Big Data: Does Zoom Protect Our Privacy?

By Kai Lockwood

Senior Columnist

“Arguing that you don’t care about privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

- Edward Snowden

I don’t know if you have noticed, but we live in a time of drastically increased dependence on the internet. The fixed broadband consumption per user in the United States jumped from 12.19 to 15.46 between all of January and a single week in March.  With online school, working from home, Zoom calls with extended family members, and religious gatherings online, we’re spending so much of our lives on the internet. While the internet may help us all weather this pandemic, does the internet—or, more accurately, do the power players on it—have our best interests in mind? 

Ever since Edward Snowden leaked thousands of classified National Security Agency documents in 2013, revealing the mass-harvesting of emails, texts and cell-phone calls, certain sectors of the public have had a fascination with online privacy. We saw the rise of VPNs, password vault and fears that Alexa is spying on us all. 

While we were all worried about the NSA peering through our phone cameras to watch us play mobile games, many of us turned the blind eye to data encroachment by companies like Google and Facebook. With privacy policies that track what we do, sell our data to advertising companies and allow for the prolific spread of fake news, it is easy to see Google and Facebook have bad privacy policies. Yet, we all still use them, if only because everyone does. Who among us doesn’t secretly judge anyone with an AOL email address? 

This is where I have to admit that I, too, use Google, that I have a Gmail, that I drafted this piece on Google Docs and that I don’t plan on deleting my Facebook or Gmail anytime soon. But I think we ought to know what we’re getting into and advocate for better privacy policies wherever possible. So, my question is: how much do we know about Zoom? Should we trust it?

Zoom is a publicly traded tech company,  founded in 2011 by Eric Yuan and based in San Jose, California. Zoom’s stated mission is ‘to help businesses and organizations bring their teams together in a  frictionless environment to get more done.” Only very recently, however, has Zoom been thrust into our national culture, because of the number of schools, businesses and families that have turned to the platform for video conferencing during the COVID-19 pandemic. For answers to my questions, we must look at policies against “Zoombombing,” Zoom’s privacy policy in general and how the company interacts with government agencies here and abroad.

For those of you who don’t know, “Zoombombing” is a verb now used to describe the unwanted intrusion of someone into a Zoom call. While it is not part of the definition, per se, these people are normally not part of the school or organization hosting the call, and they usually leave unsavory, hateful, derogatory or pornographic comments, videos and pictures. While I have not personally had any interactions with Zoombombers, searching the word (on Google) will bring up myriad meetings interrupted by “Zoombombers,” ranging from small family get-togethers to daily calls hosted by newspaper reporters. While the implementation of waiting rooms has been able to stop most average zoombombers, the fact that Zoom only standardized them after many users had already added waiting rooms themselves tells you that Zoom might not put privacy at the forefront of its innovation. If it did, this would never have been a problem.

So, we know that Zoom failed to deal with Zoombombers in a timely fashion. Does Zoom’s privacy policy redeem it, though? According to a statement put out by Zoom’s Chief Legal Officer, Aparna Bawa, on March 29, Zoom claims the following:

• “We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data.”

• “Your meetings are yours. We do not monitor them or even store them after your meeting is done unless we are requested to record and store them by the meeting host. We alert participants via both audio and video when they join meetings if the host is recording a meeting, and participants have the option to leave the meeting. “ 

• “When the meeting is recorded, it is, at the host’s choice, stored either locally on the host’s machine or in our Zoom cloud. We have robust and validated access controls to prevent unauthorized access to meeting recordings saved to the Zoom cloud.”

• “Zoom collects only the user data that is required to provide you Zoom services. This includes technical and operational support and service improvement. For example, we collect information such as a user’s IP address and OS and device details to deliver the best possible Zoom experience to you regardless of how and from where you join.” 

• “We do not use data we obtain from your use of our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You have control over your own cookie settings when visiting our marketing websites.”

• “We are particularly focused on protecting the privacy of K-12 users. Both Zoom’s Privacy Policy (attached) and Zoom’s K-12 Schools & Districts Privacy Policy are designed to reflect our compliance with the requirements of the Children’s Online Privacy Protection Act (COPPA), the Federal Education Rights and Privacy Act (FERPA), the California Consumer Privacy Act (CCPA), and other applicable laws.”

At first glance, all of these policies look great—your data isn’t being sold, data seems to only be held for the betterment of the service and all of the policies seem reasonable. But, as always, the devil is in the details. When you read past the initial statements, many of these statements become misleading. For example, exactly what data does Zoom store? Zoom stores data you used to create your account—very standard stuff, like your name, billing address, payment method and more. It also stores recordings of calls at the discretion of the host. All of that is fine and dandy. 

But Zoom, under the guise of “data our system collects from you,” collects technical information about your devices, such as your IP address, Wi-fi connection type, device identification, your approximate location and your metadata.

But what is “metadata?” That seems awfully broad. Zoom defines metadata as the duration of the meeting, your email address, names you use in meetings, join and leave times, chats status, and cell data records, if you use Zoom on your phone. Until April 2, a feature called “Attention Tracking” could also be activated by the host. With this feature, a host was notified if any member of the meeting did not have Zoom open as their main window for more than 30 seconds. Zoom did not notify participants when attention tracking occurred.

Both of Zoom’s websites, zoom.us and zoom.com, also use cookies and pixels to inform Google Analytics and Google ads. While Zoom claims that they do not sell your data, it seems their definition of “sell” is more than slightly blurry. While Zoom does not allow marketing companies or third parties to buy your data for monetary payment or use your data for their own purposes, Zoom does allow customers to use the webinar service to collect their own marketing data on other Zoom users. Zoom also uses your data for their own marketing purposes and sends your data to what they describe as “tool providers, such as Google.”

Since Zoom collects all this data, it needs a place to store it. Unless you otherwise specify to Zoom, Zoom stores your data in the U.S. and transfers that data, if you are international, to the U.S. Zoom states that, based on the circumstances, “courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your personal data.” So the United States, or any country your Zoom data is stored in, can access your information.

In conclusion, Zoom is and will always be a corporation. So is Google. So is Facebook. It is by no means the worst organization out there, but many of its privacy policies leave things to be desired. Don’t completely stop Zooming (after all, you can’t). But know what you’re getting into.