Video-conferencing app Zoom contains some shocking privacy issues
Video-conferencing app Zoom is gaining popularity as almost the whole world is social-distancing or forced to work from home. The app is available for Android and iOS and is offered for free, providing options for video conferencing, webinars and online conferences. However, its privacy policies seem to have some issues.
Vice reported that a recent analysis of the app has brought to light the fact that the Zoom iOS app was sharing data with Facebook. The interesting part is that the app sent information to the tech giant even for people that didn’t have Facebook accounts.
Previously, when you opened the app, it connected to Facebook’s application programming interface, which is usually the main method used by Facebook’s developers to get data in and out of the platform. Additionally, on the backend, Zoom was using Facebook’s software development kits (SDKs).
Facebook requires apps that use its SDKs to make sure to provide notice to their users, informing them of Facebook’s Customer Data collection, which is mainly related to personalized ads. Zoom’s privacy policy mentions that its advertising partners (the policy gives as an example Google Ads and Google Analytics) automatically collect some data, however, Facebook is not specifically mentioned in regards to data collection.
Zoom’s CEO, Eric S. Yuan, apologized in a blog post about the concern raised by the aforementioned situation. He stated that Zoom users’ privacy is extremely important to the company and that they have therefore decided to remove Facebook’s SDK from the iOS app. Additionally, he said that the information, sent to Facebook, did not include names, notes, attendees or any meeting-related information, but data about devices’ OS and some technical specifications.
Now, a new report by Motherboard draws our attention back to Zoom’s security and privacy. This time, it’s Zoom’s Company Directory feature, which allows users to have access to contacts with the same custom domain name, for example in a company environment when users share a domain. However, the company failed to realise that some custom domain names are used for personal accounts and people ended up with a lot of unknown email addresses added to their contact list.
The information leak did not concern email addresses with common domains such as gmail.com, yahoo.com or outlook.com. However, some users with non-standard domains, such as for example, xs4all.nl, dds.nl, and quicknet.nl (these are Dutch ISP domains with email services), got pooled together with people they didn’t know and were able to see their full names, email addresses, profile pictures and status. On top of that, they were able to video-call them.
A Zoom spokesperson stated that the aforementioned Dutch ISP domains are now blacklisted and will no longer appear in the Company Directory feature. Additionally, users are able to submit a request for other custom domains to be removed from Zoom’s website.
Zoom’s iOS app sent data to Facebook until recently
Vice reported that a recent analysis of the app has brought to light the fact that the Zoom iOS app was sharing data with Facebook. The interesting part is that the app sent information to the tech giant even for people that didn’t have Facebook accounts.
Facebook requires apps that use its SDKs to make sure to provide notice to their users, informing them of Facebook’s Customer Data collection, which is mainly related to personalized ads. Zoom’s privacy policy mentions that its advertising partners (the policy gives as an example Google Ads and Google Analytics) automatically collect some data, however, Facebook is not specifically mentioned in regards to data collection.
A new update fixed that issue
Zoom’s CEO, Eric S. Yuan, apologized in a blog post about the concern raised by the aforementioned situation. He stated that Zoom users’ privacy is extremely important to the company and that they have therefore decided to remove Facebook’s SDK from the iOS app. Additionally, he said that the information, sent to Facebook, did not include names, notes, attendees or any meeting-related information, but data about devices’ OS and some technical specifications.
'Company Directory' feature exposed hundreds of personal email addresses
Now, a new report by Motherboard draws our attention back to Zoom’s security and privacy. This time, it’s Zoom’s Company Directory feature, which allows users to have access to contacts with the same custom domain name, for example in a company environment when users share a domain. However, the company failed to realise that some custom domain names are used for personal accounts and people ended up with a lot of unknown email addresses added to their contact list.
@zoom_us I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional? #GDPRpic.twitter.com/bw5xZIGtSE
— Jeroen J.V Lebon (@JJVLebon) March 23, 2020
Screenshot of the leak
Zoom maintains a blacklist of domains to be excluded from the Company Directory feature
A Zoom spokesperson stated that the aforementioned Dutch ISP domains are now blacklisted and will no longer appear in the Company Directory feature. Additionally, users are able to submit a request for other custom domains to be removed from Zoom’s website.
Things that are NOT allowed: