Update: On 2023-08-11 Zoom has updated their terms of service again, so that they now don’t claim the right to sell your recordings for AI training anymore.

This does not change the fact that they shockingly tried to get away with claiming such rights until people (including myself) protested.


Zoom claims the right to sell your recordings for AI training

by Norbert Bollow, 2023-08-07

TL;DR summary: Zoom Video Communications, Inc. has updated its terms of service so that according to that document, everyone who uses zoom grants that company “sublicensable, and transferable” rights to use “Customer Content”, which includes session recordings, for AI training. Let’s discuss to what extent this may be a business problem for you and me, and what to do about this issue!

Yesterday evening I received an email with a link to an article by Alex Ivanovs about a change in Zoom’s terms of service; that article is titled aptly “Zoom's updated terms of service permit training AI on user content without opt-out”. (Here and in the following, I use “Zoom”, capitalized, to refer to the company Zoom Video Communications, Inc., like they do in their documents. By contrast, I use “zoom” to refer to the software and service provided by that company.)

I am particularly concerned about the aspect of recordings, the reason being that I’m a small business owner who creates value for his clients through teaching, training and coaching. It has taken me many years to learn what I have learned and to become who I am. No AI will ever be able to duplicate that, but it is conceivable that an AI (which is trained on my content and on my conversations with clients and potential clients) might be able to learn enough so that it can share more information with competitors than I would want to share with them, and to imitate me just well enough that what I do would no longer stand out as unique.

It is important to note that this AI threat is very different from what I consider to be healthy competition. Regardless of whether we like it or not, everyone benefits when I am inspired by some of the ideas and innovations that a competitor has come up with, and they are also inspired by some of my ideas and innovations.

By contrast, what generative AI would do (on the basis of recordings taken from me) would be low-quality imitation, cheaply mass-produced.

I wouldn’t expect an AI imitation of what I do to be able to actually deliver the results that my clients need. But it could conceivably provide a good enough imitation that people who listen to it won’t realize that they’re missing out on important bits and pieces. When that kind of cheap imitation is allowed to drive the real thing out of the market, only the AI company will win. Everyone else will lose.

So I checked the Zoom terms of service document to see what it says in relation to this kind of concern.

My overall impression is that the current version this document contains a very serious attempt to make it as difficult as possible for anyone to stop Zoom from appropriating, and selling for purposes of AI training, the vast body of knowledge that is contained in Zoom recordings created by their users. At the same time, they’re making it very easy even for someone who actually reads the “terms of service” document (which is not something that most users would be in the habit of doing) to overlook the provisions through which the document attempts to make you give Zoom the right to use your recordings for AI training.

Now I’m not convinced that this “terms of service” document actually legally has all the effects that it claims to have, especially in relation to the use of recordings for AI training. In just about every country, there are limits to how unfair and one-sided provisions in a contract can be before those provisions become invalid as a matter of law, or possibly even the contract in its entirety is considered invalid. This kind of argument will be strengthened by the situation that

But let’s for now make the (probably reasonable) assumption that regardless of whether what they’re planning to do is strictly speaking within the boundaries of what they’re legally able to do, if there is something that is practically possible for Zoom to do, and it appears likely to make them a mountain of money, and they believe that they can do it under the terms of the “terms of service”, then they will do it.

Zoom will clearly believe that they will be able to make a lot of money if they can store all the recordings made by its users, and license their collection of recordings to AI companies for purposes of training various AI models.

So let’s read carefully to learn what Zoom will believe that they can do in relation to recordings and AI training if they believe their “terms of service” to be legally valid, or if at least they don’t expect to get into serious trouble for pretending to believe it.

First of all, there is one paragraph which is explicitly about recordings, fairly high up in the document. It looks at first sight to be fairly innocent as far as the use of recordings for AI training is concerned. Here is what it says:


You are responsible for compliance with all Laws governing the monitoring or recording of conversations as the Host or Phone Host. A Host or Phone Host can choose to record, for example, meetings, webinars, or a phone call. By using the Services, you authorize Zoom to store recordings. You will receive a notification (visual or otherwise) when recording is enabled. If you do not consent to being recorded, you can choose to leave the recorded session.

Note this sentence: “By using the Services, you authorize Zoom to store recordings.”

So as soon as a recording is made, we should expect Zoom to store it for whatever purposes of their own that they believe to be profitable for them and allowed by their own “terms of service”. Note that that is independent of whether the “Host” uses “cloud storage” provided by Zoom or only (as far as the “Host” is aware) stores the recording on their own computer.

The only distinction is whether “recording is enabled”, at which point the participants will be notified about that.

Unsurprisingly, the definition of “Customer Content” in section 10.1 is such that when someone uploads or otherwise originates content, that is included in what is defined as “Customer Content”. I would certainly expect Zoom to understand this so that recordings are part of what is considered “Customer Content”.

Now of course we want to know what Zoom will think that they can do with such content. The relevant text is in section 10.4:

10.4 Customer License Grant You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content and to perform all acts with respect to the Customer Content: … (ii) for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence …

Note that that isn’t limited to just Zoom’s own product and service development. Machine learning and artificial intelligence are listed as separate permitted purposes in addition to product and service development, and the claimed license grant is for a perpetual, worldwide, non-exclusive, sublicensable, and transferable license. And while the license from you to Zoom is royalty-free, Zoom does not say anything about whether that would also be the case for sublicenses granted by Zoom. I would expect Zoom to charge AI companies quite a lot of money when selling them, for purposes of AI training, access to the collection of zoom recordings.

Now while I was working on this article, Zoom added the following sentence, in bold, under section 10.4:

Notwithstanding the above, Zoom will not use audio, video or chat Customer Content to train our artificial intelligence models without your consent.
This sentence wasn’t there earlier today.

So Zoom is now actually promising something: They will not use our recordings without our consent to train their artificial intelligence models.

This does not say anything about whether Zoom’s collection of recordings will be licensed to other companies for AI training purposes.

It is also important to read the sections on “obligation of confidentiality” and the like, which to me seem to be about minimizing Zoom’s obligations to the absolutely minimum that they might be able to get away with under applicable laws, rather than about making any valuable commitments that would go beyond that minimum.

First there is this section:

10.5 Our Obligations Over Your Customer Content. Zoom will maintain reasonable and appropriate physical and technical safeguards to prevent unauthorized disclosure of or access to Customer Content provided by you to Zoom. Zoom will notify you if it becomes aware of an unauthorized disclosure or unauthorized access to Customer Content. Zoom will only access, use, collect, maintain, process, store, and transmit Customer Content in accordance with this Agreement, which may include Zoom’s consultants, contractors, service providers, subprocessors, and other Zoom-authorized third parties accessing, using, collecting, maintaining, processing, storing, and transmitting Customer Content on Zoom’s or your (or your End Users’) behalf in connection with the Services or Software. Zoom will ensure that any sharing of Customer Content with an authorized third party will be in compliance with applicable Law. Zoom has no other obligations with respect to Customer Content.

So this is about making sure that only Zoom and “Zoom-authorized third parties” get to access your content, and use it for AI training or whatever. Zoom can still authorize whomever they want.

The promise “Zoom will ensure that any sharing of Customer Content with an authorized third party will be in compliance with applicable Law” clearly doesn’t add anything to what Zoom’s obligations under those laws were anyway.

The final sentence, “Zoom has no other obligations with respect to Customer Content”, makes really clear that they don’t want to promise anything that they don’t have to do anyway.

Then there is a section 17 titled “Confidentiality” which defines “Confidential Information” very broadly in regard to what Zoom considers their own confidential information, but very narrowly in regard to you and me:

(ii) with respect to you, any information disclosed by you to Zoom that (a) must be kept confidential pursuant to applicable Law or (b) is sensitive security and technical information that is clearly and conspicuously marked as “confidential” by you

So no matter how confidential something that you discuss over a zoom call may be in the opinion of the participants of that conversation, if it isn’t something that must be kept confidential as a matter of law (like for example classified military secrets), and if it isn’t “security and technical information”, then from Zoom’s perspective, it cannot qualify as “Confidential Information” under these “terms of service”. And even if something truly is sensitive security and technical information, then I still would have no idea how I might go about ensuring that, in the context of a zoom session recording, it would be “clearly and conspicuously marked as ‘confidential’” in such a way that an automated process for training AI models on the basis of session recordings would reliably recognize that particular recording as one that would need to be excluded.

Also relevant is Zoom’s Privacy Statement, which says the following about meeting and webinar content, which might be understood to include recordings:

Zoom employees do not access meeting, webinar, messaging or email content (specifically, audio, video, files, in-meeting whiteboards, messaging or email contents), or any content generated or shared as part of other collaborative features (such as out-of-meeting whiteboards), unless authorized by an account owner, or as required for legal, safety, or security reasons, as discussed below, and where technically feasible.

Consider how narrow this is: It applies only to “Zoom employees”. It does not in any way restrict what an automated process for training AI models can do. It also does not in any way restrict what employees of other companies can do after such companies have bought access to Zoom’s collection of recordings.

Another point of concern is that this statement is under the heading “How do we use personal data?”, which might be understood as further narrowing the actual legal meaning of the statement to the kinds of data that are listed in the section “What personal data do we receive?”

Disappointingly, even a video recording of a person who can easily be identified on the basis of photos on the open Internet is not considered “personal data” from Zoom’s perspective. So their “Privacy Statement” doesn’t really help at all with respect to recordings. It essentially just shows their total lack of concern for any true privacy aspects of video recordings that would go beyond the lip-service of including the nice-sounding sentence “Zoom employees do not access meeting, webinar, messaging or email content.”

What to do about this?

Some obvious conclusions are that certainly, zoom’s “recording” feature should not be used for any meetings which have any content that any of the participants consider confidential, sensitive, or highly personal. Video content that has any significant commercial value should not be recorded on zoom or uploaded to zoom. The same applies to coaching sessions and recordings thereof.

Personally I’m considering to go one step further, in that I might make the choice of refusing to actively participate in any zoom session that is being recorded. (This would not stop me from listening to webinars with microphone and camera switched off, or from actively participating in any breakout rooms which are not recorded.)

For my own work with my clients, I have since quite some time been operating my own BigBlueButton server. I don’t trust zoom’s encryption. So for me, the whole issue is anyway not about meetings that I myself host, but only about the many zoom meetings and events hosted by others.

But then, maybe this is a problem that needs to be looked at as being bigger than only thinking about protecting my content and my work with my clients.

Perhaps the entire ecosystem of small businesses who provide any kind of consulting, coaching, training and/or teaching is at risk here? A bigger response may be appropriate, and needed!?