Data Privacy & Security Watchdogs Zoom in on Teleconferencing

Bastian Shah, CLS ’21

As governments ban gatherings to stop the spread of Covid-19, workplaces and universities are shifting to teleconferencing platforms to replace in-person meetings and classes. Before the pandemic, Zoom had been a go-to teleconferencing platform for companies and universities.[1] Now, many schools and businesses, including Columbia University, are meeting exclusively over Zoom. Data privacy watchdogs and digital rights groups have raised questions about Zoom’s use and handling of user data.[2] In the rush to implement social distancing while maintaining business and learning, one may question whether decisionmakers adequately considered security and privacy when choosing a teleconferencing platform. This post summarizes what we know and don’t know about Zoom’s 1) collection, 2) sale, and 3) disclosure to law enforcement of user data.

Zoom’s Data Collection

The Electronic Frontier Foundation (EFF), an impact litigation organization advocating online free speech, has raised concerns about how much data Zoom collects from users.[3] Like most paid online services, Zoom collects payment information, names, physical locations, and device information from its users.[4] In addition, Zoom allows administrators, like employers and school officials, to record meeting sessions and track users’ computer usage while Zoom is open.[5] It is these employer surveillance measures to which EFF primarily objects.[6] As a result of social distancing policies, employers are surveilling workers in their own homes, raising additional privacy concerns.

Sale of User Data

Zoom’s “Privacy Policy” is ambivalent about whether it sells user data. It does not “allow marketing companies, advertisers, or anyone else to access Personal Data in exchange for payment.”[7] Zoom, in its “humble opinion,” does not “think most of [its] users would see [it] as selling their information.”[8] However, Zoom does share data with third parties, like Google Ads, that advertise on Zoom,[9] and those third parties may use that data for their general advertising business. Despite its “humble opinion,” Zoom’s distribution of user data to third parties for advertising purposes “may be considered a ‘sale’ … under the California Consumer Privacy Act.”[10] Zoom users in California can, therefore, opt out of the sale of their data to third parties. Students and employees from other states required to use Zoom must either acquiesce to the sale of their data to third parties or discontinue schooling or employment.

Sharing Data with Law Enforcement

Access Now, a watchdog group that advocates for digital privacy and civil rights, has sent an open letter to Zoom.[11] The letter requests Zoom issue reports on what “safeguards against government abuses” it has in place and “the number of government requests for user data” it receives.[12] Many large tech companies, including Microsoft, which operates Skype; Google, which operates Hangouts; and Facebook, which operates WhatsApp, publicly report data on government requests for user information and policies for data breaches.[13] Zoom does not currently issue such a report. Zoom discloses no information on how many law enforcement demands it receives, nor whether it notifies customers whose information has been requested by law enforcement. Zoom’s privacy policy states that the company will respond “to a legally binding demand for information” but gives no detail on how, or if, it protects against government overreach.[14] Fear of government overreach is compounded by the existence of “Zoom for Government,” a Zoom service for government agencies accredited and used by the Department of Homeland Security.[15] Vulnerable populations, such as undocumented immigrants, may feel less safe working or learning from home with the knowledge that Zoom may, without notice, disclose their location and demographic data to law enforcement.

Teleconferencing platforms like Zoom are allowing important economic and educational activities to continue despite the Covid-19 pandemic. However, those advocating for legal protections for digital privacy have questioned whether Zoom is unambiguously positive for students and employees. Without nationwide legislation addressing online privacy and security rights, states and watchdog groups are left on their own in addressing the digital side of the current crisis.

 

[1] See Laurie Clarke, Zoom Urged to Be Transparent About Government Data Requests, New Statesman (Mar. 19, 2020), https://tech.newstatesman.com/security/zoom-government-data-requests (“Even before the coronavirus outbreak, Zoom was reportedly used by over 60 per cent of Fortune 500 companies and over 96 per cent of the top 200 universities in the US.”).

[2] See Isedua Oribhador, et al., Open Letter: Zoom’s Policies Affecting Digital Rights, Access Now (Mar. 18, 2020), https://www.accessnow.org/cms/assets/uploads/2020/03/Letter-to-Zoom-.pdf; Lindsay Oliver, What You Should Know About Online Tools During the Covid-19 Crisis, Electronic Frontier Foundation (Mar. 19, 2020), https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis.

[3] See Oliver, supra note 2.

[4] Zoom Privacy Policy, Zoom (Mar. 18, 2020), https://zoom.us/privacy.

[5] Attendee Attention Tracking, Zoom (last visited Mar. 29, 2020), https://support.zoom.us/hc/en-us/articles/115000538083-Attendee-attention-tracking (detailing how to ensure employees keep the Zoom app “in focus” on their screens during meetings).

[6] See Oliver, supra note 2.

[7] Zoom Privacy Policy, supra note 4.

[8] See id.

[9] See id.

[10] Id. (California Consumer Privacy Act information only appears as a pop-up when viewing the website on a computer located in California or using a private browser session) (on file with Colum. J.L. & Soc. Probs.). See also, Cal. Civ. Code § 1798.140(t)(1) (Deering 2020) (“‘[S]ale’ … means … making available … a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”).

[11] See Oribhador, supra note 2.

[12] Id.

[13] See Transparency Reporting Index, Access Now (last visited Mar. 22, 2020), https://www.accessnow.org/transparency-reporting-index/.

[14] See Zoom Privacy Policy, supra note 4.

[15] See Priscilla Barolo, Zoom Achieves FedRAMP Moderate Authorization, Zoom (May 7, 2019), https://blog.zoom.us/wordpress/2019/05/07/zoom-achieves-fedramp-moderate-authorization/ (announcing Zoom for Government’s sponsorship by the United States Department of Homeland Security); Who’s Behind Ice: The Tech and Data Companies Fueling Deportations, National Immigration Project at 6, 24 (last visited Mar. 29, 2020), https://www.nationalimmigrationproject.org/PDFs/community/2018_23Oct_whos-behind-ice.pdf (noting that “Zoom for Government” is used by the Department of Homeland Security, possibly for Customs and Border Protection).