Zoom is entangled in an AI privacy mess

The popular video conferencing platform's recent privacy and AI policy changes have exploded in the company's face. Here's what to know.
Written by Steven Vaughan-Nichols, Senior Contributing Editor
Zoom on phone and laptop
NurPhoto/Contributor/Getty Images

Does anyone read software services' terms and conditions? Lawyers do, but even their eyes have been known to glaze over. So until recently, no one had noticed that Zoom had changed its Terms of Service (ToS) in March 2023. Under its new terms, Zoom claimed the right to use your video, audio, and chat data for its artificial intelligence (AI) programs.  

Privacy? Security? What's that?

Also: We're not ready for the impact of generative AI on elections

To be exact, the new terms gave Zoom the rights to any "data, content, files, documents, or other materials (collectively, 'Customer Input') in accessing or using the Services or Software, and Zoom may provide, create, or make available to you, in its sole discretion or as part of the Services, certain derivatives, transcripts, analytics, outputs, visual displays, or data sets resulting from the Customer Input (together with Customer Input, 'Customer Content')."

What are these "Customer Content" rights? First, "Zoom may redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content." 

But wait, there's more. You also give Zoom "a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content and to perform all acts with respect to the Customer Content: (i) as may be necessary for Zoom to provide the Services to you, including to support the Services; (ii) for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, training, testing, improvement of the Services, Software, or Zoom's other products, services, and software."

Also: How to block OpenAI's new AI-training web crawler from ingesting your data

The reaction to all this, when the good people on the forum of Ycombinator, the technology startup accelerator, found out was, shall we say, unhappy. Or, as one commenter put it, "I, for one, do not welcome our dystopian overlords.

After all the uproar about this over the weekend, Zoom changed its Terms of Service. Now, Zoom pinky swears: "Notwithstanding the above, Zoom will not use audio, video, or chat Customer Content to train our artificial intelligence models without your consent."


Zoom's Chief Product Officer Smita Hashim explained in a blog post that the company won't actually do the things described in its ToS. True, Zoom will use some of your data for machine learning. But according to the blog post, "For AI, we do not use audio, video, or chat content for training our models without customer consent." 

But does that tacked-on clause and blog mean anything? Sean Hogle, a business and intellectual property attorney, thinks not. On Ycombinator, he wrote, "Zoom's lawyers are trying to pull a fast one with these revised Terms. The new sentence on user consent being required to train AIs applies only to 'Customer Content,' not 'Service Generated Data.'" Zoom can use this data, which is derived from your conferences and materials, without your consent.  

Also: ChatGPT Plus can mine your corporate data for powerful insights. Here's how

Hogle continued, "Therein lies the rub.'"Service Generated Data' = 'any telemetry data, product usage data, diagnostic data, and similar content or data that Zoom collects or generates in connection with your or your End Users' use of the Services." Using this data, Hogle concluded, "This 'clarification' does nothing meaningful to assuage the serious data privacy concerns posed by Zoom's use of captured user video content."

In her blog post, Hashim continued, "We will not use customer content, including education records or protected health information, to train our artificial intelligence models without your consent." Of course, those were already protected under the Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA), so that's not a big deal. The Department of Justice would have been over them for that.

Of course, to use some of Zoom's AI features, such as Zoom IQ, which offers automated meeting summaries, you must agree to let Zoom use your data. You also don't have any control over a meeting's privacy if you're just attending one and the person who called it has agreed to let Zoom look over your virtual shoulders to take its own notes.  

Few people are happy about this. As Constellation Research analyst Dion Hinchcliffe put it, "Zoom certainly touched upon a major nerve of marketplace fears when its recently updated Terms of Service granted it an essentially unlimited license to all user content (video, audio, text) that passes through its platform… The big concern is that customer IP and people's private information will get stored in such models, where it could be misused."

Also: Generative AI and the fourth why: Building trust with your customer

Larry Dignan, former ZDNET Editor in Chief and present Constellation Research Editor in Chief, added, "Yet the terms of service still grant Zoom the license regardless… Vendors should go out of their way to take the high road with customer data. Those that don't establish and maintain very high levels of trust with customers regarding their data will not enjoy the fruits of the coming AI revolution."

Allen Drennan, co-founder and principal of Cordoniq, a virtual meeting company, agreed. In an email, Drennan wrote, "When private organizations are uploading internal confidential information and intellectual property into a meeting, they are not considering the ramifications of providing their data to a third-party provider managed in a cloud they do not control. The issue is not just limited to shared screens or multi-page confidential shared documents. It is also extended to recordings of the meetings and the audio and video used within the meeting. You really must have control over both security and privacy." 

Hinchcliffe added on Twitter, or X, Zoom still takes "a 'perpetual, worldwide' license to all customer content so that you can 'review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works.' That is unreasonable and an overreach of customer content by quite a bit."

Who can argue with that? Other than Zoom, of course. 

Also: Generative AI will soon go mainstream, says 9 out 10 IT leaders

In 2021, Zoom agreed to pay $85 million in a class action suit for sharing user data with unauthorized third parties such as Facebook, Google, and LinkedIn and misrepresenting the strength of its end-to-end encryption protocols. 

In the same year, Zoom made a deal with the Federal Trade Commission (FTC), which required it to "implement a comprehensive security program, review any software updates for security flaws prior to release and ensure the updates will not hamper third-party security features." The FTC also required Zoom not to misrepresent its data collection practices.

According to John Davisson, director of litigation at the Electronic Privacy Information Center (EPIC) advocacy group, in comments to The Washington Post, this "appears to be a major violation, and it's something the FTC needs to take a close look at." Rep. Jan Schakowsky (D-Ill.), added, "Zoom has a poor track record of protecting consumers' data and living up to its promises -- as their consent order and 2021 settlement prove."

It all boils down to whether you are comfortable with sharing private information with Zoom. As useful as Zoom proved to be during the pandemic, the answer for many companies and organizations faced with this new AI privacy threat appears to be no. As Eliot Higgins, founder of Bellingcat Productions, tweeted, "We run our training workshops on Zoom, so Zoom is effectively planning to train its AI on our entire workshop content with no compensation, so bye-bye Zoom."

I'm sure they won't be the only ones bidding Zoom adieu. 

Editorial standards