There’s No Telling What Data Facebook Will Collect If You Use Its Zoom Clone

Earlier this month, Facebook debuted its group video chat offering, Messenger Rooms, to a world under widespread pandemic lockdown, one that’s in large part replaced face-to-face meetings with streamed conversations. The chief beneficiary of this shift, Zoom, has spent months as a punching bag for privacy advocates, so Facebook was quick to assure users that it had “built Rooms with privacy in mind” and that “we don’t watch or listen to your audio or video calls.”

But today, well over a week after the rollout and nearly a month after Facebook announced and offered the privacy assurances about Messenger Rooms, it’s impossible to determine exactly what information will be collected about you and your life if you decide to use the product. The company’s public documentation of Messenger Rooms, including a post focused on privacy, offers very few details, although the privacy post promises, narrowly, that “audio and video from Rooms won’t be used to inform ads.” Facebook’s communications department spent weeks researching my questions about Messenger Rooms privacy, only to come back with few answers, and offering instead only links to a spate of vague policies that predate the product.

Those policies, and the few specifics Facebook has given publicly about Messenger Rooms, leave unanswered important questions about how the company handles the metadata around video calls — who you talk to, when you talk to them, from where, etc. — including what metadata the company retains and with whom it shares it. Even Facebook’s upfront pledge not to “watch or listen” to conversations isn’t ironclad, privacy experts said.

The takeaway is that Facebook’s latest product, like all its previous products and those of its competitors, requires a leap of faith. For those wondering what ditching Zoom for Facebook entails in complete and precise terms, there is quite literally no definitive answer, but only another question: Well, do you trust Facebook?

A Window Into Your Intimate Relationships

The privacy of Messenger Rooms is particularly important given how Facebook has positioned it to the public. Zoom is a contortionist technology, a service that now simultaneously facilitates workplace meetings, happy hours, and unsatisfying teleromance. Facebook is marketing Messenger Rooms for a more intimate role in your life, dispensing with talk of the workplace and offering instead “a new way to spend time with friends and family through group video calls when you can’t be together in person.” In an effort to assure would-be Rooms users that the service can be trusted, an April 24 blog post by Facebook Chief Privacy Officer Erin Egan outlines the kinds of data the company will collect if you use Rooms to host your next virtual board game night.

A few of them, at least. Finding a complete list of how Facebook will track your video chat sessions — and how this data could be used — is a fruitless experience, because if such a list exists, it isn’t shared with the public or the press. Rather, Facebook provides only what it provides for every other app and service in its stable: Hypothetical examples of data it could collect, but not an exhaustive accounting of what it does collect. The automated surveillance of Messenger Rooms sessions is alluded to, glancingly, but never fleshed out.

For the most crucial question — Will Facebook monitor my video chats the way it monitors the rest of my life? — we are provided only with this assurance from Egan’s post: “Regardless of whether you use Rooms through your Facebook account or join as a guest, we don’t watch or listen to your audio or video calls.”

But this pledge still leaves wide open the question of metadata collection, the sorts of more abstracted but still deeply intimate information about your conversations, like how often you talk to each of your contacts. Egan nods to metadata collection only once, acknowledging that Facebook may collect information “like the name of a room and who’s in it” and that it may share that information “with outside vendors that help us do things like reviewing and addressing issues reported by users.” As comforting as “we won’t actively spy on you” may be, the fact remains that “the name of the room and who’s in it” can be profoundly personal and as revealing as the contents of any conversation.

A Facebook spokesperson declined to share a full accounting of exactly what Rooms metadata is shared with whom.

But what other “information” might Facebook “share” with its “partners”? Who are these “outside vendors”? Egan writes that things “like” the name of the room you’re in might be tracked, but what else? By email, a Facebook spokesperson declined to share a full accounting of exactly what Rooms metadata is shared with whom, how long it’s stored, or to what end. When asked for a complete list of what information Facebook will extract from Messenger Rooms calls, the spokesperson pointed me to several different corporate documents, none of which add up to something resembling an exhaustive list. “The Privacy Matters post, help center article, our data policy and terms of service explain all the types of information we collect and the examples are used to help people understand what that means,” the spokesperson wrote.

This is where things begin to go around in circles. Facebook’s data policy and terms of service provide only an aerial view of the entire company’s data regimen across all its products, sites, and services, including photo-sharing service Instagram and messaging platform WhatsApp. Neither the data policy nor the terms of service mention Messenger Rooms by name; instead, what you’ll find in them are broadly general acknowledgements of what kinds of data, in a generic sense, Facebook reserves the right to siphon.

Facebook’s Slippery Privacy Policies

The Facebook “data policy,” which the company spokesperson repeatedly pointed me to as the firm’s canonical document for questions of information collection, is mostly built from vastly generalized statements (“We collect information about how you use our Products”) punctuated by slightly narrowed examples (“such as the types of content you view or engage with”). The word “include” or “includes” appears 10 times in the data policy, “for example” 19 times, and “such as” 30 times. Though these examples are helpful in getting an idea of how Facebook might monitor your video chats, they remain only examples. The two Facebook documents that specifically address Messenger Rooms’ data collection are light on details and refer curious readers to the official Terms of Service and Data Policy for a fuller rundown, though these documents, as mentioned, contain nothing specific to Messenger Rooms. The Facebook spokesperson confirmed that metadata collected from Messenger Rooms chats could be used for advertising purposes, but pointed to a general “About Facebook Ads” overview page that applies to the company as a whole and makes zero mention of Messenger Rooms.

Facebook’s canonical “data policy” is built from vastly general statements punctuated by slightly narrowed examples.

Facebook is similarly opaque about how long Messenger Rooms metadata — whatever it may be — is stored. A spokesperson told The Intercept only that “we impose strict controls and restrictions on how outside vendors use, store, return and destroy the data that we share, in accordance with relevant laws and our contractual agreements,” and declined to share the identities of said vendors.

Those reading the all-encompassing Facebook Data Policy might be puzzled by a section toward the top that seems to contradict the company’s pledge to not eavesdrop on your video chats. In this document, the social network notes, “We collect the content, communications and other information you provide when you use our Products” and “Our systems automatically process content and communications you and others provide to analyze context and what’s in them.” To most humans unaccustomed to big tech legalese, this seems at odds with the simple claim that “we don’t watch or listen to your audio or video calls,” or at least would seem to suggest that the company reserves the right to do so later.

Chris Hoofnagle, a law professor at the University of California, Berkeley, explained that Facebook’s claim that it won’t listen in on Messenger Rooms would make it legally difficult to do so in the future — but not impossible. “Once your organization becomes used to using Facebook, Facebook can change policies and most people won’t churn, because the transaction costs in changing services is higher than it appears from a straightforward economic analysis,” he said.

Frank Pasquale, law professor at the University of Maryland, agreed that this promise is likely short of bulletproof. “I do think it’s an enforceable contract until [Facebook] changes the terms of service, which they have done repeatedly,” Pasquale explained via email. “Users rarely if ever review such changes, and even if some do, most people will probably just keep using the service. So there’s probably a high risk of that change happening, and there being no significant consequences for [Facebook].”

“Facebook can change policies and most people won’t churn.”

Even understanding how Facebook is using certain words is tricky for Messenger Rooms users. “What does watch/listenThere’s No Telling Wh mean?” asked Hoofnagle. “Most users cannot even conceive of the idea that [machine learning] could ‘watch’ a video, tag identities, try to make sense of lip movement, and so on. So, what I find frustrating about these kinds of representations is that they are based on 20th century concepts of surveillance, rather than contemporary ones that do not require a human agent to perform collection and analysis.”

When asked about this sort of machine-aided monitoring, the sort Facebook employs constantly and on an enormous scale in other services, a company spokesperson indicated that the company will not engage in it in Messenger Rooms, writing, “We don’t watch or listen to the audio and video of calls in Rooms, so we don’t analyze that content, and the Privacy Matters post, help center article, our data policy and terms of service explain what types of information we collect and how it’s used.”

The elusiveness of firm answers about Messenger Rooms (direct eavesdropping aside) is not unique to Facebook, nor to its video chat competitors. Google’s terms of use and privacy policy span 44 pages of text and, like Facebook’s, provide only “such as” and “including” examples of how you’re watched when you use their products. Zoom has not only a miserable track record of data security and privacy practices, but a history of misrepresenting them (Zoom’s privacy policy is also a constantly evolving horror show of its own). A recent Consumer Reports analysis of Webex, Skype, and Google Meet’s privacy policies found all three lacking and unclear. Apple’s FaceTime provides a superior alternative from a privacy perspective, but lacks many of the features that’ve made Zoom so wildly popular, and, of course, will exclude your Windows and Android pals.

Those spooked by Zoom’s dismal privacy record and hoping for an unambiguously superior alternative will find no such thing, nor will they find comfort in Facebook’s or Google’s privacy policies, no matter how long they dig. “The disclosures are never detailed enough to determine what’s going on,” said Hoofnagle. “[Privacy] language is strategically used to maintain future options, and even where companies make specific promises, they can just change them by making a take-it-or-leave it offer.” If Zoom’s dismal track record makes you curious about Facebook’s alternative, there’s still quite literally no way to determine with full certainty what you’re agreeing to should you take your social-distancing book club to Messenger Rooms instead. With Facebook’s stock price hovering around an all-time high and a captive quarantined audience of billions, there’s little incentive for clarity.