How privacy agreements impact data privacy for business users: Slack, Zoom and Microsoft Teams
The growing interest in third-party collaboration apps
The growing trend toward remote work is changing how people communicate in the workplace. Cloud-based collaboration apps and videoconferencing tools are making life easier for employees while helping businesses quickly adapt to this new digital world. But now that potentially sensitive conversations are happening via third-party services, what does that mean for your data privacy?
When Zoom’s popularity exploded as employees shifted to working from home due to COVID-19, bad actors quickly took advantage of the security weaknesses in the videoconferencing platform. Besides resulting in the new term “zoombombing,” these security breaches showed the privacy implications that you need to consider when you use cloud-based services.
But before you even start thinking how to protect against the security vulnerabilities of these tools, you need to understand what kind of privacy the service providers themselves offer for the data they collect from your users.
Here’s a look at some of the privacy agreement terms in three of the most popular collaboration services: Slack, Zoom and Microsoft Teams.
Slack: Privacy controls depend on what you pay
Slack has four tiers: free, standard, plus and enterprise. As is typical with multi-tier platforms, the privacy protections and controls in Slack vary greatly based on which one you use — and only the enterprise level comes with advanced options such as data-loss protection (DLP).
Last year, Microsoft reportedly banned Slack because all three lower service levels did not have adequate controls to protect the company’s intellectual property. While Slack Enterprise Grid does have such protections, the tier is geared toward very large or highly regulated enterprises — and chances are, not many smaller businesses can afford it. The company doesn’t disclose enterprise pricing on its website, but the tier below that, Plus, currently costs $12.50 per user per month, so you can do the math from there.
Slack terms of service you should know
A few highlights of what you should know about Slack’s privacy terms:
- Only the Enterprise Grid tier gives you more advanced controls such as custom terms of service and integration with DLP solutions. And it’s also the only level that’s compliant with regulations such as HIPAA.
- The standard terms of service (ToS) are vague. While they state the company has safeguards to prevent unauthorized access by its employees to user data, it’s not clear what kind of access Slack and its employees have. However, in an interview with Gizmodo, a spokesperson said that certain employees may look at your data in situations such as troubleshooting issues and database maintenance.
- When an employee signs up for the service with a corporate email address, the organization, rather than the employee, becomes the Slack “customer.” That means your business gets the admin controls and an authorized administrator such as IT can then manage settings, permissions and users.
Zoom: Don’t expect privacy by default
Zoom privacy issues have been the subject of numerous media reports since the service shot to popularity during the coronavirus pandemic. The company is also currently facing a class-action lawsuit that alleges the company violated the new California Consumer Privacy Act. One of the alleged violations relates to the Zoom IOS app sending user data to Facebook — including phone carrier, device type and the unique advertiser identifier — even if users didn’t have a Facebook account.
The company has since removed the offending code, but this is just one example of its privacy practices coming into question. As another example, Consumer Reports found various issues related to the platform’s collection and use of customer content (such as recordings and messages) for advertising purposes — and in response, Zoom again tightened its privacy practices.
Some general observations:
Although the service’s disclosed privacy practices are vague, you can glean some things from news articles and development such as the recent inquiry by New York’s attorney general. One is the controversy over its encryption practices.
Zoom originally stated the service offered “end-to-end” encryption but some security experts and media reports have challenged that claim, and the company then acknowledged its definition of “end-to-end” was not the same as the industry standard. Since then, the company announced it will start offering end-to-end encryption to paid accounts only. But after yet another round of media attention, it announced the feature won’t be restricted to paid accounts after all.
Microsoft Teams: More transparency
Teams privacy features
Some highlights of the privacy practices that apply to Microsoft Teams:
- Microsoft doesn’t sell the data or use it for marketing, advertising or commercial purposes such as market research but does use it for the purpose of improving its products and services.
- The company deletes personal data (for individual users) within 30 days of a user deleting it or discontinuing the service. Personal data includes anything from content and user profile to call history.
- If your company terminates the service, Microsoft retains the personal data for another 90 to 180 days, but in some circumstances may keep records related to billing for longer.
- The company says when its personnel need access to customer’s cloud data for purposes such as troubleshooting, access is granted under management oversight.
- A privacy whitepaper outlines in great detail what access subcontractors have and what Microsoft does to limit their access to customer data. Among other things, it says that the data is pseudonymized in many cases and in other cases vendors don’t require access to non-anonymized data though technically do have such access. Microsoft also provides a list of subprocessors on its website.
Bottom line: Implement your own policy
Even if you’re using one of the providers with stronger privacy practices, there is still the potential for data leak, simply because a meeting host can record a meeting and share the recording.
Before you allow employees to use these third-party collaboration platforms, create an internal policy and educate them what they can share and how they are allowed to use these services. And make sure the services are sanctioned and managed by your IT team so that you can have visibility into what platforms employees are using and how.
- Microsoft bans Slack and discourages AWS and Google Docs use internally, The Verge
- What’s Slack Doing With Your Data?, Gizmodo
- Zoom Faces Class Action Lawsuit for Sharing Data with Facebook, Vice
- Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account, Vice
- Using Zoom? Here are the privacy issues you need to be aware of, ProtonMail blog
- Zoom Calls Aren’t as Private as You May Think. Here’s What You Should Know, Consumer Reports
- Your Zoom videos could live on in the cloud even after you delete them, C-Net
- Are Zoom Chats Private? Here’s Why You Should Think Before Opening The App, Forbes
- New York Attorney General Looks Into Zoom’s Privacy Practices, New York Times
- Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing, The Intercept
- Exclusive: Zoom plans to roll out strong encryption for paying customers, Reuters