> You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content and to perform all acts with respect to the Customer Content.
> (ii) for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, training, testing, improvement of the Services, Software, or Zoom’s other products, services, and software, or any combination thereof
What you do and what you say need to be consistent to preserve user trust and then being inconsistent shows mismanagement by senior leadership or even potentially intent to deceive or spin the situation while still implementing the policy. It’s the PR classic do one thing say another.
Edit: Oh, and then this hits almost at the same time…
https://www.sfgate.com/tech/article/zoom-return-to-office-an...
One implication is that lawyers can no longer use Zoom for anything which is attorney-client privileged.
> We will not use ... protected health information, to train our artificial intelligence models without your consent.
> We routinely enter into ... legally required business associate agreements (BAA) with our healthcare customers. Our practices and handling of ... protected healthcare data are controlled by these separate terms and applicable laws.
To my understanding there is nothing in the separate terms (BAA) or applicable laws (HIPAA) that actually guarantees this.
I don't want to assume malice but if in good faith I would have expected an updated BAA with an explicit declaration regarding data access and disclosure in a legally-binding fashion rather than a promissory blogpost vaguely referencing laws that don't themselves inherently restrict the use of PHI for training by Zoom.
It would really only require a single term.
> Notwithstanding the above, Zoom will not use audio, video or chat Customer Content to train our artificial intelligence models without your consent.
It’s worth mentioning that per this agreement they can still do almost anything else with that data. They could put your face up on a billboard if they wanted to.
I’m out. I was a paying user. Can’t run fast enough from ever doing business with them again.
†but we'll prompt you an overly long privacy policy including such consent whose acceptation is just a checkbox you tick the first time you join a call without even paying attention (nor choice)
They'll do inference all day long, but not train without consent. Only being slightly paranoid here, but they could still analyze all of the audio for nefarious reasons (insider trading, identifying monetizable medical information from doctors on Zoom, etc). Think of the marketing data they could generate for B2B products because they get to "listen" and "watch" every single meeting at a huge swath of companies. They'll know whether people gripe more about Jira than Asana or Azure Devops, and what they complain about.
Hats off to zoom for the free contract drafting lesson!
[edit: thanks to HN commenter lolinder for the actual lesson].
So they can create a transcript of the conversation and train with it. Or train on any document you may have shared during a Zoom meeting.
I would have preferred the exception - if that was the intent - to enumerate the components of the Customer Content that they want to use for training.
10.1 Customer Content. You or your End Users may provide, upload, or originate data, content, files, documents, or other materials (collectively, “Customer Input”) in accessing or using the Services or Software, and Zoom may provide, create, or make available to you, in its sole discretion or as part of the Services, certain derivatives, transcripts, analytics, outputs, visual displays, or data sets resulting from the Customer Input (together with Customer Input, “Customer Content”);
This is very Technologic
> [...] for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, training, testing, improvement of the Services, Software, or Zoom’s other products, services, and software, or any combination thereof [...]
Those two clauses, coupled with the current murky state of AI-from-copyrighted-material, should make everyone run screaming from Zoom as a product that can be entrusted with confidential information.
In addition Skype's ToS granted MS a licence to any and all IP you might discuss during a Skype call.[1] I wonder why no businesses were bothered by that...?
[1] ...decades ago, I don't know how it reads now, can't be arsed to check.
Can you imagine the response to a telephone company saying they can use your voicemail messages for their own purposes?
Seems like it might be worth them including, IANAL. Otherwise can't they just change it in the website UI...? They don't promise any particular process for acquiring consent, but sure declare you give it to them for many many other things.
> Notwithstanding the above, Zoom will not use audio, video or chat Customer Content to train our artificial intelligence models without your consent.
But what are the best alternatives at the moment?
Zoom is very popular…
You think a TOS that's biased towards the company, or the customer, has any legal effect on a Chinese domestic corporation that's subject to the laws and regulations of the Ministry of State Security? Really?
Which means that in the case where Zoom is provided to you by your employer, they claim that the employer consent is just what matters. Once more "Fuck GDPR".
It's baffling how many people in previous threads thought a company that gets most of its money from enterprise/business clients, will burn all their reputation by surreptitiously using client data to train their AI.
> Zoom has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and gave user data to Facebook and Google without the consent of users. The settlement between Zoom and the filers of a class-action lawsuit also covers security problems [0]
> Mac update nukes dangerous webserver installed by Zoom [1]
> The 'S' in Zoom, Stands for Security - uncovering (local) security flaws in Zoom's macOS client [2]
[0] https://arstechnica.com/tech-policy/2021/08/zoom-to-pay-85m-...
[1] https://arstechnica.com/information-technology/2019/07/silen...
Occam's razor also applies here.
I now use Hanlon's Shaving Brush. It's a broad brush that I use to paint every sketchy move businesses make. "Is it malice? Or is it incompetence that merely looks like malice?". I don't care! I'll assume malice unless otherwise shown.
It's not my job to try and find out how evil shit was done accidentally. It doesn't matter if they "oopsied" into selling a firehose of my data to a "trusted partner" to analyze to death. Nobody actually gives a shit at these companies, so I need to treat them all as if they're malicious. If the underlying cause was a bit of incompetence a few years ago, that does nothing for me when I'm discovering the fuckery.
But, really, does it matter whether the bad thing is caused by incompetence or malice outside of a court of law? The bad thing happens either way.
I think attributing everything to incompetence vastly underrepresents intent. Maybe not all bad acts are malice, but too many are attributed to incompetence. Maybe it is not malice, but it can still be intentional actions against or indifferent to your interests.
Maybe it's both: malice to kick off the effort and incompetence because they got found out.
The word adequately, and the fact it was made when presuming good faith was more reasonable.
These days it's better to assume everything is theft, fraud, or marketing.
There is however research (that aligns with a lot of people's experience) to suggest psychopaths and sociopaths are very over represented in leadership:
Although there are a ton of alternatives out there they are all "too hard" or something, so since Zoom mostly works OK most of the time and is dead simple to use it will continue to win out over everything else.
My position on Zoom hasn't changed since 2020: Anyone using Zoom will continue to get exactly what they deserve.
Users vote with their feet based on cost and UX. While inertia is certainly a thing, there's a reason Zoom got a foothold while others didn't. The ability to send out links and having people join the meeting without creating accounts or manually installing clients first is huge in most real-world scenarios. Could you do that with... Teams? Skype? Hangouts if they weren't gmail users? Do those people know anyone with the knowledge and gumption to host something?
From the beginning of my involvement in FOSS like 25 years ago, developers have griped about non-technical users being intimidated, or even just really annoyed by UX resistance that we consider trivial. That's the primary reason open source alternatives are alternatives rather than the standard in user-facing software.
this is how it used to be, until HTTPS and cloudflare-like hosting solutions, were guzzled back like electric kool-aid. all you really needed was an IP and perhaps a port number if endpoint was behind NAT.
I never really understood why people like Zoom's UX, I find it unintuitive and awkward.
https://techcrunch.com/2019/07/10/apple-silent-update-zoom-a...
https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-s...
https://www.macrumors.com/2019/07/10/apple-update-remove-zoo...
1) Until recently, Zoom's video/audio quality knocked everyone else's into a cocked hat. I don't think that's the case, anymore. Looks like a lot of folks got off their butts, and improved their quality, but I haven't seen this mentioned anywhere, by anyone.
2) Everyone else is using it.
#2 is a biggie. Monopoly inertia is pretty hard to overcome, for people not in the tech industry (we'll change on a whim).
Zoom is not easy to use. Its settings are a mess, but everyone is used to dealing with the Zoom pain, and doesn't want to switch.
We can be remarkably cavalier in dismissing non-tech folks, but I learned to stop doing that, many years ago. We're not the only smart people in the world.
People (in general) don't like getting sidetracked by their tools. They want to get a job done, and how they get it done is not irrelevant, but not that important to them. They develop and refine a workflow, which is usually heavily informed by their choice of tools, and that "wears a groove." They don't want to switch grooves; even if they are not enjoying their tool.
Most tech folks, on the other hand, love tools. I had an employee that would stop his main project, and design a massive subsystem, just to make a simple command-line process a few seconds shorter. I had to keep on my toes. He was the best engineer I've ever worked with, but it was a chore to keep him focused.
Non-tech types are seldom like that, and we can sometimes miss it.
These are the folks that use our products, and we don't actually gain anything by disrespecting them, even when they really piss us off.
TL;DR: Want people to stop using Zoom? Produce something better, and make it something that non-tech folks will love.
That means easy to use, forget-about-it UX, and extremely high quality.
Or you inherently can't make it "forget about it UX and extremely high quality" as most non techies define it. Because you have the issue that even if a company self hosts a meeting tool, they likely can't get the backbone connections Zoom etc can get. They at least need someone to use a URL to get there. It can be made mostly simple, but then you're back to some company running it - works for corporate use maybe, not for your home user. Even Signal lags compared to Zoom. And people really dislike Signal's phone number requirement, but it's what makes it somewhat possible to route connections for users.
What's a system that a home person could use that's not going to get them routing through one company's servers, but is actually simple enough to use?
The place where I do get somewhat exasperated as a techie is that the equivalent of asking for a phone number or address in any program that isn't an e-mail website is seen as "too hard". This makes pretty much any privacy respecting design impossible to scale beyond nerds.
Well, I consider that to be my data and actually it is since I canceled our company's Zoom account when they adjusted their TOS. I'll take my data elsewhere.
The few with smarter lawyers and IT departments, usually academic, do but a majority of all of the new "AI" health tech products I've heard about pitched to hospitals use customer PHI for product development.
They basically claim that the customer (the one who signs the contract, not the Zoom user) who hosts the meeting is responsible for GDPR compliance by defining the right account settings. So if you are invited on a call you basically have no rights.
In sec. 10.4, Zoom says "... Zoom will not use audio, video or chat Customer Content to train our artificial intelligence models without your consent."
Customer Content is defined in 10.1 and is broadly worded. But the first sentence of sec. 10.2 clearly states that "Customer Content" does NOT include "Service Generated Data."
Therein lies the rub. "Service Generated Data" = "any telemetry data, product usage data, diagnostic data, and similar content or data that Zoom collects or generates in connection with your or your End Users’ use of the Services ...." (sec. 10.2).
Zoom is allowed to use Service Generated Data for any purpose (sec. 10.2) because it is not "Customer Content."
This "clarification" does nothing meaningful to assuage the serious data privacy concerns posed by Zoom's use of captured user video content.
This might be a loophole Zoom is trying to use - while they are technically not using customer data (Zoom client not sending video stream to train AI), the Zoom client can process data locally and send only embeddings (numeric vectors without ties to customer PII data) and it still will be customer data
Bold claim for a company that already lost a class action for deliberately lying to its users.
If my employer is the "customer" what say, if any, do I have as an individual?
By participating in a call am I giving Zoom permission to do things like train deep fakes of me?
This is all too Blackmirrory for my liking.
It's much the same as the issue that was raised a few days ago, where your employer instructs or expects you to lie. The only way they have to "force" you is to threaten dismissal; this is insufficient to justify the terms "compel" or "force".
A police officer holding a Glock can compel you. Your boss cannot.
I had the same issue when my EU-based employer was sold to a US company. My personal data suddenly went from EU to US-based HR systems without my consent. Resigning would not have fixed anything. My personal data will be in the US forever.
Read the TOS again. They are only speaking about customer consent. Not "user". If you are not the one signing the contract or are just invited to a call (not hosting) you basically have no rights to define settings such as any form of opt-out (assuming they exist).
All 350+ workstations.
We’re not buying it
The days of the “corporate responsibility” letter are over. Nothing you say will be believed if it conflicts with your bottom line.
There’s saying in Texas…won’t be fooled again
But this is par for the course for Zoom.
Don't we provide consent when we agree to the TOS? And we can't use the product without doing that?