How privacy agreements impact data privacy for business users: Slack, Zoom and Microsoft Teams

The growing interest in third-party collaboration apps

The growing trend toward remote work is changing how people communicate in the workplace. Cloud-based collaboration apps and videoconferencing tools are making life easier for employees while helping businesses quickly adapt to this new digital world. But now that potentially sensitive conversations are happening via third-party services, what does that mean for your data privacy?

When Zoom’s popularity exploded as employees shifted to working from home due to COVID-19, bad actors quickly took advantage of the security weaknesses in the videoconferencing platform. Besides resulting in the new term “zoombombing,” these security breaches showed the privacy implications that you need to consider when you use cloud-based services.

But before you even start thinking how to protect against the security vulnerabilities of these tools, you need to understand what kind of privacy the service providers themselves offer for the data they collect from your users.

Here’s a look at some of the privacy agreement terms in three of the most popular collaboration services: Slack, Zoom and Microsoft Teams.

Slack: Privacy controls depend on what you pay

Slack has four tiers: free, standard, plus and enterprise. As is typical with multi-tier platforms, the privacy protections and controls in Slack vary greatly based on which one you use — and only the enterprise level comes with advanced options such as data-loss protection (DLP).

Last year, Microsoft reportedly banned Slack because all three lower service levels did not have adequate controls to protect the company’s intellectual property. While Slack Enterprise Grid does have such protections, the tier is geared toward very large or highly regulated enterprises — and chances are, not many smaller businesses can afford it. The company doesn’t disclose enterprise pricing on its website, but the tier below that, Plus, currently costs $12.50 per user per month, so you can do the math from there.

Slack terms of service you should know

A few highlights of what you should know about Slack’s privacy terms:

• Only the Enterprise Grid tier gives you more advanced controls such as custom terms of service and integration with DLP solutions. And it’s also the only level that’s compliant with regulations such as HIPAA.
• The standard terms of service (ToS) are vague. While they state the company has safeguards to prevent unauthorized access by its employees to user data, it’s not clear what kind of access Slack and its employees have. However, in an interview with Gizmodo, a spokesperson said that certain employees may look at your data in situations such as troubleshooting issues and database maintenance.
• When an employee signs up for the service with a corporate email address, the organization, rather than the employee, becomes the Slack “customer.” That means your business gets the admin controls and an authorized administrator such as IT can then manage settings, permissions and users.
• According to the Slack privacy policy, the service logs a variety of metadata, such as content and links users view, IP addresses, browser and device type, location based on user as well as third-party data, date and time of user and so on. The company says it retains this data “for as long as necessary” after you deactivate your account, without specifying what the time limits may be. It can also share this data with others for unspecified “business purposes,” including with affiliates and third-party services, which may have their own privacy policies. While metadata doesn’t include the content shared on the platform, it does provide a treasure trove of other information about your company and users.

Zoom: Don’t expect privacy by default

Zoom privacy issues have been the subject of numerous media reports since the service shot to popularity during the coronavirus pandemic. The company is also currently facing a class-action lawsuit that alleges the company violated the new California Consumer Privacy Act. One of the alleged violations relates to the Zoom IOS app sending user data to Facebook — including phone carrier, device type and the unique advertiser identifier — even if users didn’t have a Facebook account.

The company has since removed the offending code, but this is just one example of its privacy practices coming into question. As another example, Consumer Reports found various issues related to the platform’s collection and use of customer content (such as recordings and messages) for advertising purposes — and in response, Zoom again tightened its privacy practices.

Highlights related to Zoom’s privacy policy

Zoom’s practices have evolved as more concerns surfaced, so you should review the most-current privacy policy. However, keep in mind that the policy — at least in its current iteration — doesn’t provide enough detail to truly understand how your organization’s data is impacted.

Some general observations:

• Zoom doesn’t monitor the meeting or its contents. However, meeting hosts may choose to have meeting recordings stored by Zoom in the cloud. It’s not clear from the privacy policy how long the company retains this content and who has access to it internally and for what purpose, but security researchers showed that it could be easy for unauthorized users to gain access to some of the cloud-stored recordings.
• While this is not mentioned in the privacy policy, according to a Forbes article, private chats are saved and viewable when the meeting host chooses to record the meeting locally (meaning on the device used to host the meeting). Your employees need to be aware that their “private” conversations are not truly private.
• Zoom collects a variety of meta data ranging from device and geographic location and participant emails, but doesn’t state in the privacy policy how long it retains that data and for what purposes it would be retained.

Although the service’s disclosed privacy practices are vague, you can glean some things from news articles and development such as the recent inquiry by New York’s attorney general. One is the controversy over its encryption practices.

Zoom originally stated the service offered “end-to-end” encryption but some security experts and media reports have challenged that claim, and the company then acknowledged its definition of “end-to-end” was not the same as the industry standard. Since then, the company announced it will start offering end-to-end encryption to paid accounts only. But after yet another round of media attention, it announced the feature won’t be restricted to paid accounts after all.

Microsoft Teams: More transparency

Microsoft’s terms of service and privacy practices are more transparent, not surprising giving the company’s maturity and position in the cybersecurity space. Even so, you’ll have to dig a little through various pages of the Trust section in addition to the privacy policy to get a more complete understanding of how the company handles Teams data.

Teams privacy features

Some highlights of the privacy practices that apply to Microsoft Teams:

• Microsoft doesn’t sell the data or use it for marketing, advertising or commercial purposes such as market research but does use it for the purpose of improving its products and services.
• The company deletes personal data (for individual users) within 30 days of a user deleting it or discontinuing the service. Personal data includes anything from content and user profile to call history.
• If your company terminates the service, Microsoft retains the personal data for another 90 to 180 days, but in some circumstances may keep records related to billing for longer.
• The company says when its personnel need access to customer’s cloud data for purposes such as troubleshooting, access is granted under management oversight.
• A privacy whitepaper outlines in great detail what access subcontractors have and what Microsoft does to limit their access to customer data. Among other things, it says that the data is pseudonymized in many cases and in other cases vendors don’t require access to non-anonymized data though technically do have such access. Microsoft also provides a list of subprocessors on its website.

Bottom line: Implement your own policy

Even if you’re using one of the providers with stronger privacy practices, there is still the potential for data leak, simply because a meeting host can record a meeting and share the recording.

Before you allow employees to use these third-party collaboration platforms, create an internal policy and educate them what they can share and how they are allowed to use these services. And make sure the services are sanctioned and managed by your IT team so that you can have visibility into what platforms employees are using and how.

 

Sources

1. Microsoft bans Slack and discourages AWS and Google Docs use internally, The Verge
2. What’s Slack Doing With Your Data?, Gizmodo
3. Zoom Faces Class Action Lawsuit for Sharing Data with Facebook, Vice
4. Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account, Vice
5. Using Zoom? Here are the privacy issues you need to be aware of, ProtonMail blog
6. Zoom Calls Aren’t as Private as You May Think. Here’s What You Should Know, Consumer Reports
7. Zoom Tightens Privacy Policy, Says No User Videos Are Analyzed for Ads, Consumer Reports
8. Your Zoom videos could live on in the cloud even after you delete them, C-Net
9. Are Zoom Chats Private? Here’s Why You Should Think Before Opening The App, Forbes
10. New York Attorney General Looks Into Zoom’s Privacy Practices, New York Times
11. Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing, The Intercept
12. Exclusive: Zoom plans to roll out strong encryption for paying customers, Reuters