Zoom Removes Code That Sends Data to Facebook

An anonymous reader quotes Motherboard: On Friday video-conferencing software Zoom issued an update to its iOS app which stops it sending certain pieces of data to Facebook. The move comes after a Motherboard analysis of the app found it sent information such as when a user opened the app, their timezone, city, and device details to the social network giant.

When Motherboard analyzed the app, Zoom's privacy policy did not make the data transfer to Facebook clear.

"Zoom takes its users' privacy extremely seriously. We originally implemented the 'Login with Facebook' feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data," Zoom told Motherboard in a statement on Friday....

"We sincerely apologize for this oversight, and remain firmly committed to the protection of our users' data," Zoom's statement concluded.

Zoom is an unethical company

[Anonymous Coward]

"However, we were recently made aware that the Facebook SDK was collecting unnecessary device data"

Yeah, bullshit. They knew all along and thought nobody would notice. They only removed it because they got caught.

Not bullshit, look at motive

[SuperKendall]

Yeah, bullshit. They knew all along and thought nobody would notice.

How would they know? You drop in a library like FaceBook Login, you cannot review the whole thing - it's massive. I'm an iOS developer and I didn't realize adding Facebook Login would be sending analytics back to Facebook (luckily I've not added that to any app I work on...)

But beyond that, what is even the benefit to Facebook here? There is none. The data collected purely benefits Facebook, not Zoom, so why would Zoom even want this to happen if they knew? It makes no sense.

It's just another reminder

[93 Escort Wagon]

If you need a reminder, anyway - Facebook is evil. I guess we should be glad they're not good at hiding it, at least.

Re:Not bullshit, look at motive

[fuzzyf]

How could they know? Are you serious?
The simplest of application mapping would reveal this clear as day.
It's also very much expected behaviour if you have any clue about Facebook... or the internet in general these days

What is the benefit for Facebook to collect all Zoom users device information and usage statistics? Again... are you serious?

If Zoom can't be bothered to look into how their own application is communicating, how secure do you think it can be?
How serous can they really be on privacy?

Please stop being a naive developer. Use a web proxy and get a clue how your own application actually works. The world needs competence, not ignorance and assumptions.

Re:

[Malays2 bowman]

"How would they know? You drop in a library like FaceBook Login"

Ignorance is no excuae. If you "drop in unknown libraries" (a very foolish thing to do) in your code, you are still on the hook.

It's like blindly firing a gun out your window in the middle of the night. You are still responsible if a bullet hits someone.

Re:

[mspohr]

Why are you adding a Facebook library to your project?
You're just asking for trouble. You should know that they will steal all your data.

Re:

[mobby_6kl]

But beyond that, what is even the benefit to Facebook here? There is none. The data collected purely benefits Facebook, not Zoom, so why would Zoom even want this to happen if they knew? It makes no sense.

Why would Zoom want it? They're getting kickbacks from Facebook for funneling their users' data to them.

Re:Not bullshit, look at motive

[edi_guy]

I get it, dealing with the Facebook SDK devil in retrospect seems lazy. But the reality of sw development as I've experienced it is a lot of just getting the job done. One person was tasked with offering a FB login, they did that and moved to the next project. And yeah, there's probably a low priority task at Zoom for someone to have reviewed this or whatever. Maybe there should have been a 'cross functional' meeting on external libraries, privacy, balh blah blah. Maybe they should hire a Chief Privacy Officer (ugh)

However I'm going to give credit to Zoom for pulling the plug on this quickly when it was announced. they made a mistake, explained what happened, owned up to it. That's how it should go, There has to be some capacity in the world for allowing mistakes to happen and 'forgiving' Especially considering since nowadays a lot of folks are using this service for free. I mean to use a pretty sophisticated video platform and pay nothing and then complain about their QC. Sounds like that Jack Nicholson line, "...and then questions the manner in which I provide it!" from "A Few Good Men"

Re:

[phantomfive]

I get it, dealing with the Facebook SDK devil in retrospect seems lazy. But the reality of sw development as I've experienced it is a lot of just getting the job done. One person was tasked with offering a FB login, they did that and moved to the next project. And yeah, there's probably a low priority task at Zoom for someone to have reviewed this or whatever. Maybe there should have been a 'cross functional' meeting on external libraries, privacy, balh blah blah.

rotfl I guarantee the code you write is full of security holes.

This is the attitude folks: this is how security holes happen.

Re: Not bullshit, look at motive

[Kitkoan]

Here is a better question, how do you add 3rd party extensions to your app and not bother to understand what it does?

Re:

[omfglearntoplay]

How would anybody know? It seems to me if you use anything Facebook, it's going to be sending info to Facebook.

Re:

[dieguiariel]

Its all on his policy, https://www.facebook.com/legal... [facebook.com], on the docs from the SDK https://developers.facebook.co... [facebook.com], they can't say "we didn't know". Maybe the correct statement was "We didn't know that you could catch us doing this"

Re:

[AxisOfPleasure]

They added the "Login with FB" link 'co s everyone else has, some lazy developer didn't bother to check with networks team to see what traffic the got posted back to base.

How stupid to do you have to be to include that FB login link on you site and not expect Facebook to get something out of it for themselves?!

Re:

[gosso920]

"We will instead send the data to Google, who will sell it to Facebook. We'll split the proceeds," he added.

What about

[markdavis]

>"We originally implemented the 'Login with Facebook' feature using the Facebook SDK" "Zoom issued an update to its iOS app"

And what about the 80+% of people who are using Android? Are you using the same SDK on that, too? Does it have the same issue? And if so, why hasn't that been addressed?

FB as identity provider, just say no.

[JaredOfEuropa]

Any company that takes its customers' privacy seriously does not offer a "Login with FaceBook" option. Not with the FB SDK, nor with bespoke code. Any any customer should think twice about using FaceBook as their identity provider.

Re:FB as identity provider, just say no.

[Octorian]

Unfortunately, there are real benefits to minimizing the friction associated with a signup/login process. And yes, in the real world, these benefits often outweigh any downsides that come from not being sufficiently high-and-mighty about what an app does or doesn't do.

Re:

[tarks]

Huh? Isn't the whole point of a login process to _increase_ friction, i.e., to make it harder to access something?

Re:

[robot5x]

Zoom's last attempt at minimizing friction saw them circumvent OS-level security, and install a local webserver which would reinstall the app if you ever deleted it!

Link here [medium.com]

So, no, this isn't some incompetent goofball derp move, it's a very well thought-out and considered strategy to squeezing as much money out of user data as possible.

Re:

[uolamer]

You can always use your secondary bs account made for spam, gaming, etc for it.

How you know Zoom knew...

[Fringe]

Zoom has a privacy-oriented version, Zoom for Healthcare [zoom.us]. And a page about HIPPA compliance [zoom.us]. Getting a non-leaky Zoom requires a package, for a significant up-charge, much as getting AWD on some cars requires upgrading to the luxury or premium pack.

Re:

[yassa2020]

To be fair, it isn't so much an upcharge as a minimum purchase amount, and considering you get a BAA with it, it's more than fair. Try getting a BAA with AWS and see how much that costs you.

A good thing

[nospam007]

Now a few hundred thousand others must follow.

I am calling BS

[zeiche]

Zoom is taking privacy very seriously because they got caught. Did they really not know Facebook is a privacy dumpster fire?

Ok, listen..

[fuzzyf]

You just admitted that you didn't understand a documented feature of the SDK you included in your application. Someone needed to "make you aware of it".

Should customers now trust that you will prevent, detect and fix more complicated security issues in your application?

"remain firmly committed to the protection of our users" means absolutely nothing.

Btw. These are the same people who installed a web server on all client Mac computers, and just left it there if you uninstalled the Zoom client.
A Web SERVER!
ffs

Zoom needs to do a serious effort to earn trust back.

Re:

[DontBeAMoran]

All Macs already come with a web server (Apache), not running by default AFAIK. Do you mean Zoom installed another one?

Re:

[93 Escort Wagon]

All Macs already come with a web server (Apache), not running by default AFAIK. Do you mean Zoom installed another one?

Yes, actually, they installed a small Zoom-specific web server [theregister.co.uk].

And Apache is not running on Mac by default - but, as you said, it is installed. I found it mildly funny that OS X Server used to list "web server" as one of it's features, when really all it added was a GUI to the already-existing Apache.

Re:

[_merlin]

I found it mildly funny that OS X Server used to list "web server" as one of it's features, when really all it added was a GUI to the already-existing Apache.

Quite a few of Servers features were like that. The DNS/BootP server (bootpd) was present in the regular version of OS X, you just had to configure it through NetInfo Manager (or XML files after they removed NetInfo). The DNS server (BIND) was another feature present in regular OS X with just a GUI provided in Server.

Re:

[fuzzyf]

Yes. It made som noise last year.

Quote from https://nvd.nist.gov/vuln/deta... [nist.gov]:
"If the ZoomOpener daemon (aka the hidden web server) is running, but the Zoom Client is not installed or can't be opened, an attacker can remotely execute code with a maliciously crafted launch URL"

CVE-2019-13567

Re:

[DontBeAMoran]

If companies came out and said, "We don't send anything to Google, Fartbook, Twatter, MS, Amazon or anyone". They'd get a lot more users. There is a market for 'Ethical' software.

And Apple has that market.

That's why I don't have any social media account and that I only trust Microsoft with games.

Re:

[Malays2 bowman]

"Those that don't give a toss will just carry on as normal giving Zuck his usual wet dreams about all that free data heading his way."

This is what happens when the US stops producing engines, television sets. tractors, refrigerators, just about everything under the sun and being damn GOOD at it.

Now we 'manufacture' books, theories, criminal thinking classes, feel good liberal arts bullshit, mental 'remedies', and other intangible bullshit. China is already proving that they can start cutting their dependen

Spokes person clarified further.

[140Mandak262Jamuna]

We take our user privacy and user data seriously.

This data is extremely valuable and we did not realize we had been giving away this data to facebook for free. We have worked with remarkable speed to rectify this oversight. If face book wants our user data they need to pay like every one else. All our customers, we call those who pay us customers, please rest assured the data sold by facebook is getting obsolete by the minute. To the customers of facebook, please do consider buying the data directly from us, customer relation reps are standing by.

We want our users, we call those who dont pay us users, to continue to use our product extensively, and this will allow all the companies with new and exciting products and services to find you and let you know about the great things they are offering.

EU Zoom users just ask facebook to delete the data

[Alain Williams]

The GDPR article 5 says Personal data shall be processed lawfully, fairly and in a transparent manner [gdpr-info.eu] - it is clear that this was not done transparently. Read to article 7.1 the controller shall be able to demonstrate that the data subject has consented [gdpr-info.eu], well if no one knew about it then they could not have consented. So there is a serious breech here.

Users also have also the right to erasure [gdpr-info.eu].

So: let's have all Zoom users ask for the data to be erased, Zoom must pass the requests on to facebook. But I fully expect facebook to just ignore this - assuming that Zoom even bothers to pass on the requests -- time for the EU to fine another 4% of global turnover; eventually they might behave, maybe.

Re: EU Zoom users just ask facebook to delete the

[BAReFO0t]

Well Zoom is easily sued into submission.

Make sure they get an actual paper letter. From an actual lawyer.
And they will call YOU.

A friend of mind got an actual call from Facebook due to this. And not some call center drone. An actual head of something.

Re:

[bagofbeans]

...friend of mind got an actual call from Facebook due to this

More details please...

Zoom = Flappy Bird?

[BAReFO0t]

Looks to me, as if Zoom is only used ... because it is said it is used.

Like Flappy Bird, that peope only cared about because it was said that everyone cares about it for some reason.

Can somebody enlighten me, if there is any other reason to use that particular, previously unknown (to me / Slashdot?) service above others?
I can't see one.

Re:

[phantomfive]

Zoom became popular because they finally got it "right." It's easy to set up a "Zoom Room" with screens and cameras that mostly works, and it's easy for people to call in.

I shouldn't say they got it "right," but the did a better job on the user experience than any videoconferencing solution before them, in their primary use cases.

What of that is new?

[BAReFO0t]

Jitsi Meet is as easy as going to the site, entering the name of your room, and sending the link to your peers.

And Jitsi was always well-known for its next-level security. Jitsi messenger was the first one to ever implement ZRTP (not SRTP!) And did 128 people video conferencing without even blinking.
Hell, even advanced firewall bypassing and configuration provisioning for corporations were built-in. Among all the features you could ever want, if you needed them.

So: Is this a joke?
Or merely clueless iKids?

Re:

[phantomfive]

Jitsi messenger was the first one to ever implement ZRTP (not SRTP!)

Wow, you care about the wrong features bro.

Taking privacy seriously. Seriously?

[Vranitzky]

"Zoom takes its users' privacy extremely seriously" This is corporate-speak for "we don't give a shit" - everytime one of these companies get caught, they claim they take users' privacy seriously. What about doing before getting caught? Moreover, they ought to learn new sentences, we are all tired of companies "taking users' security/privacy very seriously"... Don't they ever teach anything to these PR drones?

Re:

[yassa2020]

Our thoughts and prayers are with your privacy.

I wonder,

[Grand Facade]

How much Facebook paid Zoom to include that bit of code.

It certainly was not a "favor" to the users. Someone got paid....

There are many sites that allow/want to use other sites logins. I have never used them because my conspiracy theory thinking doesn't want to give them the connections.

Privacy is an illusion anymore, but that doesn't mean you should drop your pants....

And the same company having anything to do with healthcare can never be a good thing, this is the Fox counting the Chickens.
I'm sure Zoom ha

Re:

[yassa2020]

I have to admit, I had been planning to use them for a healthcare related product, but this is making me think twice. The part that is making me think twice is that Facebook login being a spybot has been publicly known (even by non-techies) for over a decade. FFS I think there was even articles in NYT and other big newspapers way back when. If they are that incompetent, surely there are leaks elsewhere.

To your other point though, litigation is surely the purpose of BAAs. If you execute a BAA with them that

Re:

[phantomfive]

It looks like Facebook analytics. Facebook strongly encourages you to send analytic info to them, so they can better target users when you advertise on their website.

I don't know what Facebook does with the data, but if you have an ad campaign on Facebook, and you remove the analytics, then you will see your traffic from Facebook ads drop really quickly.

I'm shocked

[cowdung]

I'm shocked that when I use a Facebook Login that they would log that I logged in and capture the date, and details of what browser I used.

Who would have thought?

Next we'll find out that Facebook is storing the hash of the password I use to log in!

Not serious about privacy

[MessageDrivenBean]

If you are serious about privacy, you would not use any Facebook code. Ever.