THE PRIVACY CONUNDRUM SURROUNDING THE ZOOM APP: A CRITIQUE
[Authored by Amol Verma, a 4th year B.B.A., LL.B. (Hons.) student of Chanakya National Law University, Patna.]
In wake of the Covid-19 Pandemic and the subsequent movement restrictions brought about to curb its spread, all interaction-based activities such as meetings, conferences, educational interactions have shifted to virtual platforms. The biggest gainer in this context has been the Zoom App, a video calling application that is being used extensively to meet the demands of virtual interaction. The application’s user base saw an unprecedented hike from 10 million users to about 200 million users in the aftermath of the pandemic. However, the application has been subjected to flak on account of various privacy issues. The security concerns are so grave that security experts, lawmakers, privacy advocates, and the FBI stated that Zoom’s default settings are not completely secure. Elon Musk banned the application’s use for SpaceX meetings and so has NASA.[i] Gradually, the Virtual platform is becoming a victim of its own success.
PRIVACY AND SECURITY CONCERNS
The privacy and security concerns with Zoom aren’t something new. Earlier in 2019, Apple had removed the Zoom Software from their Macs after a serious security vulnerability of the software let the websites hijack Mac Cameras. However, it is amidst the pandemic that the inspection over Zoom’s security aspect has intensified. The application generates an ID Number every time someone schedules a meeting. Researchers across the globe have found that these meeting IDs are easy to guess thereby allowing anyone to get into the meeting. Consequentially, it has resulted in “Zoombombing”, a practice where the pranksters in an unauthorized manner join these meetings and broadcast inappropriate videos.
Privacy advocates have argued that the application sends users’ data to Facebook without the permission of the users. To tackle this problem, Zoom was forced to update its iOS app in order to remove the code which sends the device data to Facebook. Perhaps recently the most shocking issue came to light. While Zoom ensures that one can “secure any meeting with the end-to-end (E2E) encryption”, the company admitted that it is misleading people. A Spokesperson for the virtual platform confirmed that it is not possible to enable the E2E encryption for the video meetings.[ii]
-- The Legal Soup --
POSITION IN INDIA
Owing to the security and privacy concerns Zoom was bound to be pushed into a legal soup. The Cyber Coordination Committee of the Ministry of Home Affairs has issued guidelines stating that the application is unfit for official governmental use with caveats against its private use as well.[iii]
In furtherance of these guidelines, the petitioner namely Bharat Chugh has filed a PIL[iv] under Article 32[v] seeking a ban on the video calling application on the grounds that it is not safe, does not have E2E encryption and is, therefore, ultra vires of Section 43 and 43A of the Information Technology Act, 2000[vi] and Rule 24 of the Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009[vii]. The petitioner makes a serious case considering the recent Judgment in K.S. Puttaswamy v. UOI[viii], wherein the Supreme Court upheld the Right to Privacy as a Fundamental Right guaranteed under Article 21[ix] of the Indian Constitution. Furthermore, the Petitioner has alleged that the application practices data hoarding thereby storing personal data of its users resulting in breach of data privacy. Zoombombing is likely to result in data theft and hacking due to improper monitoring of the participants in a meeting. Most importantly, the application has a bug that can very well be abused to leak confidential information of the users to third parties. The data of the users is being sent to the company without E2E encryption thereby making the information of the users vulnerable to abuse.[x] The application has misled the public by falsely claiming that the zoom video meetings are E2E encrypted whereas in reality it merely uses transport encryption. All in all, the application has caused grave violations of consumer privacy rights.
POSITION IN UNITED STATES OF AMERICA
In the USA, which happens to be the home jurisdiction of the application, the FBI has warned users of pornographic content being displayed during video meetings. Even reports of Zoom Conferences being disrupted by hate pictures and threatening language has also been witnessed. Serious incidents of Zoombombing have become prevalent which is indicative of the fact that the hackers are easily able to hijack the users’ webcam. In order to bring the situation to the judiciary’s cognizance, a Class Action Suit has been filed against Zoom by its shareholders in a court in California alleging that the application is ultra vires of the provisions of the California Consumer Privacy Act.[xi]
As may be inferred, Zoom is and can be further subjected to a host of legal actions. Actions can be brought for compensation under the Law of Torts, while Company Law Petitions and Class Action Suits have been brought as well. Constitutional petitions seeking ban as is the case in India can turn out to be a more common occurrence.
Now that Zoom’s security loopholes have been exposed, the application is working to create a more secure and safe platform. However, due to lockdown in most parts of the world, the magnitude of privacy breaches through the app is yet to be ascertained. It remains to be seen how many of such breaches have caused monetary or exemplary damages to the affected users. Without a vaccine in place, social distancing norms are unlikely to waive anytime soon. Therefore, the requirement of video interactions retains primacy. The onus lies on Zoom, as a service provider, to bring its software in line with the technological advancements while resolving privacy issues in order to run a successful business devoid of litigations.
[i] Elon Musk’s SpaceX bans Zoom over privacy concerns, memo shows, CNBC Tech (Jun.30, 2020, 10:39 AM), https://www.cnbc.com/2020/04/01/elon-musks-spacex-bans-zoom-over-privacy-concerns-memo-shows.html. [ii] Zoom meetings are not end-to-end encrypted, despite claims: What this means, The Indian Express (Jun.30, 2020, 11:32 AM),https://indianexpress.com/article/technology/tech-news-technology/zoom-meetings-not-end-to-end-encrypted-despite-claims-what-this-means-6341763/. [iii] MHA issues Advisory on Secure use of ZOOM Meeting Platform (Jun.30, 2020, 12:45 PM),https://www.mha.gov.in/sites/default/files/PR_MHAAdvisoryonZOOM_16042020.pdf. [iv] Ban use of Zoom app for official and personal purposes till a legislation is put in place: PIL filed in Supreme Court, Bar and Bench (Jun.30, 2020, 2:12 PM), https://www.barandbench.com/news/litigation/ban-use-of-zoom-app-for-official-and-personal-purposes-till-a-legislation-is-put-in-place-pil-filed-in-supreme-court. [v] INDIA CONST. art. 32. [vi] The Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India). [vii] The Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009 (India). [viii] K.S. Puttaswamy(Retd.) v. Union of India, 2017 10 S.C.C. 1 (India). [ix] INDIA CONST. art. 21. [x] Zoom Meetings Aren’t End-To-End Encrypted, Despite Misleading Marketing, The Intercept (Jun 30, 2020, 4:44 PM), https://theintercept.com/2020/03/31/zoom-meeting-encryption/. [xi] Zoom sued for overstating, not disclosing privacy, security flaws, Reuters (Jun. 30, 2020, 5:32 PM), https://www.reuters.com/article/us-zoom-video-commn-privacy-lawsuit/zoom-sued-for-overstating-not-disclosing-privacy-security-flaws-idUSKBN21Q10V.