Journalists at Vice Motherboard found that after the Zoom app for iOS was released last week, it began transmitting data about users to Facebook, even if they did not have an account on the social network.
Zoom's popularity is now growing rapidly because of the COVID-19 pandemic, as more and more people find themselves in isolation and are forced to work and communicate exclusively remotely. Against this background, the company's shares are also rising rapidly.
It is worth noting that Vice Motherboard reporters have criticized Zoom before. For example, a recent article reviewed the video conferencing solutions on the market and noted that Zoom video calls do not have end-to-end encryption by default, and that the application offers creepy features like attention tracking. This function lets you track the attention of the participants in a conversation and detect when a person has been away from the active Zoom window for more than half a minute.
They also recalled last year's Zoom vulnerability. At that time, when installed on macOS, the application started a local web server with an undocumented API on the user's machine. The server remained on the system and stayed active even after the application itself was uninstalled. As a result, any site that the user visited could interact with this web server. This made it possible to start video calls, join other people's calls, and even silently update or reinstall the application itself (without any confirmation from the victim). The web server could also be used for DoS attacks, for which simple pings were enough.
But back to the data collection for Facebook. The journalists write that such data transfers are not at all uncommon, especially where Facebook is concerned. Many developers use the Facebook SDK to implement features in their products more easily, and the SDK also allows information to be sent to the social network.
After the application was downloaded and opened, Zoom connected to the Facebook Graph API, which is the main way developers exchange data with Facebook. As a result, Zoom notified Facebook when the user opened the application and transmitted information about the user's device: the device model, time zone and city, information about the operator, and a unique advertising identifier associated with the user's device, which companies can use to display targeted advertising.
Shortly after this publication, Zoom's developers responded and said that an error had occurred.
“Zoom takes the privacy of its users very seriously. Initially, we implemented the ‘Log in with Facebook’ function using the Facebook SDK to provide our users with another convenient way to access our platform. However, we recently learned that the Facebook SDK collects unnecessary data about the device,” company representatives told the publication.
As a result, the developers apologized and said that they are dropping the Facebook SDK and removing it from the application, although users will still be able to log in via Facebook. Users were encouraged to update the app to get rid of the surveillance.
However, earlier this week it became known that removing the spyware SDK did not save the company from legal consequences. Bloomberg writes that a user has filed a class action lawsuit against the company for transferring data to Facebook. The lawsuit claims that Zoom violated California data protection law by not obtaining proper consent from users to transfer their data.
“Apparently, Zoom did not take any action to block the operation of previous versions of the Zoom application. Thus, if users do not update the Zoom application, they are likely to continue to unknowingly transmit unauthorized personal information to Facebook and, possibly, to other third parties. <…> Zoom could force all iOS users to upgrade to the new version of the application, but it seems that they decided not to do this,” the lawsuit said.