Skip to contentSkip to site index

A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles

After an inquiry from Times reporters, Zoom said it would disable a data-mining feature that could be used to snoop on participants during meetings without their knowledge.

Credit...Zoom

For Americans sheltering at home during the coronavirus pandemic, the Zoom videoconferencing platform has become a lifeline, enabling millions of people to easily keep in touch with family members, friends, students, teachers and work colleagues.

But what many people may not know is that, until Thursday, a data-mining feature on Zoom allowed some participants to surreptitiously have access to LinkedIn profile data about other users — without Zoom asking for their permission during the meeting or even notifying them that someone else was snooping on them.

The undisclosed data mining adds to growing concerns about Zoom’s business practices at a moment when public schools, health providers, employers, fitness trainers, prime ministers and queer dance parties are embracing the platform.

An analysis by The New York Times found that when people signed in to a meeting, Zoom’s software automatically sent their names and email addresses to a company system it used to match them with their LinkedIn profiles.

The data-mining feature was available to Zoom users who subscribed to a LinkedIn service for sales prospecting, called LinkedIn Sales Navigator. Once a Zoom user enabled the feature, that person could quickly and covertly view LinkedIn profile data — like locations, employer names and job titles — for people in the Zoom meeting by clicking on a LinkedIn icon next to their names.

The system did not simply automate the manual process of one user looking up the name of another participant on LinkedIn during a Zoom meeting. In tests conducted last week, The Times found that even when a reporter signed in to a Zoom meeting under pseudonyms — “Anonymous” and “I am not here” — the data-mining tool was able to instantly match him to his LinkedIn profile. In doing so, Zoom disclosed the reporter’s real name to another user, overriding his efforts to keep it private.

Reporters also found that Zoom automatically sent participants’ personal information to its data-mining tool even when no one in a meeting had activated it. This week, for instance, as high school students in Colorado signed in to a mandatory video meeting for a class, Zoom readied the full names and email addresses of at least six students — and their teacher — for possible use by its LinkedIn profile-matching tool, according to a Times analysis of the data traffic that Zoom sent to a student’s account.

The discoveries about Zoom’s data-mining feature echo what users have learned about the surveillance practices of other popular tech platforms over the last few years. The video-meeting platform that has offered a welcome window on American resiliency during the coronavirus — providing a virtual peek into colleagues’ living rooms, classmates’ kitchens and friends’ birthday celebrations — can reveal more about its users than they may realize.

“People don’t know this is happening, and that’s just completely unfair and deceptive,” Josh Golin, the executive director of the Campaign for a Commercial-Free Childhood, a nonprofit group in Boston, said of the data-mining feature. He added that storing the personal details of schoolchildren for nonschool purposes, without alerting them or obtaining a parent’s permission, was particularly troubling.

Early Thursday, after Times reporters contacted Zoom and LinkedIn with their findings on the profile-matching feature, the companies said they would disable the service.

In a statement, Zoom said it took users’ privacy “extremely seriously” and was “removing the LinkedIn Sales Navigator to disable the feature on our platform entirely.” In a related blog post, Eric S. Yuan, the chief executive of Zoom, wrote that the company had removed the data-mining feature “after identifying unnecessary data disclosure.” He also said Zoom would freeze all new features for the next 90 days to concentrate on data security and privacy issues.

In a separate statement, LinkedIn said it worked “to make it easy for members to understand their choices over what information they share” and would suspend the profile-matching feature on Zoom “while we investigate this further.”

The Times’s findings add to an avalanche of reports about privacy and security issues with Zoom, which has quickly emerged as the go-to business and social platform during the pandemic. Zoom’s cloud-meetings service is currently the top free app in the Apple App Store in 64 countries including the United States, France and Russia, according to Sensor Tower, a mobile app research firm.

As the videoconferencing service’s popularity has surged, however, the company has scrambled to handle software design choices and security flaws that have made users vulnerable to harassment and privacy invasions.

On Monday, for instance, the Boston office of the Federal Bureau of Investigation issued a warning saying that it had received multiple reports from Massachusetts schools about trolls hijacking Zoom meetings with displays of pornography, white supremacist imagery and threatening language — malicious attacks known as “zoombombing.”

Privacy experts said the company seemed to value ease of use and fast growth over instituting default user protections.

“It’s a combination of sloppy engineering and prioritizing growth,” said Jonathan Mayer, an assistant professor of computer science and public affairs at Princeton University. “It’s very clear that they have not prioritized privacy and security in the way they should have, which is obviously more than a little concerning.”

In response to news reports on its problems, Zoom recently announced that it had stopped using software in its iPhone app that sent users’ data to Facebook; updated its privacy policy to clarify how it handles user data; and conceded that it had overstated the kind of encryption it used for video and phone meetings.

Although profiling consumers and prospecting for corporate clients are standard practices in sales and customer relations management, privacy experts criticized Zoom for making the data-mining tools available during meetings without alerting participants as they were being subjected to them.

One service, called “attention tracking,” which Zoom also said it was removing on Thursday after reporters’ inquiries, displayed an icon “next to the name of any participant who does not have Zoom in focus for more than 30 seconds,” according to the company’s site.

In 2018, Zoom introduced the LinkedIn profile-matching feature to help sales representatives better profile and target sales prospects attending Zoom meetings.

“Instantly gain insights about your meeting participants,” a Zoom video promoting the service said. “Once signed in, you’ll be able to match participants to their LinkedIn profile information and view their recent activity.”

But neither Zoom’s privacy policy nor its terms of service specifically disclosed that Zoom could covertly display meeting participants’ LinkedIn data to other users — or that it might communicate the names and email addresses of participants in private Zoom meetings to LinkedIn. In fact, user instructions on Zoom suggested just the opposite: that meeting attendees may control who sees their real names.

“Enter the meeting ID number and your display name,” one section on Zoom’s Help Center said. “If you’re signed in, change your name if you don’t want your default name to appear.”

Similarly, Zoom’s privacy policy says that “some data will be disclosed to other participants” when a person uses Zoom. For instance, it says, “if you send a chat or share content, that can be viewed by others in the chat or the meeting.” But it did not mention that Zoom could show some users’ LinkedIn data to other users or disclose data about users’ participation in private Zoom meetings to LinkedIn.

Nicole Leverich, vice president of corporate communications at LinkedIn, said that fewer than 100 people per week were actively using the feature on Zoom and that LinkedIn did not retain the data about Zoom users.

Just after 1 a.m. Eastern time on Thursday, Zoom sent an automated message to users saying it had disabled the LinkedIn profile-matching feature “due to administrative issues.”

“We will notify you when the app is re-enabled,” the message said.

The Coronavirus Outbreak

  • Answers to Your Frequently Asked Questions

    Updated March 24, 2020

    • How does coronavirus spread?

      It seems to spread very easily from person to person, especially in homes, hospitals and other confined spaces. The pathogen can be carried on tiny respiratory droplets that fall as they are coughed or sneezed out. It may also be transmitted when we touch a contaminated surface and then touch our face.

    • What makes this outbreak so different?

      Unlike the flu, there is no known treatment or vaccine, and little is known about this particular virus so far. It seems to be more lethal than the flu, but the numbers are still uncertain. And it hits the elderly and those with underlying conditions — not just those with respiratory diseases — particularly hard.

    • What should I do if I feel sick?

      If you’ve been exposed to the coronavirus or think you have, and have a fever or symptoms like a cough or difficulty breathing, call a doctor. They should give you advice on whether you should be tested, how to get tested, and how to seek medical treatment without potentially infecting or exposing others.

    • What if somebody in my family gets sick?

      If the family member doesn’t need hospitalization and can be cared for at home, you should help him or her with basic needs and monitor the symptoms, while also keeping as much distance as possible, according to guidelines issued by the C.D.C. If there’s space, the sick family member should stay in a separate room and use a separate bathroom. If masks are available, both the sick person and the caregiver should wear them when the caregiver enters the room. Make sure not to share any dishes or other household items and to regularly clean surfaces like counters, doorknobs, toilets and tables. Don’t forget to wash your hands frequently.

    • Should I wear a mask?

      Experts are divided on how much protection a regular surgical mask, or even a scarf, can provide for people who aren’t yet sick. The W.H.O. and C.D.C. say that unless you’re already sick, or caring for someone who is, wearing a face mask isn’t necessary. The New York Times and other news outlets have been reporting that the wearing of face masks may not help healthy people, noting that while masks can help prevent the spread of a virus if you are infected, most surgical masks are too loose to prevent inhalation of the virus and the more effective N95 masks, because of shortages at health centers worldwide, should be used only by medical personnel. But researchers are also finding that there are more cases of asymptomatic transmission than were known early on in the pandemic. And a few experts say that masks could offer some protection in crowded places where it is not possible to stay 6 feet away from other people. Masks don’t replace hand-washing and social distancing.

    • Should I stock up on groceries?

      Plan two weeks of meals if possible. But people should not hoard food or supplies. Despite the empty shelves, the supply chain remains strong. And remember to wipe the handle of the grocery cart with a disinfecting wipe and wash your hands as soon as you get home.

    • Should I pull my money from the markets?

      That’s not a good idea. Even if you’re retired, having a balanced portfolio of stocks and bonds so that your money keeps up with inflation, or even grows, makes sense. But retirees may want to think about having enough cash set aside for a year’s worth of living expenses and big payments needed over the next five years.