Zoom, a video conferencing app, on Friday issued an update to its iOS app to remove the SDK (software development kits) that was sending a certain section of data to Facebook.
For those unaware, Zoom recently has seen a sudden surge in popularity and usage, as people are forced to work from home amidst the coronavirus (COVID-19) pandemic.
However, Motherboard found that the Zoom app for iOS was secretly sharing data with Facebook, even when the user did not have a Facebook account.
Like other apps, Zoom uses Facebook’s SDK to implement features quickly. According to network traffic analysis carried out by Motherboard, Zoom’s iOS app connects to Facebook’s Graph API and thereafter lets the social media platform know when a user opens the app and provides information about the device, including the device name, time zone, network carrier, and a unique advertising ID that can be used to target adverts.
The Zoom Privacy Policy clearly states that the app may collect and share data relating to their users’ Facebook profile, but, shockingly, it does not mention if the same policy applies to users without a Facebook account.
“That’s shocking. There is nothing in the privacy policy that addresses that,” said Pat Walsh, a data protection activist who analysed Zoom’s Privacy Policy told Motherboard.
“I think users can ultimately decide how they feel about Zoom and other apps sending beacons to Facebook,” Will Strafach, an iOS researcher and owner of iOS VPN and privacy provider app Guardian told Motherboard.
However, he added that “there is no direct evidence of sensitive data being shared in current versions” of the Zoom app.
A Zoom spokesperson in a statement to Motherboard told that they unaware that the Facebook SDK was collecting unnecessary device data.
“Zoom takes its users’ privacy extremely seriously. We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data.
“The data collected by the Facebook SDK did not include any personal user information, but rather included data about users’ devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.
“We will be removing the Facebook SDK and reconfiguring the feature so that users will still be able to login with Facebook via their browser. Users will need to update to the latest version of our application once it becomes available in order for these changes to take hold, and we encourage them to do so. We sincerely apologize for this oversight, and remain firmly committed to the protection of our users’ data.”
After Zoom issued an update to its iOS app, Motherboard has since verified that the app now no longer sends data to Facebook when it is opened.
