Zoom became synonymous with remote work at the onset of the 2020 healthcare crisis. Its ubiquity was so widespread that from being a video conferencing tool it actually became a well-accepted verb. “I was Zooming with my boss,” “Let’s Zoom” and “We’ll Zoom this” became accepted usage, according Zoom the kind of status brands yearn for.
Yet, Zoom’s privacy policy and terms and conditions have often sparked concerns regarding cybersecurity. We, at Cyber Management Alliance, continued to use Zoom for several of our services including Cyber Tabletop Exercises, Incident Response Training and our super popular Virtual Cyber Assistant services for a few simple reasons - it’s convenient, user-friendly and until recently as secure or insecure as any other remote conferencing solution.
In March 2023, Zoom updated its terms of service entangling it in a nice little mess over privacy concerns. The entire fiasco was centred on Zoom's new AI-powered product, Zoom IQ’s features. With the new terms, Zoom claimed rights over users’ audio, video and chat data for improving its Artificial Programme.
Here’s what the new terms said: “10.4 Customer License Grant. You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivate works, and process Customer Content and to perform all acts with respect to Customer Content…”
As per the Terms page, Zoom could access your data for providing better services to you and for product development, marketing, quality assurance and for AI and ML and training to improve its services.
These terms were enough to create serious panic amongst regular Zoom users and a PR tornado for the company. After all, nobody wants their data to be used indiscriminately to supposedly train AI tools.
Responding to the backlash on every possible social platform, Zoom put out a blog clarifying how its applying the new T&C to its AI features on August 7, 2023. It updated the blog on August 11, 2023 claiming to “make it clear that Zoom does not use any of your audio, video, chat, screen sharing, attachments, or other communications like customer content (such as poll results, whiteboard, and reactions) to train Zoom’s or third-party artificial intelligence models.”
Zoom highlighted that it offers a choice to users to enable the “Meeting Summary” option which then allows its AI to send a summary of the meeting to users. However, the host of the meeting has the option of enabling or disabling summary - but the other participants don’t.
Smita Hashim, the Chief Product Officer, who supposedly wrote the blog further tried to reassure users and obviously prevent a mass exodus to Zoom’s competitors with the following words: “We remain committed to transparency, and our aim is to provide you with the tools you need to make informed decisions about your Zoom account. We value your privacy and are continuously working to enhance our services while respecting your rights and preferences.”
But regular Zoom users or ‘Zoomers’ don’t seem to be too convinced.
The simplest reason is the fact that participants in Zoom meetings don’t have a choice about whether their data is being handed over to Zoom or not. If the host, who could be their boss or a highly coveted client, chooses to accept the Meeting Summary option, a participant who needs to hold on to their job is highly unlikely to be able to drop out of the meeting citing privacy concerns.
The other reason, as many experts have pointed out, is that Zoom isn’t very great at keeping its promises when it comes to privacy. In 2020, Zoom assured paid users of end-to-end encryption but a lawsuit alleged that Zoom had already offered this to everyone. It was further embroiled in another controversy for sharing user data with Google and Facebook without consent for which it paid $85 million in settlement.
While Zoom has issued clarifications to its earlier T&C that have embroiled it in this Public Relations and Customer Trust mess, many are still not convinced. The biggest issue is that the average user is now at the mercy of meeting hosts. In case the data sharing option was previously selected, the average participant has to ensure that the host manually gets inside Zoom’s maze of sub-menus and deselect the data sharing option.
This puts the power of protecting your data in the hands of someone else - which nullifies the basic premise of data protection. Organisations and online tools should be compelled to protect your privacy unless you explicitly give consent - not the other way around.
At Cyber Management Alliance, we are obviously amongst the staunchest proponents of Data Privacy and Personal Information protection. We wrote to Zoom with our concerns and here’s the reply we received (many of you may have received the same): “Regarding our new generative AI features - The admin or account owner would need to explicitly turn them on—they are not just turned on without that admin control. In addition to turning the gen AI features on, the admin or account owner would also need to turn on data sharing in order for their data to be used to improve the AI products; if they don’t turn on data sharing, the data will still not be shared. You can certainly continue to use the product “as is” without turning the generative AI products. Participants are given notice in the Zoom user interface when Gen AI features are turned on. The data is not collected without notification.”
Given the above response and the recent clarifications, many of us may continue using Zoom for the same reasons we did earlier.
However, the organisation will have to go the extra mile to win customer trust again - as it has already managed to rub many off the wrong way. Commitment to privacy and data security must be prominent amongst online businesses today and a blatant disregard and stealthy changing of terms overnight is something that will not easily be forgotten or forgiven.
You could choose to opt for services that don’t have a mired history yet such as MS Teams, Google Meet, Signal and many more. Or you could make sure that when using Zoom your host turns the data sharing option off. For now, those seem to be the best options.
But one things businesses and individuals will now definitely need to do is to keep a constant vigil on Zoom's Terms of Service to ensure data safety as well as overall organisational cybersecurity compliance.