Zoom: F (Fail)
Zoom Video Communications · 🇺🇸 United States
Technical details
App: us.zoom.videomeetings
Manufacturer: Zoom Video Communications

⚠️ The bottom line

In August 2023, Zoom updated its terms of service to grant itself a perpetual, worldwide, royalty-free licence to use customer content for AI training. The backlash was immediate — customers, privacy researchers, and enterprise clients all revolted. CEO Eric Yuan said it was a "mistake." Zoom rolled it back within days. But the attempt revealed the instinct: when nobody was watching, the first move was to claim ownership of every conversation on the platform. Zoom marketed its calls as "end-to-end encrypted" for years. In 2020, the FTC proved they weren't — Zoom maintained access to meeting content, and the encryption keys were generated on Zoom's servers, not on users' devices. Some calls were routed through Chinese servers even when no participants were in China. The company that 500 million people trusted with their meetings during lockdown was lying about encryption on its marketing page.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Spying: 0/4 N/A (Is someone spying on me?)
Data Sharing: 3/4 HIGH (Who gets my data?)
Security: 3/4 HIGH (Is it actually secure?)
Honesty: 3/4 HIGH (Can I trust what they say?)
CONFIGURE: High-risk areas that can be partially mitigated with settings changes.
5 contradictions: 2 critical, 2 high, 1 medium
3 sources
Findings by concern
Data Sharing: 3/4 HIGH (2 findings)
⚠️ critical: policy claims vs firmware analysis
In August 2023, Zoom updated its terms of service to grant itself a perpetual, worldwide, royalty-free licence to use customer content for AI training. The backlash was immediate — customers, privacy researchers, and enterprise clients all revolted. CEO Eric Yuan said it was a "mistake." Zoom rolled it back within days. But the attempt revealed the instinct: when nobody was watching, the first move was to claim ownership of every conversation on the platform.

What they claim: Zoom respects privacy and requires consent for data use.

What we found: March 2023 ToS: 'perpetual, worldwide, royalty-free, sublicensable license' for all video/audio/chat for AI training. No opt-out. CEO: 'process failure.' Reversed Aug 2023 only after backlash from EFF, Bellingcat, and millions of users.

⚡ high: firmware analysis vs regulatory findings
In February 2023, a Zoom executive told CNBC that Zoom doesn't train AI on customer content. The terms of service at the time said the opposite — granting Zoom a perpetual, worldwide licence to use customer data for machine learning. After a public backlash led by security researcher Jonathan Leitschuh, Zoom updated the terms. "Zoombombing" — strangers invading meetings — was so common in 2020 that the FBI issued a formal warning and New York schools banned it entirely.

What they claim: Zoom meetings are secure by default.

What we found: Zoombombing (2020): no default passwords, strangers joining meetings. FBI warning. Schools banned Zoom. Default security prioritized ease-of-use over protection.

Security: 3/4 HIGH (2 findings)
⚠️ critical: policy claims vs firmware analysis
Zoom marketed its calls as "end-to-end encrypted" for years. In 2020, the FTC proved they weren't — Zoom maintained access to meeting content, and the encryption keys were generated on Zoom's servers, not on users' devices. Some calls were routed through Chinese servers even when no participants were in China. The company that 500 million people trusted with their meetings during lockdown was lying about encryption on its marketing page.

What they claim: Zoom provides end-to-end encryption for secure communications.

What we found: FTC settlement (2020): falsely claimed E2EE while using transport encryption (Zoom held keys). Routed calls through China. 20-year compliance order. Genuine E2EE added later but opt-in, disables recording, breakout rooms, and other features.

⚫ medium: firmware analysis vs policy claims
Zoom offers real end-to-end encryption now — but turning it on disables breakout rooms, polling, live transcription, cloud recording, and phone dial-in. The feature that would actually protect your conversations breaks so many other features that Zoom's own documentation discourages using it for most meetings. Encryption exists on paper. In practice, it's a toggle almost nobody clicks.

What they claim: E2EE provides genuine security.

What we found: E2EE opt-in, disables cloud recording, transcription, breakout rooms, polling, reactions, join-before-host. Most orgs leave it off. Secure option designed to be inconvenient.

Honesty: 3/4 HIGH (1 finding)
⚡ high: policy claims vs app permissions
If your employer turns on Zoom's data-sharing features, your only option is to leave the call — there's no individual opt-out. Your boss's consent counts as yours. In 2023, the FTC fined Zoom $150,000 for deceptive security practices and required 20 years of independent security assessments. The fine for a company with $4.5 billion in annual revenue: 0.003% of one year's earnings.

What they claim: Users control their own data sharing.

What we found: Host consent applies to ALL participants. No individual opt-out without leaving. For employees, employer consent is coerced consent. EFF: 'how is that really consent?'

Sources