Vice investigation reveals Zoom for iOS sends data to Facebook
Last Thursday (March 26), Vice revealed that Zoom sends data to Facebook when you use its iOS app. In particular, Zoom tells Facebook when you open the app and when you close it, and sends information such as the advertising identifier, your IP address, your city and your smartphone model. It does this even if you do not have a Facebook account. Another problem noted by Vice: Zoom does not inform users of this Facebook tracking in its privacy policy. Facebook is mentioned in the "Collection of your Personal Data" section, but only to say that Zoom collects your Facebook profile information if you decide to create your Zoom account with Facebook:
Facebook profile information (when you use Facebook to log-in to our Products or to create an account for our Products)
There is, however, no mention of Facebook tracking when you do not use Facebook Login to access Zoom.
The timing of Vice's investigation is excellent: Zoom is benefiting from the boom in remote work during the coronavirus lockdown, with a 12-fold increase in downloads and a soaring stock market valuation.
Curious to see this data leak for myself, I followed these steps on my iPhone:
- Close the different open applications
- Launch Charles Proxy and enable tracking
- Launch Zoom
- Export the logs to my computer for analysis
Zoom does use Facebook, and it does send the information reported by Vice. Note that Facebook is the only third party receiving information from Zoom. Vice reported problems only on iOS, but since I use Zoom on my computer (as I imagine most professional Zoom users do), I also wanted to test tracking on Mac. I therefore followed the same procedure as on iOS, this time using the Mac version of Charles Proxy:
The Zoom app on Mac does not send any information to third parties, and therefore nothing to Facebook.
Zoom's reaction the day after the Vice article
Zoom did not wait long to apologize through its CEO for this tracking, and to remove the Facebook SDK responsible for the data leak. The explanation for this tracking is interesting: the Facebook SDK had been implemented so users could create a Zoom account and then log in via Facebook.
Although invasive, this feature is appreciated by some users because it makes account creation easier. But when implemented directly in the application code (the “Facebook SDK” for iOS), it allows Facebook to systematically collect your data:
- Facebook collects your data even if you decide to create your Zoom account and log in without Facebook (via your email address, for example)
- Facebook also collects your data if you do not have a Facebook account (data associated with an identifier)
It is also interesting that Zoom did not remove account creation via Facebook, but moved it to the browser. Users who want to create their Zoom account via Facebook can still do so, but Facebook tracking is removed for everyone else. Eric S. Yuan says Zoom is reviewing the implementation process for these features to avoid repeating the mistake.
Eager to verify that Facebook tracking had actually been removed, I updated the application on my iPhone (note how Zoom describes the update: "Improvements to Facebook Login").
And indeed, Facebook tracking has disappeared:
The power of tracking investigations
Tracking is unfortunately widespread across applications, and Zoom is not the worst offender here. Many apps use SDKs from Google, Facebook, or other marketing companies you have never heard of, often leaking much more sensitive personal data (such as your name, email address, or geolocation). What lies behind this scandal?
- The permissiveness of Apple and Google on their respective app stores, which allows any app developer to use numerous third-party SDKs and allows those SDKs to access your personal data.
- The lack of transparency and control: application developers very rarely provide the information and control needed over the transmission of your personal data to third parties. The GDPR should solve this problem, but it is still far from being properly applied.
It is nevertheless encouraging to see that a simple Vice investigation was enough to resolve the tracking problem in Zoom.