Zoom privacy risks: The video chat app could be sharing more information than you think
Zoom makes video chatting with colleagues easy, but you might be giving away more than you bargained for.
Rae HodgeFormer senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.
The issues were exacerbated by Zoom's widespread adoption at the start of the pandemic, but this was just the latest chapter in the software's rocky security history. It prompted Zoom CEO Eric Yuan to respond to concerns in April 2020, freezing feature updates to address security issues over a 90-day update rollout.
Zoom saw explosive growth at the time, increasing its ranks from 2,400 to 6,100 employees from February 2020 to December 2021. By the end of Zoom's hiring boom, the software had become the first video communications client to attain Common Criteria certification, an international cybersecurity standard awarded after rigorous analysis.
Though Zoom has added these and other security features like end-to-end encryption, there are still a few things you should watch out for to keep your chats as private as possible.
Here are some of the privacy vulnerabilities in Zoom to keep an eye on.
Zoom's cloud recording feature might share meeting video with people outside the call
For paid subscribers, Zoom's cloud recording feature can either be a life-saver or a catastrophic faux pas waiting to happen. If the feature is enabled on the account, a host can record the meeting along with its text transcription and a text file of any active chats in that meeting, and save it to the cloud where it can later be accessed by other authorized users at your company, including people who may have never attended the meeting in question. Yikes.
As Mashable's Jack Morse put it, "What that suggests, but doesn't clarify, is that for non-webinar/standard meetings, your person-to-person chat messages would be later sent to your boss after a call recorded to the cloud."
Zoom does allow a narrowing of the audience here, however. Administrators can limit the recording's accessibility to only certain preapproved IP addresses, even if the recording has already been shared. Participants can also see when a meeting is being recorded.
In the spring of 2021, Zoom rolled out two privacy improvements aimed at making users more aware of whether a meeting is being recorded. During a meeting, you can now look at the bottom of your in-app chat window near the text field where -- if the meeting is being recorded -- you'll see the message "Recording On."
Zoom also introduced a digital stop sign to alert people to bigger potential privacy exposures, in the form of a pop-up notification. When entering a meeting that is being recorded or streamed live, a window will appear informing you of the meetings status and you'll first be required to consent to being recorded before you can proceed. Regardless of the account owner's settings, the notices are displayed to all guests that join a meeting or live streaming session outside the account's organization.
By now, you're used to hearing it from the privacy-minded: Don't use
to log in to other sites and software unless you want Facebook to have data on what you're doing. Fair enough. But what to do when Zoom gets caught sending some of your analytics data to Facebook -- whether or not you even have a Facebook account?
An analysis by Vice's Motherboard found the iOS version of the Zoom app doing exactly that. Courtesy of Facebook's Graph API, Zoom was telling Facebook whenever you opened the Zoom app, what phone or device you were using, and your phone carrier, location and a unique
identifier. Motherboard also reported that Zoom had updated its iOS app so the app would stop sending certain data to Facebook.
In a March 2020 blog post, Zoom addressed the issue, noting "our customers' privacy is incredibly important to us, and therefore we decided to remove the Facebook SDK in our iOS client and have reconfigured the feature so that users will still be able to log in with Facebook via their browser."
"Zoom does use certain standard advertising tools which require Personal Data (think, for example, Google Ads and Google Analytics). We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services)," the policy said at the time. "Sharing Personal Data with the third-party provider while using these tools may fall within the extremely broad definition of the 'sale' of Personal Data under certain state laws because those companies might use Personal Data for their own business purposes, as well as Zoom's purposes."
You should probably review your Zoom and device security settings with an eye toward minimizing permissions, and make sure any anti-tracking software on your device is up to date and running.
It may not help, but it can't hurt.
It's also important to keep your Zoom app up to date so your privacy is always protected with the latest security patches. Luckily, Zoom recently rolled out a new automatic update feature that makes this process a whole lot more convenient.