As more employers and educators scramble to take their day-to-day lives online due to the spread of the coronavirus, privacy concerns surrounding Zoom Video Communications Inc.’s data collection and storage policies are receiving renewed attention from privacy advocates and experts — especially as educators contend with how to comply with standing student privacy laws and employees deal with a lack of data privacy protections.
At Michigan State University, where classes are going virtual through the end of the semester, academics have started circulating a resource guide filled with alternatives to the popular video conferencing tool, which could put their students’ privacy at risk and threatens to overload the system with hundreds of students tuning in at once. Among the suggestions include Microsoft Corp.’s Teams, Google products that are compliant with student privacy laws and Discord, a chat app popular with gamers.
Christina Boyles, an assistant professor at the university focused on digital technology and humanities, said she doesn’t plan to use any live video conferencing tools — including Zoom, for which her school has a subscription — for a variety of reasons, but a main one being privacy concerns. Instead, she’s opting for tools such as hypothes.is, an annotation discussion tool, and other instructional videos that don’t rely on the students being online at the same time.
The main priority has been getting classes to work virtually, Boyles said, “and so sometimes these privacy concerns don’t make it to the forefront.”
In the past year, Zoom in particular has attracted scrutiny for its wide-reaching privacy policies. A security flaw that enabled bad actors to force random Mac users into a video call — which still functioned after a user deleted the app — prompted a formal complaint from the Electronic Privacy Information Center to the Federal Trade Commission in July claiming unfair and deceptive practices.
Boyles said she’s concerned about having conversations with students about personal matters, including livelihood and mental health, through online platforms that may not be compliant with the federal standard.
“Some of the alarming things are that there’s a broad variety of information they collect,” Boyles said, which can include “any other information you upload, provide or create while using that service.”
Farshad Hashmatulla, a Zoom spokesman, said in a statement that the company takes its users’ privacy “incredibly seriously” and that the service only collects data about users to “the extent it is absolutely necessary” for technical and operational support. Hashmatulla also said the company does not “sell user data to anyone” and that the platform is compliant with the Family Educational Rights and Privacy Act.
Christine Bannan, EPIC’s consumer protection counsel, warns that in the scramble to get schools online, educators might be accidentally opening themselves up to potential violations of two federal laws: FERPA, which protects students’ education records, and the Children’s Online Privacy Protection Act, which lays out privacy protections for website operators to follow when encountering users under the age of 13.
“The transition to remote classes is a last-minute scramble for a lot of schools, and I don’t think that privacy has been high on the list of concerns during this pandemic,” she said.
As for regular employees, Michelle Richardson, director of the data and privacy project at the Center for Democracy and Technology, points out that there is no existing federal privacy law that could influence the way video conferencing tools collect information about them, such as through features like Zoom’s attention-tracking capability.
“That’s kind of intrusive in a way that often doesn’t happen in the physical space or in the physical world,” she said. “Employers have always had incredible control over how employees spend their time, but the technology makes it faster, more invisible and more sophisticated.”