Update: The app has now been updated to remove this data transfer. See below for an explanation from the company.
Data shared with Facebook includes your iPhone or iPad model, your time-zone, city, phone carrier and a unique identifier which can be used for ad-targeting …
The discovery was made by Motherboard and confirmed by iOS security researcher Will Strafach.
Upon downloading and opening the app, Zoom connects to Facebook’s Graph API, according to Motherboard’s analysis of the app’s network activity. The Graph API is the main way developers get data in or out of Facebook […]
Zoom is not forthcoming with the data collection or the transfer of it to Facebook. Zoom’s policy says the company may collect user’s “Facebook profile information (when you use Facebook to log-in to our Products or to create an account for our Products),” but doesn’t explicitly mention anything about sending data to Facebook on Zoom users who don’t have a Facebook account at all.
The piece notes that it’s not uncommon for apps to use a Facebook SDK.
This sort of data transfer is not uncommon, especially for Facebook; plenty of apps use Facebook’s software development kits (SDK) as a means to implement features into their apps more easily, which also has the effect of sending information to Facebook.
What is not permitted by Facebook, however, is to do this without notifying users.
Zoom users may not be aware it is happening, nor understand that when they use one product, they may be providing data to another service altogether […]
Facebook told Motherboard it requires developers to be transparent with users about the data their apps send to Facebook. Facebook’s terms say “If you use our pixels or SDKs, you further represent and warrant that you have provided robust and sufficiently prominent notice to users regarding the Customer Data collection, sharing and usage,” and specifically for apps, “that third parties, including Facebook, may collect or receive information from your app and other apps and use that information to provide measurement services and targeted ads.”
It’s not the first time there has been a privacy issue with Zoom. A major vulnerability last year meant that websites were able to activate Mac webcams without first asking permission. And it was recently suggested that the host can monitor other apps in use, though this appears to apply only to corporately-managed machines.
Everyone working remotely:
ZOOM monitors the activity on your computer and collects data on the programs running and captures which window you have focus on.
If you manage the calls, you can monitor what programs users on the call are running as well. It's fucked up.
— Wolfgang ʬ (@Ouren) March 21, 2020
A the time of writing, the company had not commented on this issue with the Zoom iOS app.
Update: Vice now reports that the Facebook code has been removed from Zoom.
“Zoom takes its users’ privacy extremely seriously. We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data,” Zoom told Motherboard in a statement on Friday.
FTC: We use income earning auto affiliate links. More.