Zoom and the data protection quagmire, by Alexia Pato

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at blogdroiteuropeen@gmail.com.

Zoom Video Communications

Founded in 2011, Zoom is an American cloud-based video communications company located in San Jose (California). The popularity of its video conferencing services has exploded since the outbreak of the Covid-19 pandemic: in a recent blogpost, Zoom’s CEO noted: “as of the end of December [2019], the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March [2020], we reached more than 200 million daily meeting participants, both free and paid”. Under Zoom’s freemium model, customers may use the company’s platform for free but are charged for upgrades. Nothing uncommon so far. So, what makes Zoom so popular? There are certainly several reasons explaining Zoom’s sudden success. Three factors are worth mentioning: Zoom is easy to use, it provides high-quality products and is customer-driven.

Today, not only companies, but schools, individuals and governments contract Zoom’s services. However, recent security concerns have called the company’s reliability into question.

Security Flaws

First designed for corporate use, Zoom was hit by the backlash of its popularity, as the number of users dramatically increased. The next paragraphs shed light on several security issues that took place within the last months (a detailed list of those issues is available on cnet and tom’s guide).

Sharing of Data with Third Parties

On 26 March 2020, Motherboard revealed that Zoom had shared users’ data with Facebook without their consent, even if those users did not have any Facebook account. At the time, the iOS version of Zoom offered the possibility for customers to log in by using their Facebook username and password through a software called SDK (Software Development Kit), which allowed the social media company to collect data. In particular, Motherboard found out that Zoom notified Facebook when the users opened the app and released information, such as the model of the device they used, the time zone and the city from where they connected, the phone carrier and the identifier allowing companies to offer tailored advertisements to users (advertiser ID).

The New York Times has recently revealed that Zoom shared data with LinkedIn too. When a user would enter a meeting on Zoom, that user could access other participants’ LinkedIn data (without their consent) by clicking on an icon. Zoom sent participants’ real names and email addresses to LinkedIn, which matched those participants with their LinkedIn profiles. This feature was available to Zoom users who had previously subscribed to a LinkedIn service called LinkedIn Sales Navigator, a sales management tool that helps representatives to extend their network and conclude more deals.

End-to-end Encryption

On 31 March 2020, The Intercept reported that Zoom did not support end-to-end encryption, despite the statements of the company both on its website and in its white paper on security. As a result, even though your meetings on Zoom would be protected from anyone trying to access them, the company could technically spy on your private conversations.

Zoombombing

« Zoombombing » is the hijack of meetings by intruders who use the screen-sharing feature in order to post racist or homophobic messages, as well as pornographic images or videos. Several schools, companies and governments have stopped using the platform after their video conferencing was disrupted by hijackers. This happened to such an extent that Singapore has recently suspended the use of video conferencing by teachers after obscene images interrupted a geography lesson.

Zoom’s Fixes

Since then, Zoom’s application was updated and users need to download its new version in order to prevent the transfer of data to third parties. Additionally, on 29 March 2020, Zoom changed its policies on privacy, where one can read that the company “do[es] not sell your personal data” anymore. Finally, the company turned its priorities upside down by freezing updates, so that it could dedicate all its resources to fix security issues in 90 days. Although that timeframe might seem relatively long, it looks like Zoom is carrying out a profound reassessment of privacy-related questions: the 90 days plan includes reviews with third-party experts to make sure that data protection standards are complied with, as well as the release of a transparency report (to be issued later this year).

In all cases, the harm is done and legal proceedings are on their way in the United States.

Legal Responses in the United States

The next paragraphs comment on private actions against Zoom for the violation of the California Consumer Privacy Act (CCPA), which is the key law on data protection in California. Because of space constraints, administrative investigations carried out by US public authorities and foreign governments are left outside the scope of the present post.

California Consumer Privacy Act

The CCPA, which entered into force in January 2020, applies to businesses collecting consumers’ personal information. It is often said that the Act shares many similarities with the European General Regulation on Data Protection (GDPR), as it provides a high level of data protection. Nevertheless, that piece of legislation is modelled on the American legal regime on privacy, where respect of the First Amendment dominates. Contrary to the GDPR, the CCPA establishes that, in principle, personal information – referred to as personal data in Europe – can be processed. Some restrictions apply, e.g. when personal information is disclosed or sold to a third party, as is explained below. For more information on the scope of application of the CCPA, compared to the GDPR, see my comparative table.

Class Actions

Zoom’s unauthorized transfer of data to Facebook gave rise to at least four class actions (Robert Cullen v. Zoom Video Communications, Inc.; Samuel Taylor v. Zoom Video Communications; Todd Hurvitz v. Zoom Video Communications, Inc., Facebook and LinkedIn Corporation; Buxbaum v. Zoom Communications, Inc.). One of those actions targets LinkedIn as well. The right to sue is based on § 1798.150(a) CCPA, which establishes that the unauthorized access and exfiltration, theft, or disclosure of personal information as a result of the business’ violation of the duty to implement security standards allocate plaintiffs a right to start a civil action.

One of the many plaintiffs’ claims is that Zoom violated various provisions of the CCPA, as the company sold personal information to Facebook without prior disclosure on its website or in its privacy policies (§ 1798.115(c) CCPA), and without offering users a right to opt out (§ 1798.120(b) CCPA). However, both the obligation to disclose and the right to opt out must be complied with by any business which “sells” data under the CCPA.

Additionally, a security class action is on its way (Drieu v. Zoom Video Communications, Inc. et al.), as a result of Zoom’s false statements and security vulnerabilities. The untimely disclosure of the security flaws mentioned above significantly impacted Zoom’s stock price. All investors who bought stock or options between 18 April 2019 and 6 April 2020 can join the class action.

Zoom’s Privacy Misconceptions

Even though Zoom has improved the security standards of its services and updated its policies, concerning misconceptions on privacy remain.

For example, Zoom argues that the data collected and shared with third parties does not include users’ personal information, but rather information about their devices. However, the company misunderstands how broad the definition of personal information under the CCPA is: any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” is personal information (§ 1798.140(o)(1) CCPA). By way of example, although the advertiser ID is a mere string of numbers, it can be linked to a personal user. Coupled with additional collected data, a precise profile of that user can be built up. Hence, Zoom did transfer personal information to Facebook.

Then, in its privacy policies, Zoom declares that third parties cannot “access personal data in exchange for payment” (emphasis added). Should one understand that some categories of personal data are disclosed to third parties for free? If that is the case, the CCPA makes clear that disclosing data or making them available “for monetary or other valuable consideration” amount to “selling”. As mentioned above, selling data triggers CCPA requirements, such as the obligation to disclose and the right to opt out. Zoom adds that third parties cannot use personal information for their own purposes, unless consent is given. Typically, that will be the case if the user downloads an app from Zoom’s Marketplace, says the company. Since users’ consent is not required under the CCPA, it seems that the purpose of this statement is to comply with the GDPR. Nevertheless, Article 7 GDPR imposes strict conditions regarding consent, and it is doubtful that downloading from Zoom’s Marketplace amounts to allowance to sell data to third parties.

Finally, Zoom contends that “[f]or purposes of GDPR and CCPA, our customer is the “Controller”, or decision maker, for the personal data, and we are the “Processor”, acting as a “service provider” for, and at the direction of, our customer”. Both pieces of legislation specify that the controller is the person who determines the purposes and means of the processing (§ 1798.140(c)(1) CCPA and Article 4(7) GDPR). And this is exactly what Zoom does: the company decides the data which is to be collected, disclosed or sold in order to provide video conferencing services. Hence, Zoom really is a controller. This qualification makes a difference under both EU and California laws: under the GDPR, controllers and processors assume different obligations and responsibilities. As for the CCPA, it only applies to controllers; processors fall outside its personal scope of application.

Conclusion

In times of pandemic, the existence of modern technological tools, such as video conferencing, have enabled us to stay connected; and we are grateful for it. Nevertheless, both the entry into force of enhanced data protection laws, such as the CCPA, as well as people’s willingness to exercise control over their personal information call for more transparency and responsibility regarding the use of data by companies. Legal proceedings in the US should clarify remaining misconceptions on privacy and make sure that new, heightened data protection standards are fully respected.

Alexia Pato is Senior Research Fellow at the University of Bonn (Germany) and co-editor of Blogdroiteuropeen.