Zoom Video Communications, Inc. recently updated its terms of service to permit training AI on user content without an opt-out option. Some legal experts, privacy advocates, and cybersecurity professionals are calling the new terms "excessive" and say it blurs the lines of what should be allowed in terms of consent, data privacy, and personal rights.
In a LinkedIn post today, Frank DePaola, VP & CISO at EnPro Industries, wrote this:
"This is extremely excessive. Will this be the new expectation from vendors that include functionality from AI models? I feel bad for organizations who don't have Legal or contract review teams that can weigh in on these risks. #ai #zoom #privacy #risk"
Alex Ivanovs breaks down the news in a Stack Diary blog post:
"In a detailed perusal of the newly updated terms, two sections—10.2 and 10.4—stand out for their broad-ranging implications on how Zoom is permitted to utilize user data. These sections establish Zoom's rights to compile and utilize 'Service Generated Data,' which is any telemetry data, product usage data, diagnostic data, and similar content or data that Zoom collects in connection with users' use of their services or software.
Zoom's updated policy states that all rights to Service Generated Data are retained solely by Zoom. This extends to Zoom's rights to modify, distribute, process, share, maintain, and store such data 'for any purpose, to the extent and in the manner permitted under applicable law.'"
Violet Sullivan, VP of Client Engagement at Redpoint Cyber, had this to say on LinkedIn today:
"Look closely at 10.2 and 10.4 updates: 'perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license....to redistribute, publish, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content.'
📸 Big Picture???
10.2 and 10.4 cover various aspects of #AI, including:
⭕ Collecting and using Service Generated Data for machine learning, algorithm training, and other AI functions.
⭕ Granting of rights and licenses to Zoom to enable using both Service Generated Data and Customer Content for AI applications, including development, analytics, and quality assurance.
⌚ Effective Date? Already passed.... July 27, 2023
...AND NO OPT OUT.
Looks like Google Bard, CloudAI, Google Translate others are updating their #Privacyterms to include #AIscraping too...
#Zoomprivacy"
After much backlash, Zoom has responded to critics, with Aparna Bawa, Zoom's Chief Operating Officer, saying this on Hacker News:
"To clarify, Zoom customers decide whether to enable generative AI features (recently launched on a free trial basis) and separately whether to share customer content with Zoom for product improvement purposes.
Also, Zoom participants receive an in-meeting notice or a Chat Compose pop-up when these features are enabled through our UI, and they will definitely know their data may be used for product improvement purposes."
Zoom's Chief Product Officer Smita Hashim posted on the company's blog this morning further explaining "How Zoom's terms of service and practices apply to AI features." Some key snippets from the blog post:
"At Zoom, our mission has been to empower our customers with innovative and secure communication solutions. As part of our commitment to transparency and user control, we are providing clarity on our approach to two essential aspects of our services: Zoom's AI features and customer content sharing for product improvement purposes. Our goal is to enable Zoom account owners and administrators to have control over these features and decisions, and we’re here to shed light on how we do that."
[RELATED: Zoom Traffic Through China: Company Apologizes, Announces You Can Control Data Routing]
More from the post:
"We recently introduced two powerful generative AI features—Zoom IQ Meeting Summary and Zoom IQ Team Chat Compose—on a free trial basis to enhance your Zoom experience. These features offer automated meeting summaries and AI-powered chat composition. Zoom account owners and administrators control whether to enable these AI features for their accounts.
When you choose to enable Zoom IQ Meeting Summary or Zoom IQ Team Chat Compose, you will also be presented with a transparent consent process for training our AI models using your customer content. Your content is used solely to improve the performance and accuracy of these AI services. And even if you chose to share your data, it will not be used for training of any third-party models."
And yet more:
"To reiterate: we do not use audio, video, or chat content for training our models without customer consent.
We remain committed to transparency, and our aim is to provide you with the tools you need to make informed decisions about your Zoom account. We value your privacy and are continuously working to enhance our services while respecting your rights and preferences."
In a comment to Sullivan's LinkedIn post, Scott Murphy, former Sr. Director, Legal and Chief Privacy Counsel at Homepoint, wrote this:
"The possible impacts to personal privacy are troubling enough, but I'd also be concerned about firm confidential information as well. A lot of confidential information is discussed, presented, etc. on Zoom meetings. What's to stop Zoom's AI from somehow scraping that too?"
Sullivan also asked a peer, K Royal, JD, PhD, Global Chief Privacy Officer at Crawford & Company, about the impacts the new terms of service would have on telehealth and any HIPAA interactions over the Zoom platform. Royal had this to say in her LinkedIn comment:
"AI is permitted to be used on PHI, however, it has to be for specific reasons and Zoom would be a BA, not a covered entity. Therefore, entities using them would have to restrict their use. BAAs allow for operational activities, which this could be broadly and loosely rolled into and would not likely fall under healthcare operations—there are AI uses specifically for healthcare, such as detecting tumors and identifying precursors to disease activity. This is none of that. Zoom was put in place for telehealth in an emergency and those dates have passed for enforcement discretion. Any covered entity which put Zoom in place during COVID needs to quickly revise those BAAs to restrict use."
