Reading time: 8-10 minutes.
Since the month of March, the world is in the middle of an unprecedented crisis with nearly 209 countries being affected by the novel SARS-CoV-2 Virus. To break the transmission of the virus, governments across the world-imposed lockdowns; these lockdowns rendered the employee incapable to commute for work which has prompted the corporations and educational institutions to switch to a digital domain.
It was in the month of March when the coronavirus outbreak sent shivers across the entire country, bringing a halt to the businesses and various industries with the entire world facing a global slowdown in the economy due to the massive crash of the stock market with India recording its biggest single day fall on 23rd March, 2020 and US recording it on 11th March 2020; both after the biggest global stock market fall in 2008. While these falls in 2020 are triggered by the Coronavirus, we see that the company – Zoom Video Communications has recorded a tremendous growth and has hit its peak market capitalization as the huge corporations are using this app to hold video conferences to continue their operations.
While the application had been in the market for several years, the recent pandemic has skyrocketed its download and use. This spotlight has, in fact, brought various concerns relating to cybersecurity and privacy of its users in light. It had only been a month that zoom had rapidly taken over its counterparts, when in April, a Plea against the video conferencing app was filed in the Hon’ble Supreme Court. The reason behind this plea being filed was the investigation reports by a major New York securities firm known as Labaton Sucharow LLP which conducted the said investigation on behalf of its shareholders, concerning allegations that “Zoom may have issues materially misleading business information to the investing public.”
With the growing use of the application, its market cap reached as high as Dollar 42 billion only to drop down by a significant 14.2% once the privacy concerns were brought to light. It was in no time that the New York City Department of Education, NASA, SpaceX and Google among the many other organizations banned its use. It is also pertinent to note that the FBI warned against its use after receiving harassment reports against its users. With the spurring up of privacy concerns with zoom, Taiwan became the first country to ban the use of Zoom stating that its use contravenes the rules laid out in the Cyber Security Management Act, 2019. Subsequently, the Ministry of Home Affairs on the 16th of April issued an advisory stating that Zoom is not a safe platform.
Arguments made in the plea
The plea in the Hon’ble Supreme Court to ban Zoom had been moved by petitioner Harsh Chugh through advocated Wajeeh Shafiq. The petition claimed that cyberspace risk is increasing every day due to the global connectivity and online services which make it easier to hack and access sensitive data of users. Chugh’s primary concern for filing the plea was that being a homemaker, he gives tuitions online in this time of pandemic and he is scared of security and privacy breach by the video conferencing application.
The petitioner in his plea made the following arguments:
- First, the petitioner started before the Hon’ble Court the legal provisions under which the video-telephony application is not safe for use. It was started that the application does not have end-to-end encryption, as a consequence of which, it is violative of the Information and Technology Act 2000 and Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
- Second, the petitioner in the plea submitted that the software application is also a threat to the individual’s privacy by citing the apology which has already been issued by the Chief Executive Officer of Zoom Video Communications. The apology states that the video conferencing app is faulty in terms of providing a secure environment digitally which is against the norms of cyber security. This further acts as a basis for the petitioner to contend that the application is highly prone to hacking and cyber breaches which have already been reported worldwide.
- The plea also holds other stakeholders responsible – the Centre through the Ministry of Electronics & IT and Cyber & Information Security Division of the MHA. Subsequent to this, the MHA issued an advisory stating the application is not safe for use.
- Further, the petitioner in the plea also argued on the data hording policy of the application and the issues of unauthorized access termed as “zoom-bombing” wherein a stranger can join Zoom meetings and share objectionable content. The petitioner in the plea contends that it is important to put in place a standard regulation to safeguard the rights of the citizens.
- The plea filed in the Hon’ble Supreme Court also said that it is not difficult to hack if a secure network is not used which has also led in several organizations across the world to ban the use of the app.
The plea filed through Adv. Wajeeh Shafiq also states that – “The global COVID-19 pandemic has drastically reshaped the way in which consumers, businesses and schools communicate. Rather than lending a hand to people in need, Zoom violates the privacy of its millions of users by misusing and exploiting their personal information and falsely, deceptively and misleadingly advertising fictitious security benefits of the program.”
Right to Privacy
Throughout the years, Right to Privacy is a matter which has been taken to the Hon’ble Court at multiple times with respect to various developments in the country. Recently, with Zoom skyrocketing in the market due to its ease of functionality has also been seen as the major cause of its downfall. The same ease of functionality which had attracted people to this video conferencing app resulted in security and privacy concerns being raised by the industry experts. With the privacy concerns on the rise, one of the most common arguments which is often aired in support of the surveillance measures and was done this time around too is the “Nothing to hid” argument.
While Zoom Communications is making the argument that it isn’t selling customers’ personal data – the company still admits that it shares some of your data with third parties which the privacy sticklers argue accounts as selling.
The video conferencing application which was largely preferred by everyone to continue their functioning grossly breaches the Right to Privacy in the following ways:
- Fake End to End Encryption
While the application advertises for End to End Encryption of calls, it states that it is not possible to encrypt each and every call e-2-e, which does not provide for a secure communication system.
- Selling user data
In a report by Motherboard, it has been observed that Zoom sells its customers’ data to Facebook for the purpose of advertising even if the user does not have a Facebook account. Subsequent to this, zoom reviewed and tightened its privacy policies and stated that it does not use any customer data for advertising. However, it has time and again been reported that selling od personal data continues even when people visit its marketing websites.
- Zoom bombings
Herein, uninvited attendees can also join the Zoom meetings and harass the participants, thus posing security threats.
- Email leak
Various reports on the functioning of Zoom have revealed that the application is selling user email addresses and photos to strangers which enables them to initiate calls with each other.
- Data mining
Another major privacy concern which was estimated with the use of the application was the undisclosed data mining feature that automatically matches user’s names and email addresses to their LinkedIn profiles when they signed in, even though they logged in as a guest.
- Attendee tracking
Another major concern which brought zoom under the radar is its “attendee tracking feature”. When this feature is enabled, it allows the host to check if the participant has clicked away from the main zoom window during a call. Subsequent to the concerns raised regarding this feature, the application on 2nd April permanently removed this feature.
It was just in a matter of months that Zoom had joined the coveted club of brands whose names have become verbs – as synonymous to video conferencing as Google is to search and Uber is to ride-hailing. However, this explosive growth did not come without consequences. The video conferencing tool which has been the ubiquitous form of communication during the COVID-10 outbreak is now facing the brunt of failing to put in place adequate privacy and security measures to protect millions of users which may be having highly-sensitive discussions on the application.
The recent past has been nothing short of a game of cat and mouse for the application wherein the flaws with its privacy and security practices have been brought into light. Security experts have also pointed out their concerns about the shady preinstallation code that allows Zoom to automatically install the application in Max once a user hits the download button without going through the security protocols. Along with the new development in the flaws of the application coming up, a 2019 report by researcher Jonathan Leitschuh also discovered the vulnerability of the application which allowed the attackers to gain access to the webcams of the users on Mac. This, however, was fixed later but the application continued to be criticized.
Security experts have suggested how the security issues can be mitigated, few of which are as follows:
Updating the application is the earliest defense to the attack by a malware.
- Use of waiting room option
Meetings should be setup so that no one is able to join them until the host allows.
- Use of random meeting IDs and passwords
It has been observed that hackers tend to sell meeting IDs which have been previously used and newly leaked. Thus, it is advised to use random meeting IDs and passwords.
- Use of different means to send weblink
It is advised to send the meeting ID by one mode of communication, and the password by other.
There are many more privacy focused alternatives to Zoom, however, they have their pit falls too. FaceTime and WhatsApp are end-to-end encrypted, but FaceTime only works on apple devices and WhatsApp is limited to just eight video callers at a time.
While Zoom is not inherently bad and there are many reasons why Zoom is so popular. It is easy to use, reliable and for the vast majority, it is incredibly convenient. However, Zoom’s misleading claims which gives users a false sense of security and privacy is also the biggest reason for its downfall. Whether it’s hosting a virtual happy hour or yoga class or using Zoom for therapy or government cabinet meetings, privacy is deserved by everyone. This breach of privacy led to the plea which was filed against zoom in the Supreme Court in the month of April and therefore, MHA has suggested to adopt platforms other than Zoom to continue the working and maintaining cyber hygiene by using certified software and programs.
Therefore, it can be concluded that the seven-year-old app appears to have – until now – prioritized functionality over security. The ease of setting up a Zoom meeting is a part of its allure, especially to the tech savvy people, which also leaves them dangerously exposed to hacking. This had resulted in a practice called zoom bombing, in which hackers hijack a call and broadcast hate speech, pro, and other inappropriate content. Owing to this, zoom released a security update on 5th April, but the question still remains – is it safe to use the application even now with its added security options considering the issues overweigh the solutions?
Author: Yashassvi Periwal from Symbiosis Law School, NOIDA.
Editor: Dhawal Srivastava from Rajiv Gandhi National University of Law, Patiala.