Zoom has removed a feature in its iOS web conferencing app that was sharing analytics data with Facebook, after a report revealing the practice sparked outrage.
According to the Motherboard report last week that originally disclosed the privacy issue, the transferred information included data on when a user opened the app, a user’s time zone, device OS, device model and carrier, screen size, processor cores and disk space. Zoom’s privacy policy did not clearly outline that it was transferring the data to Facebook.
In a Friday post, Zoom that it has now removed the “Login with Facebook” software development kit (SDK) for iOS, which was the feature tied to the data sharing: “Our customers’ privacy is incredibly important to us, and therefore we decided to remove the Facebook SDK in our iOS client, and have reconfigured the feature so that users will still be able to log in with Facebook via their browser,” according to Eric Yuan, founder of Zoom.
Zoom shied away from saying that they intended to share this information, instead stating: “We were made aware on Wednesday, March 25, 2020, that the Facebook SDK was collecting device information unnecessary for us to provide our services.”
The Facebook SDK for iOS is not an uncommon feature for apps; it allows Zoom users to more easily sign into the conferencing platform using their Facebook credentials. In the past, these types of SDKs have been misused to scrape data from mobile apps.
Part of the issue for privacy advocates was the lack of transparency in Zoom’s privacy policy regarding what data was being shared, and to whom. The web conferencing platform’s policy (which has been updated as of Sunday, March 29) initially stated: “Our third-party service providers, and advertising partners (e.g., Google Ads and Google Analytics) automatically collect some information about you when you use our Products,” without giving further information about data being shared with Facebook, according to Motherboard.
Chris Hazelton, director of security solutions at Lookout, told Threatpost that Lookout researchers analyzed Zoom’s most recent iOS version (4.6.9) as of Monday morning, and confirmed they are still communicating with Facebook APIs in the current iOS version of the Zoom app. However, that doesn’t indicate that the data-sharing feature hasn’t been killed, Hazelton said, “only that the app is still communicating with Facebook.”
“Zoom did update their app with version 4.6.9, which was updated to three days ago for ‘Improvements to Facebook Login,'” Hazelton told Threatpost. “The app communicates with IPs in the US, China, India, and Germany. This is to leverage APIs from Alibaba, Box, Dropbox, Facebook, Google, Microsoft, Ringcentral, WeChat and QQ.”
In Zoom’s Friday update, Yuan stressed that information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names or notes. The full list of data that was being is as follows:
Yuan said that users need to update to the latest version of Zoom’s application, which has removed the Facebook data transfer. “We sincerely apologize for the concern this has caused, and remain firmly committed to the protection of our users’ privacy,” he said. “We are reviewing our process and protocols for implementing these features in the future to ensure this does not happen again.”
Terence Jackson, chief information security officer at Thycotic, told Threatpost that app users have to be diligent when using “log in” features.
“Zoom’s privacy policy stated that the company might collect a user’s Facebook profile information when Facebook is used to log-in, however, it didn’t mention sending data to Facebook,” he said. “This should also be a reminder for users to at least skim the privacy policy to look for how your data will be used, stored, and transmitted before signing up.”
With more employees working from home over the past few weeks due to the coronavirus pandemic, Zoom has surged in popularity. However, concerns around privacy and security of the web conferencing system have also grown.
The Electronic Frontier Foundation (EFF), for instance, recently warned of various potential privacy-invading Zoom features. For instance, the host of Zoom calls have the ability to monitor activities of attendees while screen sharing. Zoom administrators also can see detailed views on how, when and where users are using Zoom.
Last week, officials at Zoom released tips for users of their video-conferencing platform to help avoid getting “Zoom-bombed” by trolls and even more serious threat actors during online meetings.
Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.
