Zoom removes code from its app that allowed Facebook to track users

Zoom code tracking users
Written by Emma Davis

Journalists from Vice Motherboard found that after the Zoom application for iOS was updated last week, it began to transfer data about users to Facebook, even if they did not have an account on the social network. Now, the developers have removed the code that allowed tracking users from the Zoom application.

The popularity of Zoom is now growing rapidly in connection with the COVID-19 pandemic, as more and more people find themselves in isolation and are forced to work and communicate exclusively remotely. The company’s shares are also growing rapidly against this background.

It is worth noting that Vice Motherboard reporters have criticized Zoom before. For example, the publication recently studied video conferencing solutions on the market and noted that Zoom video calls do not have end-to-end encryption by default, and that the application offers creepy features like attention tracking.

“Using this feature, you can track the attention of the participants in a conversation, and detect when a person has been distracted from the active Zoom window for more than half a minute”, – said the reporters.

Moreover, they recalled that Zoom was linked to a vulnerability last year. At that time, when installed on macOS, the application launched a local web server with an undocumented API on the user’s machine, and this server remained on the system and stayed active even after the application itself was uninstalled.

As a result, any site that the user visited could interact with this web server. This made it possible to start video calls, connect to other people’s calls, and even secretly update or reinstall the application itself (without any confirmation from the victim). Additionally, the web server could be used for DoS attacks, for which simple pings were enough.

However, let’s come back to the collection of data for Facebook. Journalists write that such data transfers are common, especially for Facebook. The fact is that many developers use the Facebook SDK as a means of implementing functions in their products more easily, and the SDK also sends information to the social network.

Thus, once the application was downloaded and opened, Zoom connected to the Facebook Graph API, which is the main way developers communicate with Facebook. As a result, Zoom notified Facebook when the user opened the application and transmitted information about the user’s device (device model, time zone and city, information about the operator, and a unique advertising identifier associated with the user’s device, which companies can use to display targeted advertising).

According to the publication, Zoom users may not be aware that this is happening at all, and it will be difficult for them to understand why, when they use one product, their data is transferred to a completely different service.

Zoom’s privacy policy states that the company may collect “user profile information on Facebook (when you use Facebook to log in to our products or to create an account for our products)”, but the document does not mention sending data to Facebook in the event that the person does not have such an account at all.

“This is shocking. Zoom privacy policy doesn’t say anything like that,” – says Pat Walsh, an activist with Privacy Matters.

Shortly after this publication, Zoom developers reacted to what was happening and reported that an error had occurred.

“Zoom takes the privacy of its users very seriously. Initially, we implemented the “Log in with Facebook” function using the Facebook SDK to provide our users with another convenient way to access our platform. However, we recently learned that the Facebook SDK collects unnecessary data about the device”, – company representatives told the magazine.

As a result, the developers apologized and assured that they would stop using the Facebook SDK and remove it from the application, although users will still be able to log in via Facebook. Users were encouraged to update the app to get rid of the surveillance.

However, earlier this week it became known that the removal of the spyware SDK did not save the company from legal consequences. Bloomberg writes that a user filed a class action lawsuit against the company for transmitting data to Facebook. The lawsuit claims that Zoom violated California data protection law by not obtaining proper consent from users to transfer data.

“Apparently, Zoom did not take any action to block the operation of previous versions of the Zoom application. Thus, if users do not update the Zoom application, they are likely to continue to transmit unauthorized personal information to Facebook and, possibly, to other third parties. <...> Zoom could force all iOS users to upgrade to the new version of the application, but it seems that they decided not to do this”, – says the lawsuit.

About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.