A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles

For Americans sheltering at home during the coronavirus pandemic, the Zoom videoconferencing platform has become a lifeline, enabling millions of people to easily keep in touch with family members, friends, students, teachers and work colleagues.

But what many people may not know is that, until Thursday, a data-mining feature on Zoom allowed some participants to surreptitiously access LinkedIn profile data about other users — without Zoom asking for their permission during the meeting or even notifying them that someone else was snooping on them.

The undisclosed data mining adds to growing concerns about Zoom’s business practices at a moment when public schools, health providers, employers, fitness trainers, prime ministers and queer dance parties are embracing the platform.

An analysis by The New York Times found that when people signed in to a meeting, Zoom’s software automatically sent their names and email addresses to a company system it used to match them with their LinkedIn profiles.

The data-mining feature was available to Zoom users who subscribed to a LinkedIn service for sales prospecting, called LinkedIn Sales Navigator. Once a Zoom user enabled the feature, they could quickly and covertly access LinkedIn profile data — like locations, employer names and job titles — for people in their Zoom meetings by clicking on a LinkedIn icon next to their names.

The system did not simply automate the manual process of one user looking up the name of another participant on LinkedIn during a Zoom meeting. In tests conducted last week, The Times found that even when a reporter signed in to a Zoom meeting under pseudonyms — “Anonymous” and “I am not here” — the data-mining tool was able to instantly match him to his LinkedIn profile. In doing so, Zoom disclosed the reporter’s real name to another user, overriding his efforts to keep it private.

Reporters also found that Zoom automatically sent participants’ personal information to its data-mining tool even when no one in a meeting had activated it. This week, for instance, as high school students in Colorado signed in to a mandatory video meeting for a class, Zoom readied the full names and email addresses of at least six students — and their teacher — for possible use by its LinkedIn profile-matching tool, according to a Times analysis of the data traffic that Zoom sent to a student’s account.

The discoveries about Zoom’s data-mining feature echo what users have learned about the surveillance practices of other popular tech platforms over the last few years. The video-meeting platform that has offered a welcome window on American resiliency during the coronavirus — providing a virtual peek into colleagues’ living rooms, classmates’ kitchens and friends’ birthday celebrations — can reveal more about its users than they may realize.

“People don’t know this is happening and that’s just completely unfair and deceptive,” Josh Golin, the executive director of the Campaign for a Commercial-Free Childhood, a nonprofit group in Boston, said of the data-mining feature. He added that storing the personal details of school children for nonschool purposes, without alerting them or obtaining a parent’s permission, was particularly troubling.

Early Thursday morning, after Times reporters contacted Zoom and LinkedIn with their findings on the profile-matching feature, the companies said they would disable the service.

In a statement, Zoom said it took users’ privacy “extremely seriously” and was “removing the LinkedIn Sales Navigator to disable the feature on our platform entirely.” In a related blog post, Eric S. Yuan, the chief executive of Zoom, wrote that the company had removed the data-mining feature “after identifying unnecessary data disclosure.” He also said that Zoom would freeze all new features for the next 90 days to concentrate on data security and privacy issues.

In a separate statement, LinkedIn said it worked “to make it easy for members to understand their choices over what information they share” and would suspend the profile-matching feature on Zoom “while we investigate this further.”

The Times’s findings add to an avalanche of reports about privacy and security issues with Zoom, which has quickly emerged as the go-to business and social platform during the pandemic. Zoom’s cloud-meetings service is currently the top free app in the Apple App Store in 64 countries including the United States, France and Russia, according to Sensor Tower, a mobile app research firm.

As the videoconferencing service’s popularity has surged, however, the company has scrambled to handle software design choices and security flaws that have made users vulnerable to harassment and privacy invasions.

On Monday, for instance, the Boston office of the Federal Bureau of Investigation issued a warning saying that it had received multiple reports from Massachusetts schools about trolls hijacking Zoom meetings with displays of pornography, white supremacist imagery and threatening language — malicious attacks known as “zoombombing.”

Privacy experts said the company seemed to value ease of use and fast growth over instituting default user protections.

“It’s a combination of sloppy engineering and prioritizing growth,” said Jonathan Mayer, an assistant professor of computer science and public affairs at Princeton University. “It’s very clear that they have not prioritized privacy and security in the way they should have, which is obviously more than a little concerning.”

In response to news reports on its problems, Zoom recently announced that it had stopped using software in its iPhone app that sent users’ data to Facebook; updated its privacy policy to clarify how it handles user data; and conceded that it had overstated the kind of encryption it used for video and phone meetings.

Although profiling consumers and prospecting for corporate clients are standard practices in sales and customer relations management, privacy experts criticized Zoom for making the data-mining tools available during meetings without alerting participants as they were being subjected to them.

One service, called “attention tracking,” which Zoom also said it was removing on Thursday after reporters’ inquiries, displayed an icon “next to the name of any participant who does not have Zoom in focus for more than 30 seconds,” according to the company’s site.

In 2018, Zoom introduced the LinkedIn profile-matching feature to help sales representatives better profile and target sales prospects attending Zoom meetings.

“Instantly gain insights about your meeting participants,” a Zoom video promoting the service said. “Once signed in, you’ll be able to match participants to their LinkedIn profile information and view their recent activity.”

But neither Zoom’s privacy policy nor its terms of service specifically disclosed that Zoom could covertly display meeting participants’ LinkedIn data to other users — or that it might communicate the names and email addresses of participants in private Zoom meetings to LinkedIn. In fact, user instructions on Zoom suggested just the opposite: that meeting attendees may control who sees their real names.

“Enter the meeting ID number and your display name,” one section on Zoom’s Help Center said. “If you’re signed in, change your name if you don’t want your default name to appear.”

Similarly, Zoom’s privacy policy says that “some data will be disclosed to other participants” when a person uses Zoom. For instance, it says, “if you send a chat or share content, that can be viewed by others in the chat or the meeting.” But it did not mention that Zoom could show some users’ LinkedIn data to other users or disclose data about users’ participation in private Zoom meetings to LinkedIn.

Nicole Leverich, vice president of corporate communications at LinkedIn, said that fewer than 100 people per week were actively using the feature on Zoom and that LinkedIn did not retain the data about Zoom users.

Just after 1 a.m. Eastern time on Thursday, Zoom sent an automated message to users saying it had disabled the LinkedIn profile-matching feature “due to administrative issues.”

“We will notify you when the app is re-enabled,” the message said.
