Zoom, the enterprise video software that has surged to the top of app charts since the Covid-19 crisis made us all work from home, was said to send data to Facebook even if the user is does not have a Facebook account. Zoom says it has now corrected this. 

Motherboard reported that despite Zoom’s new-found consumer user base, “What the company and its privacy policy don't make clear is that the iOS version of the Zoom app is sending some analytics data to Facebook”.

Since these findings, Zoom appears to have updated its iOS app to make sure certain data are no longer sent to Favebook.

Like many other apps, Zoom’s iOS app for iPhone and iPad uses Facebook’s software development kits (SDKs) to easier integrate certain features. The payoff is that Facebook can harvest this data on a user by user basis even if the user does not have or is not logged into a Facebook account, something not disclosed in Zoom’s privacy policy.

According to Motherboard, this meant that the Zoom app told Facebook when you'd opened the app, sent device model information, time zone and city, phone operator and a unique advertisier identifier that in turn it could use to send you targeted ads.

"I think users can ultimately decide how they feel about Zoom and other apps sending beacons to Facebook, even if there is no direct evidence of sensitive data being shared in current versions," said Will Strafach, an iOS researcher and founder of privacy-focused iOS app Guardian.

Facebook’s SDK policy says apps that use them must notify the user of potential data sharing, something Zoom was not doing when the discovery was made.

In another Motherboard report two days after the original findings, the publication said Zoom had updated the app.

“… [W]e were recently made aware that the Facebook SDK was collecting unnecessary device data," Zoom told Motherboard. “The data collected by the Facebook SDK did not include any personal user information, but rather included data about users’ devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space”.

The statement went on to clarify: "We will be removing the Facebook SDK and reconfiguring the feature so that users will still be able to login with Facebook via their browser. Users will need to update to the latest version of our application once it becomes available in order for these changes to take hold, and we encourage them to do so. We sincerely apologize for this oversight, and remain firmly committed to the protection of our users’ data”.

It's good to see Zoom act on something it claims it wasn’t aware of, though it could be a PR move to claim innocence. It's use has sky rocketed since millions more people are working from home and want to use a video calling service on laptop and mobile.