The Zoom videoconferencing application, which gained popularity with the isolation caused by the coronavirus pandemic, has been updated to remove code provided by Facebook that allows other services to integrate with the social network.
A report by the Motherboard website, confirmed by Zoom, points out that the Facebook code collected data from the smartphone unnecessarily, even when the social network's features were not used.
The data transmission involves Facebook's Software Development Kit (SDK). Such components are created to facilitate the implementation of features, the integration of services or the use of a technology (such as a 3D graphics engine). The use of this type of solution is commonplace in software development.
Those responsible for an SDK should write appropriate documentation that explains how it works, while application developers have a duty to check the instructions so that they use it correctly and inform their users about the functionality. In the case of Facebook, the behavior of the SDK, including the information collected, is described in a terms document for partners.
The Facebook document makes it clear that it is up to the application developer to inform users about the information collected.
"If you use our pixels or SDKs, you represent and warrant that you have provided users with adequate and notorious notice regarding the collection, sharing and use of Customer Data," says the text.
The Facebook SDK (used in applications) and the "pixel" (used on websites) exist so that these services can share data about their users with the Facebook platform. Facebook, in return, offers an analysis of this data so that the owner of the website or app knows its audience better.
Zoom, however, published a statement suggesting that the company was surprised by the report that the Facebook SDK sent information about the device's hardware, mobile carrier, configured language, time zone and advertiser ID, which serves as an identifier for advertising tracking. Data was sent whenever the app was opened, even if specific Facebook integration functions were not triggered.
Asked by the blog whether the company knew about Facebook's terms, Zoom had not responded by the time of publication.
For Facebook users, data shared by applications using the SDK is recorded in the "activity outside Facebook" section.
Even with the removal of the SDK, the Zoom app still allows users to log in to the service with their Facebook profile. The difference is that access must be authorized through the web browser, and it is no longer possible to perform the entire procedure within the app itself.
Zoom faces lawsuit and letter from attorney general
The lawsuit alleges that the company did not block old versions of the application, which could have been done to make users aware of the need to update the program and comply with Zoom's official data collection policies.
Those who use old versions of the app are still sending the information to Facebook, according to the lawsuit.
Zoom was also targeted by New York attorney general Letitia James, who sent a letter to the company on Monday (30) questioning what measures were taken to protect new users of the platform.
"(The prosecutor's office) is concerned that Zoom's existing security practices may not be sufficient to adapt to the recent and sudden increase in both the volume and confidentiality of data transmitted over (Zoom's) network," says an excerpt from the note published by the New York Times.
Service failures and attacks
Zoom users have been reporting a practice known as "zoombombing", in which strangers guess the link that gives access to a video conference room and then interrupt the call or make it unworkable.
In one of these episodes, Norwegian students had a remote videoconference class interrupted when a naked man managed to enter the room and transmit the image from his camera. According to the local press, the students were children and the school abandoned the platform.
According to security firm Check Point, criminals are also taking advantage of the growing interest in collaborative work and communication platforms, such as Zoom, to run scams. According to the company, 4% of the 1,700 sites registered with the word "Zoom" since the beginning of the year have suspicious characteristics, which indicate the possibility of scams. Malware distributed with "zoom" in the file name was also identified.
In July 2019, Zoom needed to modify the operation of its software on Apple computers after a security researcher identified a serious flaw in the program that left the system vulnerable to attack.
Correcting the flaw was made more difficult by the fact that the vulnerable component was not uninstalled with the application: those who no longer had the software were still at risk and, theoretically, would be forced to manually download the program to correct the flaw. Apple decided to release an update for macOS that removed Zoom's vulnerable software from all computers running its system.
Zoom's share price doubled in 2020
Zoom's conference services are gaining popularity due to the novel coronavirus pandemic, which is forcing personal and professional communications to take place over the internet.
Zoom's shares on the NASDAQ have increased by 28% in the last 30 days and 113% since the beginning of the year, driven by investors' expectations of increased revenue.
According to Bernstein Research, a consultancy specializing in market analysis, Zoom is estimated to have expanded its monthly user base by 2.2 million people from early 2020 to mid-February, a greater gain than in the entire year 2019.
Since several regions were quarantined after this estimate was calculated, it is possible that the number of users has increased even more.