treatment of data. Clients can request a copy of their personal data collected, or for that data to be deleted at any time.

For more information about OpenBack’s game-changing approach to its users’ data security, get in touch with one of our experts!
