Zoom is being sued for sharing data with Facebook without explicit consent

On Monday, Robert Cullen of Sacramento filed a suit against Zoom for alleged contravention of California's new data privacy laws.

Members of the city commission to prevent the spread of coronavirus disease (COVID-19) vote during a meeting via Zoom video link in Lviv, Ukraine March 26, 2020. (photo credit: REUTERS/ROMAN BALUK)
The videoconferencing app Zoom is being sued by a user after it was disclosed that the application sends user information to Facebook, even if the user doesn't have an account with the social media giant.
On Monday, Robert Cullen of Sacramento filed a suit against Zoom for alleged contravention of California's new data privacy laws, by not adequately obtaining informed consent from users regarding the data transfer, Vice.com has reported.
Zoom has enjoyed a massive surge in popularity as countries around the world go into lockdown over coronavirus, allowing businesses and friends to connect digitally from their homes. But upon downloading and opening the app, Zoom sends data to Facebook's Graph API, according to an analysis of the app's network activity by Motherboard.
The app then sends data to Facebook regarding the user, including notifying the company when the app is opened; details of what device the user is using to access the app, including city, time zone and model; which phone carrier they use; and a unique advertiser identifier, which can be used by companies to target advertising.
Will Strafach, founder of the privacy-focused app Guardian, confirmed Motherboard's findings that Zoom was sending data to Facebook.
"I think users can ultimately decide how they feel about Zoom and other apps sending beacons to Facebook, even if there is no direct evidence of sensitive data being shared in current versions," he told Motherboard in a Twitter direct message.
However, it appears that Zoom's privacy policy did not go far enough in advising users that this data transfer was taking place. Although the policy tells users that Zoom may collect the user's "Facebook profile information," it doesn't mention that it may also send data to Facebook, even for users who don't have a Facebook account. Rather, it states: "Our third-party service providers, and advertising partners (e.g., Google Ads and Google Analytics) automatically collect some information about you when you use our Products," but doesn't mention Facebook specifically.
"That's shocking. There is nothing in the privacy policy that addresses that," Pat Walshe, from Privacy Matters, told Vice, following analysis of Zoom's privacy policy.
According to the text of the lawsuit, the plaintiffs are claiming that Zoom "knew or should have known that the Zoom App security practices were inadequate to safeguard the Class members’ personal information and that the risk of unauthorized disclosure to at least Facebook was highly likely."
It continues: "Defendant [Zoom] failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information of Plaintiff and the Class members."
The case is Cullen v. Zoom Video Communications, No. 20-cv-02155, filed with the US District Court for the Northern District of California (San Jose).
In a statement released last week, the company said: "Zoom takes its users’ privacy extremely seriously. We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data.
"To address this, in the next few days, we will be removing the Facebook SDK and reconfiguring the feature so that users will still be able to login with Facebook via their browser. Users will need to update to the latest version of our application once it becomes available in order for these changes to take hold, and we encourage them to do so. We sincerely apologize for this oversight, and remain firmly committed to the protection of our users’ data," the statement added.
Zoom subsequently pushed an update to users that removed the code that sent the data. However, it was up to the users to download the update, meaning that data would still be sent from users who missed it.
"Zoom appears to have taken no action to block any of the prior versions of the Zoom App from operating. Thus, unless users affirmatively update their Zoom App, they likely will continue to unknowingly send unauthorized personal information to Facebook, and perhaps other third parties. Zoom could have forced all iOS users to update to the new Zoom App to continue using Zoom but appears to have chosen not to," the lawsuit reads.