Terms of Service (TOS) Under Scrutiny - Part XIV - Zoom the Beast
Confess your sins to the FBI?
In part 13 we looked at the RealVNC TOC or bits of it that stood out as exceptionally unreasonable. We promised we'd dig deeper and, as assured right from the start of this series, we're now embarking on a more in-depth part of the series. We're going to take a deeper look at a TOS that many people agree to without bothering to read or without really understanding what they're digitally 'signing'.
"This was a beast," the person who examined the Zoom TOS told us. "At first, Zoom ToS seem better than I thought. However, I think we must consider there are "recommended features" like generating a voiceprint. Considering Zoom's past history of security issues and misleading information about end to end encryption, trust in this product must be approached with caution."
"Having said this, I personally like Jitsi and Big Blue Button. Keep communications more private and secure."
"Here is a little breakdown of the Zoom TOS and corresponding privacy statement. Warning... it's a LONG one..."
"Seriously. I can't look at it anymore this week!"
ZOOM TERMS OF SERVICEEffective Date: August 11, 2023
13695 words
Average time to read based off 240 wpm - approximately 57 minutes
https://explore.zoom.us/en/terms/Owns service generated data
Past security issues
Past programming practices
Past censorship actions toward activists
No responsibility clause
No lawsuits clauseAt the center of past controversy about using service generated content for training and AI/ML is section 10.2.
However, since a lot of the information is in the privacy statement (a separate document), some or many users may overlook what is in the privacy statement (a 8127-word additional read).
10.2 Permitted Uses and Customer License Grant. Zoom will only access, process or use Customer Content for the following reasons (the “Permitted Uses”):(i) consistent with this Agreement and as required to perform our obligations and provide the Services;
(ii) in accordance with our Privacy Statement;
(iii) as authorized or instructed by you;
(iv) as required by Law; or (v) for legal, safety or security purposes, including enforcing our Acceptable Use Guidelines.You grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary for the Permitted Uses.
Zoom does not use any of your audio, video, chat, screen sharing, attachments or other communications-like Customer Content (such as poll results, whiteboard and reactions) to train Zoom or third-party artificial intelligence models.
Zoom, with its history of censorship and security issues (claiming end to end encryption) as well as implementing background processes on Mac running even after uninstall, have settled lawsuits for as much as 86 million dollars without admitting any wrongdoing. In the past, Zoom has censored speech by activists and activist groups which apparently led to stopping sales in China in 2020 as Zoom abides by local law and was directed to close activist accounts in China.
Zoom claims to not use Customer Content without authorization or to comply with law enforcement and laws. However, Zoom does collect "service generated data" and "owns all rights" to this.
There was some news reports in August 2023 regarding training AI with customer data.
Customer Content is content a customer creates when using Zoom.
Service Generated Data according to section 10.5: You or Your End Users' use of the Services or Software are referred to Service Generated Data. Zoom owns all rights, title, and interest in and to Service Generated Data.
Ownership in section 16.2:
Ownership of Zoom Property. Zoom, its affiliates, its licensors, and suppliers (as applicable) own and shall retain ownership of (i) all Service Generated Data (as provided in Section 10.5),This includes: - telemetry data
- product usage data
- diagnostic data10.5 Service Generated Data. Telemetry data, product usage data, diagnostic data, and similar data that Zoom collects or generates in connection with your or your End Users’ use of the Services or Software are referred to as Service Generated Data. Zoom owns all rights, title, and interest in and to Service Generated Data.
This is a longer terms of service with additional docs to also read.
The terms of service begins with a statement to please read these terms carefully. Then, the a statement to "READ THIS AGREEMENT CAREFULLY" states information about the user or agreement party not taking any court or class-action claims.
Currently, there is a bill in the United States - FAIR to prevent terms of service from restricting lawsuits.
https://www.congress.gov/bill/117th-congress/house-bill/963/text
This bill aims to protect against disputes
SEC. 2. PURPOSES.The purposes of this Act are to—
(1) prohibit predispute arbitration agreements that force arbitration of future employment, consumer, antitrust, or civil rights disputes; and
(2) prohibit agreements and practices that interfere with the right of individuals, workers, and small businesses to participate in a joint, class, or collective action related to an employment, consumer, antitrust, or civil rights dispute.
This bill passed the House already, has the purpose to prohibit agreements and practices that interfere with the rights of individuals to participate in a joint or class action. Like this TOS for example.
There is some content in the ToS restricting sharing your account, billing payments, using documentation, ownership and goes into responsibilities of users.
These responsibilities include abiding with the terms and conditions for you and your users.Zoom assumes no responsibility for violation of this Agreement.
4.2 Violations by End Users or Third Parties. Zoom assumes no responsibility or liability for violations of this Agreement by End Users or any other third party that you allow, direct, or enable to access the Services or Software. If you become aware of any violation of this Agreement in connection with use of the Services or Software by any person, you must contact Zoom at trust@zoom.us.
Zoom can investigate complaints and how the process may include issue warnings, suspension, removing content, terminating accounts or other "reasonable" actions in its sole discretion.
The ToS goes into system requirements, beta services, recordings, prohibited users, and how they use your content.
10.2 Permitted Uses and Customer License Grant. Zoom will only access, process or use Customer Content for the following reasons (the “Permitted Uses”): (i) consistent with this Agreement and as required to perform our obligations and provide the Services; (ii) in accordance with our Privacy Statement; (iii) as authorized or instructed by you; (iv) as required by Law; or (v) for legal, safety or security purposes, including enforcing our Acceptable Use Guidelines. You grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary for the Permitted Uses.Zoom does not use any of your audio, video, chat, screen sharing, attachments or other communications-like Customer Content (such as poll results, whiteboard and reactions) to train Zoom or third-party artificial intelligence models.
Section 11 covers restrictions of use by children.
Section 12 covers payments.
Section 13 covers taxes.
Section 14 covers termination and suspension
Section 15 covers agreement modification
Then next few sections cover proprietary rights, confidentiality, third party proprietary rights, APPLE iOS TERMS OF USE, medical devices, integrations, export restrictions, safe use. no warranties, indemnification, limitations on liability.
Again, the arbitration notice is in the limitations clause. "Dispute will also include termination of this Agreement". Exceptions to arbitration include claims pertaining to copyright, trademark, domain name, trade secrets and patents.
ANONYMIZED AND AGGREGATED DATA
You agree that Zoom may obtain and aggregate technical and other data about your and your End Users use of the Services and Software on a de-identified or anonymized basis (“Aggregated Anonymous Data”), and Zoom may use the Aggregated Anonymous Data in accordance with applicable Law, including to analyze, develop, improve, support, and operate the Services and Software provided to you or other unrelated customers, during and after the term of this Agreement, including to generate industry benchmarks or best practices guidance, recommendations, or similar reports.Other sections include: US STATE LAW PRIVACY ADDENDUM, U.S. FEDERAL GOVERNMENT AND OTHER GOVERNMENT USERS, POLICIES; DATA PROCESSING ADDENDUM.
In section 31, you agree to the privacy statement. This is another document with a word count of over 8000 words. So, in addition to the almost hour of reading the terms of service, an additional 33 minutes at 240 wpm bringing the total to about 1 hour and half of reading time.
31.1 Privacy Statement. You consent to and agree to our Privacy Statement, and you are on notice of and acknowledge that our collection, sharing, and processing (which may include organizing, structuring, storing, using, or disclosing) of your personal data will be subject to our Privacy Statement and, if applicable, our Global Data Processing Addendum and US State Law Privacy Addendum.Zoom Privacy Statement
Last updated: March 17, 2024
Word Count: 8127
URL: https://explore.zoom.us/en/privacy/The Privacy Statement describes the personal data they collect and/or process (which may include collecting, organizing, structuring, storing, using, or disclosing) to provide products and services offered directly by Zoom Video Communications, Inc. (“Zoom”).
The takeaway here is to always check your settings and what you agree to allow for features, enhancements, and third party integrations.
Could a user hosting a Zoom call inadvertent ally have these settings enabled?
Curious? I know I was. I went to settings.
I searched for voiceprint.
Not found. The settings for recordings was defaulted to record.
If the setting is not easily found, how can you know whether you have something set by default?
AI was NOT set by default.
There are several other features for data collection but one other takeaway would be for Zoom to clearly link to or indicate exactly where the data collections are located in the Settings. This is not required by law, but would be a good faith effort. If you find an app or system where the data collection settings are not easily found to ensure you have not enhanced features to collect and use data, we, as a community could develop a data collect guide or some simple guidance to ensure telemetry or data collection enhancements/features are disabled.
Below is a summary of data collected by Zoom and how it is used.
Account Information: Information associated with an account that licenses Zoom products and services, which may include administrator name, contact information, account ID, billing and transaction information, and account plan information.Profile and Participant Information: Information associated with the Zoom profile of a user who uses Zoom products and services under a licensed account or that is provided by an unlicensed participant joining a meeting, which may include name, display name, picture, email address, phone number, job information, stated locale, user ID, or other information provided by the user and/or their account owner.
Contact Information: Contact information added by accounts and/or their licensed end users to create contact lists on Zoom products and services, which may include contact information a user integrates from a third-party app, or provided by users to process referral invitations.
Settings: Information associated with the preferences and settings on a Zoom account or user profile, which may include audio and video settings, recording file location, screen sharing settings, and other settings and configuration information.
Registration Information: Information provided when registering for a Zoom meeting, webinar, Zoom Room, or recording, which may include name and contact information, responses to registration questions, and other registration information requested by the host.
Personal Data:
Account information - name, contact info, account ID, billing, transaction and plan info. Profile and participant - user info both licensed account and unlicensed participant joining a meeting including name, display name, picture, email address, phone number, job info, locale stated, user ID and more. Contact info - contact lists on zoom including contact info integrates from a third party app or provided to process referral invites. Settings - preference and settings on Zoom account or profile including audio and video settings, recording file location, screen sharing settings and other configurations.
Device info - Info about computers, phone or other devices used when using zoom including info about speakers, mic, camera, OS version, hard disk ID, pc name, MAC address, IP, device attributes (os version and battery level), wifi info, and other info like Bluetooth signals. The IP address is used to infer general location at a city or country.
Content and Context from Meetings, Webinars, Messaging, and Other Collaborative Features Content generated in meetings, webinars, or messages that are hosted on Zoom products and services (“Customer Content”), which may include audio, video, in-meeting messages, in-meeting and out-of-meeting whiteboards, chat messaging content, transcriptions, transcript edits and recommendations, responses to account owner / host-sponsored post-meeting or webinar feedback requests, responses to polls and Q&A, and files, as well as related context, such as invitation details, meeting or chat name, or meeting agenda.
Customer Content may contain your voice and image, depending on the account owner’s settings, what you choose to share, your settings, and what you do on Zoom products and services. As referenced below, Zoom employees do not access or use Customer Content without the authorization of the hosting account owner, or as required for legal, safety, or security reasons.
So, basically, Zoom states your content is collected but is not accessed or used without authorization of the hosting account owner or as required for legal, safety or security reasons.
Zoom does state employees do not access content unless authorized by the account owner or for legal/safety/security reasons.
Zoom employees do not access or use Customer Content including meeting, webinar, messaging, or email content (specifically, audio, video, files, in-meeting whiteboards, messaging, or email contents), or any content generated or shared as part of other collaborative features (such as out-of-meeting whiteboards), unless authorized by the account owner hosting the Zoom product or service where the Customer Content was generated, or as required for legal, safety, or security reasons. Zoom does not use any of your audio, video, chat, screen sharing, attachments or other communications-like Customer Content (such as poll results, whiteboard and reactions) to train Zoom’s or third-party artificial intelligence models.Zoom does use personal data:
- To provide products and services to account owners, users and invitees
- To customize Zoom products and recommendations for accounts
- Determine what products/services may be available in their location
- Route messages, invitations and emails
- Customer support - access audio, video, files, messages,
- Manage relationships with account owners and others - including billing, compliance with contracts, facilitation payment to third party developers for purchased in the marketplace
If you enable enhanced audio, Zoom will generate a voiceprint either from a recording you upload for that purpose or from meetings you participate in.
This data is retained but you can disable features and delete data any time in Settings. The retention time is until you delete it or up to 3 years after you last interact with Zoom.
If you enable certain video features, data does not leave your device and is not retained, cannot identify you and is only used to generate effects.
If you enable Intelligent features such as Zoom AI Customer Content is only used for the features.
If you authorize Zoom and/or 3rd party marketing, information about your visit, invitations, how and when you visit the websites and interactions are used to provide ads to you.
Additionally, Zoom uses your data for Authentication, Integrity, Security and Safety which basically, it uses your data to "prevent" violations of their terms and any illegal or harmful activity. This includes automatic scanning of content such as:
- virtual backgrounds
- profile images
- incoming emails to Zoom’s native email service from someone who is not a Zoom Email user
- files uploaded or exchanged through chat
Zoom uses your data to communicate with you about Zoom.
Legal Reasons - Zoom uses your data to comply with applicable law or respond to valid legal process.
This includes:
- law enforcement
- government agencies
- investigate or participate in civil discovery,
- litigation, or other adversarial legal proceedings,
- to protect you, Zoom, and others from fraudulent, malicious, deceptive, abusive, or unlawful activities, and
- to enforce or investigate potential violations of our Terms of Service or policies.
Information about how people and their devices interact with Zoom products and services, if authorized by account owner such as:
- when participants join and leave a meeting
- whether participants sent messages and who they message with
- performance data
- mouse movements
- clicks
- keystrokes
- actions (such as mute/unmute or video on/off), edits to transcript text
From the privacy statement:
Who Can See, Share, and Process My Personal Data When I Join Meetings and Use Other Zoom Products and Services?When you send messages or join meetings and webinars on Zoom, other people and organizations, including third parties outside the meeting, webinar, or message, may be able to see content and information that you share.
Other sections in the terms of service include marketing having the right to identify you and you grant Zoom the right to develop content around your experience. A miscellaneous section with information about successors, governing laws, language, email, interpretation, and waiver.
There is a section for DEFINITIONS of terms.
This ToS included terms of service and accompanying files. One thing to note is while a privacy statement or policy may outline a lot of data collection and uses, this privacy statement is not a terms of service. The terms of services agreement often includes additional documents you agree with. In this case, the length of these documents combined was over 20,000 words taking approximately 1.5 hours to read.
Imagine if you were invited to a half hour meeting or needed to set up a short 15 minute session and you decided to use Zoom.
Again, the default setting for AI was not enabled by default using the web interface. The instructions for voiceprint was not quick to find, for the sample I setup, audio and voiceprint was not found in system settings where Zoom documentation stated it would be so quick information to even check if a feature they use for data collection was enabled or not could not be verified.
There was also a follow-up regarding voiceprints.
"I was attempting to edit when I realized I left out the final step in finding the voiceprint section or - "allowing" certain data," the assessor told us. "AI was not enabled in the browser based Zoom. I installed Zoom on [Linux] Mint. There I found the audio setting for voiceprint. So, that not finding options was due to my using the browser interface rather than an app."
"Still, it shouldn't be so difficult to find options in one or the other when I want to make sure I am not sharing data or enabled features. AI was turned off by default. Still, good to check other settings are disabled by default too."
Many people consent to this stuff only because peers/colleagues pressure if not force them to. Is that really consent? If your boss tells you to do something illegal, must you comply? █