Zoom privacy: Vendor faces lawsuits over Facebook data-sharing

Two Zoom users are accusing the video conferencing company of sharing data with Facebook without permission. Zoom's privacy practices have come under increased scrutiny in recent weeks.

Two Zoom subscribers have sued the video conferencing company in separate class-action lawsuits, accusing it of sharing user data with Facebook without permission.

The federal lawsuits, filed Monday and Tuesday, allege Zoom failed to properly disclose that its iOS app was transmitting information about users' devices to the social media giant.

Zoom released a new version of its client for Apple mobile devices on Friday to remove the connection to Facebook. However, users must install the update themselves. Before the fix, the app informed Facebook about each user's IP address, advertising ID, mobile carrier, device model, iOS version, time zone and language settings, among other data, according to the lawsuit.

Zoom said it was unaware Facebook was collecting those metrics before an investigation by the news outlet Vice brought the issue to light last week. The video conferencing company apologized to customers and said it was reviewing its protocols to avoid similar missteps in the future.

Zoom's privacy and security practices have come under increased scrutiny in recent weeks. Many new customers have begun using the video conferencing product amid the coronavirus pandemic, including universities and K-12 school systems.

The New York attorney general's office recently asked Zoom in a letter whether it had implemented any new security practices in response to the surge in traffic. The office also wanted to know how Zoom prevented hacking, The New York Times reported Tuesday.

In a statement, Zoom said it took "users' privacy, security, and trust extremely seriously" and would be happy to provide the attorney general's office with the requested information.

The letter comes amid reports that uninvited guests have been joining and disrupting Zoom meetings, a practice dubbed "Zoombombing."

The vendor has so far responded to the phenomenon by reminding users not to publicly share their meeting room codes, which are permanent. Zoom also told users they could activate optional controls, including one that lets meeting hosts approve attendees before they join.

Meanwhile, Zoom on Sunday updated its privacy policy to be more transparent about what customer data it collects and how it uses that information. In a blog post announcing the changes, Zoom emphasized that it neither sells user data nor monitors the content of meetings held on its platform.

Zoom faces potential class-action lawsuit

Robert Cullen of Sacramento, Calif., and Samuel Taylor of Florida are the plaintiffs in the two lawsuits. Both have asked the court to let them bring a class action against Zoom, so that other users whose data was shared with Facebook could benefit from any settlement. The suits accuse Zoom of violating the California Consumer Privacy Act (CCPA) and other state laws. Cullen and Taylor both filed in the federal district court for Northern California under a national law governing class actions.

Zoom's legal troubles started after it used an iOS software development kit (SDK) from Facebook to let users log in to Zoom using their Facebook account. The mobile app shared device information with Facebook even if users did not have a Facebook account, Vice reported.

Facebook's terms of use for the SDK require partners to disclose that the social media company may collect user data for "measurement services and targeted ads."

As of March 11, Zoom's privacy policy did not explicitly mention sharing data with Facebook in particular, according to a copy available through the Internet Archive's Wayback Machine. The document said Zoom and its partners, including advertisers, "collect some information about you when you use our products."

Facebook's SDKs have raised privacy concerns in the past. In February 2019, for example, The Wall Street Journal reported that some apps were sharing intimate details about their users with Facebook through an analytics tool within the SDK.

It's common for mobile SDKs to collect data on users' devices, said Alan Pelz-Sharpe, founder of research and advisory firm Deep Analysis. Such practices have become so ubiquitous that some privacy advocates are now more focused on limiting what companies can do with data than on preventing its collection.

"This isn't just Zoom. This is pretty much everybody," Pelz-Sharpe said. "This is a really awkward topic that tech doesn't want to talk about."

Zoom has faced criticism in the past

The lawsuits are not the first time Zoom has come under fire for perceived security and privacy lapses.

In July 2019, Apple removed a web server that Zoom had installed on Mac computers. A security researcher discovered that if a Mac user clicked on a malicious link, a hacker could exploit the server to connect the user to Zoom's service, potentially with the computer's video camera turned on.

Zoom designed the server as a workaround to a security feature in the Safari web browser that made users click an extra button to launch Zoom before every meeting.

In November 2019, Zoom's largest rival, Cisco, criticized its competitor for a flaw that exposed to the public internet certain online portals used by Zoom customers to manage third-party video hardware. Zoom responded to Cisco's complaints by password-protecting the portals.

Cisco and other competitors have attempted to draw contrasts with Zoom over security, said Irwin Lazar, analyst at Nemertes Research.

"Zoom having another security-related issue gives more ammo to alternative providers," he said.
