Zoom, a video-conferencing app that recently shot to fame and garnered massive usage during the ongoing health crisis, was secretly sending user data to Facebook. The concerning discovery was made after the Zoom iOS app was analyzed. A redundant SDK was apparently still active inside the app and was sending a large amount of data to Facebook.
Zoom has issued an emergency update for its iOS app after it was discovered that the platform was sending data about users to Facebook. Shockingly, the data was sent regardless of whether users had a Facebook account. It is not immediately clear whether Zoom had sought and received explicit permission from its users before sending data to Facebook, but it appears that the platform might have secured a broad and comprehensive ‘Terms and Conditions’ agreement that included the provision.
Popular Video-Conferencing Platform Zoom Issues Update To Remove Code Sending Data To Facebook:
Zoom shot to popularity after several countries issued lock-down orders for their citizens mandating work-from-home. Among other remote productivity and collaboration platforms, Zoom, a lesser-known service, rose in popularity as usage increased exponentially. Zoom’s iOS and Android apps have been widely appreciated for their speed, clarity and other features.
Despite these advantages, the app is a concern because it was apparently sending user data and information to Facebook. According to an analysis conducted by Motherboard, the Zoom iOS app was sending information such as when a user opened the app, their time zone, city, and device details to the social network giant. When news of the potential user privacy issue surfaced, Zoom was quick to issue a statement that read:
“Zoom takes its users’ privacy extremely seriously. We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data.”
New: Zoom pushes an update after we found the iOS app sending data to Facebook. They've now removed the code that was sending the data https://t.co/enXXVwpdQo
— Joseph Cox (@josephfcox) March 27, 2020
An SDK, or Software Development Kit, is a collection of precompiled code that developers often use to help implement certain features in their own apps. Using an SDK can also have the effect of sending certain data off to third parties. Facebook’s ‘Like’ button and ‘Comments’ section on third-party websites are good examples of such code that sends information back to Facebook.
What User Data Was Zoom Sending To Facebook?
It is clear that a redundant SDK was sending user data to Facebook. However, the data was being anonymized, Zoom noted in its statement, which read:
“The data collected by the Facebook SDK did not include any personal user information, but rather included data about users’ devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.”
Whether you have Zoom account OR NOT… We may gather the following categories of Personal Data about you:
– Name, address, email, phone, etc
– Job, title, employer
– Credit card
– Facebook profile (when you use Facebook login) https://t.co/Wq0ECsLRGK https://t.co/YdTCNneO7F
— Max, the Cookie Monster (@pccookiemonster) March 28, 2020
After the news about the Facebook data collection spread, Zoom quickly issued an update to the iOS app. Independent analysis of the app has confirmed that there’s no code that triggers data transmission to Facebook upon opening the app. Zoom noted the same in its statement:
“We will be removing the Facebook SDK and reconfiguring the feature so that users will still be able to login with Facebook via their browser. Users will need to update to the latest version of our application once it becomes available in order for these changes to take hold, and we encourage them to do so. We sincerely apologize for this oversight, and remain firmly committed to the protection of our users’ data.”
The statement clearly implies that Zoom isn’t concerned about any legal repercussions and is confidently terming the incident an ‘oversight’. However, this incident proves that Facebook’s reach and ability to sniff out user data, anonymized or not, are quite expansive.