Throwing my hat in the ring of the Zoom terms hullabaloo. This one's gonna get a little technical, but as with everything in this space, the devil's 😈 in the details.

When I saw the posts about Zoom's terms allowing it to use #data to train its #AI models, I immediately went to the source to understand what they say (highlighted txt below). And that's when I saw the issue.

Zoom's terms ATTEMPT to make a distinction between two types of data: "Customer Content", which includes users' audio and video calls, uploaded docs, chat content etc., vs. "Service Generated Data", which includes product usage data, diagnostic data and other data generated by Zoom in the process of the use of the product.

What they've TRIED to do is to say that:
(a) Customer Content belongs to you, the customer, and they do not have any right to use it to train their models unless you consent.
(b) Service Generated Data belongs to ZOOM and they CAN use it for their own purposes, including training their models.

The problem is that the policy is drafted poorly and leaves room for interpretation and many questions unanswered. So, in order to "clear up the ambiguity", Zoom decided to add a clarification: "Notwithstanding the above, Zoom will not use audio, video or chat Customer Content to train our artificial intelligence models without your consent." When even this didn't help, their #CPO published a blog explaining the changes to the terms and how they apply.

The problem is that all of these attempts to add more information simply created MORE uncertainty and more questions. For example, are transcripts auto-generated by their new AI feature (Zoom IQ Meeting Summary) considered "Customer Content" or "Service Generated Data"? If Customer Data isn't used to train AI models, why does Zoom need a license to use "Customer Data" for the purpose of training its models (see 10.4)? Why is Zoom only granting admins the option to opt-in/opt-out of model training when end-user data will also be captured and used?

I'm setting the question of the legality of these changes and practices aside here for a sec. One of the takeaways here for #DPOs, #lawyers, and anyone involved in drafting these types of documents is that words matter, explanations (in clear and plain language) matter, transparency matters. Draft simply, be precise, use examples, because if you are ambiguous (deliberately or unintentionally), or if you try to fix the issue with broad statements (which are bolded, so they must be important...) people will call you out on it.

I suggest Zoom's lawyers go listen to some of Mike Whelan, Jr. (he/him)'s Contract Teardown episodes on how to draft Ts&Cs, bcs the current ones are a bit of a mess. #gdpr #ccpa #privacy #dataprotection
What about the impact of privacy legislation here? Zoom has failed to incorporate basic principles of privacy, fairness, etc. What are your thoughts, Avishai Ostrin?
Thanks Avishai. Great post as always. This hullabaloo has shaken my confidence in this tool, especially when it comes to recording calls. I'm on the hunt for a more secure alternative. Is it naive of me to believe one exists?
Great work Avishai Ostrin. Now the question is what are viable alternative options?
Love this post Avishai! Interpretation is still one of our industry's biggest risks! 🤣 It would be excellent for consumers if these organizations had to follow writing standards like the Plain Language Act's principles. This could significantly impact how companies like Zoom create agreements. As the Act stresses, clear communication is vital in legal documents to ensure people understand their rights and what they're forfeiting. The recent Zoom policy issue shows the importance of clarity. Unclear terms and subsequent attempts to clarify the original message highlight the risks of complex language. This well-written post reinforces the need for plain language, making agreements transparent and easy to grasp. Zoom's case is a reminder that simplifying language and providing clear examples can help companies avoid confusion, build trust with their consumers, and aid interpretation. It could be a win-win for companies and users. https://www.plainlanguage.gov/law/
Bingo. As a result, I've started only meeting in person and bringing a notepad. While it's taking longer to train the model, I feel like my shorthand is really keeping things on the up and up.
Dude I hope this starts a trend of lawyers tearing down contracts on social. Getting a look inside how other attorneys think through problems is so valuable as we all try to get better. Great work and thank you for sharing.
This is such a thorny topic, and really hard to distinguish what is allowed and what isn't. You always hope that there is someone in charge there with a good, solid conscience to ensure that no personal data is used for the wrong purpose.
This is a great breakdown of the issue, Avishai Ostrin! FYI - Ross Saunders, CIPP/E Lauren Preston
And if they did make it clearer, would client data be used if an admin did consent? Assuming yes, which is not unreasonable, do you inform your 3rd party participants in Zoom meetings that their data is being used in AI training because you as an organisation thought it was a good idea? Secondly, do your own employees actually know that consent was given? And finally, who really took the decision, a Zoom admin, or was it taken at the proper levels of management, including a relevant risk assessment to company confidentiality and possibly even a data protection impact assessment? By default, in regards to any online services and especially video conferencing, the first question must be: does this service adhere to the level of confidentiality we also want to have for any physical meetings, and how much access does the VC provider actually have to our audio, video, documents and chats, irrespective of what they do or don't do with it? Answer this question first and do it properly, and only then decide on the proper solution for your organisation's risk appetite. Still happy with Zoom? Then scroll back and answer the other questions; when done, come back down here and look at your risk appetite for your video conferencing solution again.
Link to Zoom's Ts&Cs: https://explore.zoom.us/en/terms/
Link to CPO's blogpost from 7 Aug: https://blog.zoom.us/zooms-term-service-ai/