Zoom's iOS app is sending off analytics data to Facebook without warning, even if users don't have a Facebook account.
The video conferencing app's popularity has exploded during the COVID-19 outbreak, becoming essentially an industry standard for video conferences and remote work meetings.
Upon being downloaded and installed, Zoom connects to the Facebook Graph API, a practice that is not entirely uncommon since many app makers use Facebook software development kits (SDKs) to implement features into their software.
Among other things, Zoom notifies Facebook when the iOS app is opened, what device a user is using, what carrier they're on, and what city and time zone they're connecting from. The data also includes a unique advertiser tag, connected to a user's device, that companies use to target advertisements.
Facebook's terms actually require app makers to give their users "robust and sufficiently prominent notice" of data sharing practices. One section even indicates that apps need to specify Facebook by name.
Back in February, the Electronic Frontier Foundation (EFF) found that the Ring for Android app was sending a similar batch of data to analytics companies. While Ring eventually paused those data sharing practices, it hasn't been confirmed whether the company's iOS app did the same thing.
This isn't the first time that Zoom has had a privacy or security blunder. In 2019, a security researcher discovered a zero-day flaw that left users vulnerable to webcam hijacking without their knowledge.
The EFF also detailed some of the other privacy implications of Zoom, including the fact that call hosts can basically monitor the activities of call participants.