Vice investigation reveals Zoom for iOS sends data to Facebook
Last Thursday (March 26), Vice revealed that Zoom sends data to Facebook when you use its app on iOS. In particular, Zoom informs Facebook when you open the application and when you close it, and sends information such as the advertiser ID, your IP address, your city or your smartphone model. It does this even if you don't have a Facebook account. Another problem noted by Vice: Zoom does not inform the user of Facebook tracking in its privacy policy. Zoom does mention Facebook under "Collection of your Personal Data", but only to indicate that it collects your Facebook profile information if you decide to create your Zoom account with Facebook:
Facebook profile information (when you use Facebook to log-in to our Products or to create an account for our Products)
There is, however, no mention of Facebook tracking when you do not use the Facebook login to access Zoom.
The timing of Vice's investigation is excellent: Zoom is taking advantage of the boom in teleworking in the midst of a period of confinement due to the coronavirus, with a 12-fold increase in downloads and a soaring stock market valuation.
Curious to see this data leak for myself, I followed these steps on my iPhone:
- Closed the other open applications
- Launched Charles Proxy and started capturing traffic
- Launched Zoom
- Exported the logs to my computer for analysis
Zoom does use Facebook, and actually sends the information reported by Vice. Note that Facebook is the only third party to receive information from Zoom. Vice only reports problems on iOS, but since I use Zoom on my computer (as I imagine most professional Zoom users do), I wanted to test the tracking on Mac as well. So I followed the same procedure as with iOS, this time using the Mac version of Charles Proxy.
The Zoom app on Mac does not send any information to third parties, and therefore nothing to Facebook.
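The analysis step of the procedure above can be scripted. The following is an added example, not code from the original post: it assumes the proxy session was exported as a HAR file, uses a constructed sample capture (the URLs and parameter names are illustrative), and the function names are hypothetical. It lists every non-first-party domain contacted and the names of the parameters sent to it.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: a minimal HAR holding only the fields this script reads.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://zoom.us/client/config?os=ios"}},
    {"request": {"method": "POST",
                 "url": "https://graph.facebook.com/example/activities",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "event=APP_OPEN&advertiser_id=0000&extinfo=iPhone"}}},
    {"request": {"method": "GET", "url": "https://us04web.zoom.us/status"}},
]}})

def registrable_domain(host):
    # Assumption: naive "last two labels" rule. Use a Public Suffix List
    # for suffixes such as co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def sent_fields(request):
    """Names (not values) of parameters sent in the query string or form body."""
    query = urlsplit(request["url"]).query
    names = {k for k, _ in parse_qsl(query, keep_blank_values=True)}
    body = request.get("postData") or {}
    if "urlencoded" in body.get("mimeType", ""):
        names |= {k for k, _ in parse_qsl(body.get("text", ""), keep_blank_values=True)}
    return names

def third_party_report(har_text, first_party):
    """Map each non-first-party domain to its request count and parameter names."""
    report = defaultdict(lambda: {"requests": 0, "fields": set()})
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname
        if not host or registrable_domain(host) in first_party:
            continue  # skip malformed entries and the app vendor's own servers
        row = report[registrable_domain(host)]
        row["requests"] += 1
        row["fields"] |= sent_fields(req)
    return dict(report)

if __name__ == "__main__":
    for domain, row in sorted(third_party_report(SAMPLE_HAR, {"zoom.us"}).items()):
        print(domain, row["requests"], sorted(row["fields"]))
```

Request bodies only appear in the export when the proxy is set up to decrypt HTTPS for the hosts in question; otherwise the report still lists the third-party domains but not the fields.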
Zoom's reaction the day after the Vice article
Zoom did not wait long to apologize, through its CEO, for this tracking, and to remove the Facebook SDK responsible for the data leak. The explanation given for the tracking is interesting: the Facebook SDK was implemented to allow users to create their Zoom account and then log in via Facebook.
This feature, although invasive, is appreciated by some users because it allows them to create an account more easily. But implemented directly in the application code (the “Facebook SDK” for iOS), it allows Facebook to systematically collect your data:
- Facebook collects your data even if you decide to create your Zoom account and log in without Facebook (via your email, for example)
- Facebook also collects your data if you do not have a Facebook account (data associated with an identifier)
Also interesting is the fact that Zoom has not removed account creation via Facebook, but has moved it to the browser. A user wishing to create their Zoom account via Facebook will still be able to do so, but Facebook tracking is removed for other users. Eric S. Yuan says Zoom is reviewing its implementation processes for these features so as not to repeat the error.
Keen to verify that Facebook tracking had really been removed, I updated the application on my iPhone (note how Zoom communicates about the update, "Improvements to Facebook Login").
And indeed, Facebook tracking has disappeared.
The power of tracking investigations
Tracking is unfortunately widespread across applications, and Zoom is not the worst offender here. Many apps use SDKs from Google, Facebook, or other marketing companies you've never heard of, often leaking much more sensitive personal data (like your name, email address, or geolocation). What is at the root of this scandal?
- The permissiveness of Apple and Google on their respective app stores, allowing any app developer to use as many third-party SDKs as they like, and allowing those third-party SDKs to access your personal data.
- The lack of transparency and control, with application developers very rarely providing the necessary information and control over the transmission of your personal data to third parties. Here the GDPR should solve the problem, but it is still far from being applied.
It is nevertheless encouraging to see that a simple investigation by Vice made it possible to resolve the tracking problem on Zoom.