Zoom's Terms of Service Change Asking Permission to Train with Artificial Intelligence
An analysis of the changes and comparison to other tools
I think I have whiplash. On Linkedin, on August 7, I promised to write a longer post on Zoom’s Terms of Service changes. To recap, they updated Sections 10.2 and 10.4 and then they released a blog post explaining their changes. The public backlash was fierce! Reminds me of when I noticed OpenAI’s API terms allowed them to use your inputs to train their LLM and then their quick about face.
Congratulations to everyone who noticed and wrote about these changes because Zoom updated their terms of service on August 11, 2023 and it was quite a change, thus, the whiplash.
I am sure they were shocked at the response to their initial terms of use update on August 7, and how quickly it came. It is unusual for a legal document, often seen as boring and often skipped, to be read right away and then make press coverage.
Disclaimer: My thoughts below are personal and do not constitute legal advice. Please seek the advice of your own advisors about what tools you feel comfortable using. Punch line: I was less comfortable continuing to use Zoom, but they faced the music, did a mea culpa and have earned back my willingness to continue using their service for specific purposes. I am a believer in second chances. However, I will be giving another tool a try that has more privacy preserving practices for my more private conversations.
But I promised a post on Zoom’s terms of service changes so here it is. This blog post is structured to cover the following topics about Zoom’s terms of use: What is customer content? What is machine learning and artificial intelligence? What is service generated data? Comparison of Zoom to a few other platforms.
I will try to stay on target and focused because there are a lot of potential rabbit holes.
What is “Customer Content”? I’m not going to rehash Zoom’s definition because it is all legalese and you can read, obviously. Here is how I use Zoom. I use Zoom for video calls with customers, prospects, team members, webinar guests and podcast guests. I also use it to record product demos. Customer calls may or may not contain confidential information because they may be telling me information about their business that is confidential, such as their security stack. Calls with prospective customers usually include product demos and are usually conducted before any confidentiality agreement is put into place. Calls with my team include white board sessions where we talk about product roadmap i.e. highly confidential and proprietary. Often these meetings also include personal information, talking about our weekend or sharing things about our lives. I also use Zoom to record my podcast, which is publicly published, and to record product demos, so that is not confidential.
But I am also on the other side of Zoom, meaning I am invited to webinars, I am a prospective customer to other businesses and generally networking. When it is someone else’s Zoom, I become their user. This is important to realize when you read the Zoom terms of service because you are responsible for granting permission to your user’s content.
The bottom line is that there is confidential and non-confidential information about me and other people on my Zoom account and other people’s Zoom accounts. I do not wish to give Zoom permission to use it other than for Zoom to facilitate these connections and recordings. Frankly, I don’t want any employee at Zoom to even view my content unless I am calling customer support and giving them permission. It’s mine and, if I did consent, it would have to be on a case-by-case basis. If they add a feature, like voice recognition for verifying that the person on the other side is who they say they are, I may, or may not, give my consent.
What is “machine learning and artificial intelligence”? Using these terms is what irks me the most about their online agreement. In their terms of service, Zoom sought permission (now since removed) from you to use their service generated data and your customer content for “machine learning” and “artificial intelligence.” Personally, I think using generic terms like that, that most people debate the meaning of, is confusing.
In fact, I asked Google Bard what the difference is between artificial intelligence and machine learning. It responded with “I'm a language model and don't have the capacity to help with that.” LOL
If artificial intelligence doesn’t know, then how is a human supposed to know and provide valid and informed consent?
So, I decided to seek a source that may be a bit more authoritative, Columbia University. They basically said that artificial intelligence is the category and machine learning is a subset of that category. Helpful.
Ironically, when I worked at Clarifai, which is a deep learning company building products that offer image recognition, we debated the terms used in the artificial intelligence community frequently, preferring to be specific about describing the company as a deep learning company.
Personally, I want to know what type of artificial intelligence Zoom is using on my customer content before I give them permission, like the voice recognition example I gave above. If it is generative AI, then my worry meter goes up because of the OpenAI terms (specifically, the difference between how they handle API content and non-API content). I also would like to know what companies Zoom is relying on for the artificial intelligence and machine learning or whether they are building these technologies in-house. That actually makes a big difference to me. If they are sharing it with a third party, I want to know if they forbid that third party from any onward transfers because this is the rabbit hole (and you know I love rabbit holes) as to how our private data becomes exposed. If it is Zoom building in-house, well, they already have it anyway so I feel a little re-assured.
Hey Zoom, where is your list of sub-processors? Anyone else find that link?
Luckily, they updated the terms of service on August 11 with this statement:
"Zoom does not use any of your audio, video, chat, screen sharing, attachments or other communications-like Customer Content (such as poll results, whiteboard and reactions) to train (emphasis added) Zoom or third-party artificial intelligence models. (from the August 11, 2023 Zoom Terms of Service update)"
I guess, based on what Columbia University said, we can assume artificial intelligence covers machine learning.
I guess, also, that they are still using customer content to test and run existing artificial intelligence and machine learning models?
So I asked an expert, Meghan Anzelc, PhD, Chief Data & Analytics Officer at Three Arc Advisory, who I happened to be on a panel with a couple of months ago, about how artificial intelligence and other models are built, trained, tested and maintained, and she contributed the following (and a blog post here):
She adds, “In addition to the types of AI that can be developed from your data, it’s also important to consider how else your data can be used in both AI development and use. Zoom’s updated terms exclude training of AI models but in principle can still test or run models on Customer Content. For example, Zoom could use a third-party customer segmentation model and run it on your customer content, or could use an already-developed content topic model to identify which topics are in your content, for what fraction of time, with which other customers and attendees.”
All of these are specific uses where I would want my specific and informed consent.
Finally, there is some question about whether they are using humans to review customer content for legal, safety and security purposes? I actually prefer artificial intelligence in this context but this is another rabbit hole (and thank you to Meghan for also pointing this out).
What is “Service Generated Data”? As I mentioned in my blog post, this defined term is not well defined to me, the average user. Telemetry data is a not a term that I am comfortable with in general. I have read many definitions and it still doesn’t really “stick” in my brain as to what it is. Is it data about whether my wifi connection caused me to get disconnected from a meeting? Zoom then goes on to define service generated data as “product usage and diagnostic data.” Hmm, okay. How is that different from “telemetry data” because diagnostic data sounds like the example I gave above, which is when connection to Zoom is lost. So, I go back to, what is telemetry data again? Is it my earphone connection enabling Zoom audio? Wikipedia was helpful to me because it gives a specific example of telemetry data in their description of its use for software. I won’t repeat it here, but it does say that telemetry data is personal data. And it shows a picture of a crocodile and a bee with a little device on them to track them. Now I get why Alexander Hanff and other privacy experts have been raising the alarm on this part of the terms of service.
I also still loathe that they kept in “and similar data” to their ownership of this service generated data. It casts a wide net that is subject to interpretation. And this is where, if you are a user, you have to look at their Privacy Policy. (looks at privacy policy)
Ummm, huh.
Here is how I would re-write that section in Zoom’s Terms of Service to give customers better assurance. “Telemetry data (excluding any telemetry data that would be considered personal data according to our Privacy Policy), product usage data or diagnostic data that Zoom collects or generates in connection with your or your End Users’ use of the Services or Software are referred to as Service Generated Data. For purposes of clarity, Service Generated Data does not include Customer Content or the content of your audio, video, in-meeting messages, in-meeting and out-of-meeting whiteboards, chat messaging content, transcriptions, transcript edits and recommendations, written feedback, responses to polls and Q&A, and files, as well as related context, such as invitation details, meeting or chat name, or meeting agenda. Zoom owns all rights, title, and interest in and to Service Generated Data.”
Comparison with another tool? I checked out three possible alternatives. To be fair, I am a fan of Microsoft’s commitment to privacy, but I find too much friction with Teams to voluntarily switch to it, so I will not be doing a review of their terms. I checked out Meetn.com based on the recommendation of M.E. Nara to my Linkedin post. Other than finding that their terms of service and privacy policy need some attention by an attorney, I could not find anything that concerned me. However, I did not find anything that reassured me either. Looking at their product, they seem to combine sales with video, so I don’t know that they cover all my use cases I mention in the first section. I would be interested to know people’s reaction to them. And what I mean about reassurance is that I don’t see anywhere a term that states they will not use my content other than to just provide me with the services, which is what I would expect . Nor do they say that they have no access to my video and audio recordings, which deserves the gold star in my book.
Another commenter, Annah, pointed me to Apple and Facetime. I have never considered Facetime for business use! I only use it to talk to friends and family on my phone. Anyway, typical for Apple, their privacy terms are very comforting. Notice how they directly address my questions, such as what content of mine do you collect (they explicitly state they cannot access the content of my calls) and what they do use to provide the services and improve them. It’s a viable alternative.
The last video conferencing tool I reviewed is Jitsi. The first place that Jitsi falls down is that their terms and privacy policy have not been updated in years. But what I do like is that their privacy policy is very clear about what content, including personal data, they need access to in order to provide the services and they also write in bold that they only use your customer content to provide you with the services.
This comparison led me to my conclusion I stated in my intro. Some Zoom, some not Zoom.
Finally, and this may seem self serving, but it comes from the heart, sometimes us lawyers get the blame and we deserve it, but I don’t blame the lawyer here. I want to point out that these types of changes had to have been sought by management and approved by them. As an attorney myself, that’s how this process works. Did management carefully review the proposed changes? Did they warn marketing about them and the potential backlash? Was it intentional or unintentional? We will never know. I just hope that the lawyer who wrote it doesn’t get fired.
In conclusion, because of the press and attention, Zoom changed their terms on August 11 and removed most (but not all) of the concerning terms from their terms of service. I’ll take it as another win for #privacy.
About the author: Caroline McCaffery is a co-founder at ClearOPS, a lawyer and a thought leader who wants her blog posts used to train A.I. She is currently the host of The vCISO Chronicles podcast and a contributor to this blog post. You can connect with her on Linkedin.
About ClearOPS. ClearOPS is a Generative AI automation platform for vCISOs. ClearOPS focuses on the problems of vCISOs and solves them so that they can grow their client base. Inquiries: info@clearops.
If you like this post and want to see more, please subscribe.