PrivacyTechnology in the Law Classroom
ZOOM: Your Privacy Graveyard?
The World today is in the midst of an unprecedented crisis, and the impact of the same is not lost on anyone. Nearly 209 countries have been affected by the novel SARS-CoV-2 virus. However, as it has time and again been said, it’s the times of crisis that drive innovation and expedite the adoption of technology. The current crisis is no exception.
To break the transmission of the virus, the Government of India has imposed a nation-wide lockdown, which shall remain in effect till May 3rd, 2020. The lockdown has rendered the employees incapable to commute for work, which has prompted corporations and educational institutions to shift towards the digital domain to remain functional. Companies are using various digital tools and virtual workspaces to hold meetings and remain connected. In order to compensate for the loss of studies during the lockdown period, educational institutions and coaching centers too, are now switching to online classes. Unable to socialize physically, people have taken to virtual meetups over video calls. In India, virtual courts are being held over video-conferencing platforms.
One of the more popular platforms that everyone – from schools to major companies; and even India’s union ministers seem to have embraced, is the Zoom video-conferencing app. The application has been around for quite a long time now, however, the recent pandemic has skyrocketed its download and use. The company has, according to its CEO’s blog post, reached 200 million daily users, instead of the earlier 10 million per day.
This spotlight has, however, brought to the forefront many concerns related to cybersecurity and privacy of its users. Various infosec experts and cybersecurity companies have voiced their concern over the default settings of the application, which are apparently weak and unoptimized, so much so that it allows strangers to intrude meetings. There were many reports of people ‘zoombombing’ meetings or online classes and causing disruption.
The application also came under the scanner, after Patrick Wardle, an ex-NSA hacker wrote a blog on how the application installer could be tampered to gain additional privileges to a user’s computer including access to webcam and microphone. This could possibly lead to anyone having root-level access to your device (cell phones/laptop) and use your webcam to snoop on you. Root-level access to your laptop could mean disaster for an individual’s privacy and security, as it can be used to capture one’s keystrokes and make changes at the administrator level. The company recently, also faced a class-action lawsuit in California after it was revealed that it was sharing users’ data with Facebook, without clearly notifying them about it, following which the company released a security patch fixing the issues.
A common argument that is often aired in support of the surveillance measures, or is used as an excuse for showing no worry towards any breach of privacy is the “Nothing to Hide” argument. People say that since they do not have anything to hide, anything to worry about as they have done no wrong, they mustn’t oppose the data collection measure, whether state-sponsored or by private players. Professor Solove makes a compelling case against this argument in his paper, which says, “So do you have curtains?” or “Can I see your credit card bills for the last year?” He posits that every man has something or the other to hide, that might be something unlawful or merely embarrassing to reveal.
Another privacy hazard that was revealed was the encryption of Zoom calls. While Zoom advertises end-to-end encryption on its website, a spokesperson has conceded that it is not possible to encrypt calls E2E. Further, whatever level of encryption the application does use, the server which it uses to exchange keys is located in China, making it susceptible to any cyberattack by Beijing.
Amid growing concerns, the Cyber Coordination Centre of India recently issued an advisory on the cautious use of the application by private individuals and companies while completely banning its use by government entities. The CyCord has advised that all government departments use the Video-Conferencing services provided by National Informatics Centre. CERT-In has also issued guidelines for Web Conferencing Security which can be accessed here.
The case for Zoom has only worsened over the past few days when it was reported that over 500,000 account credentials were posted for sale on the dark web. Obtained via ‘credential stuffing’ i.e. collecting previous breaches and checking if the same credentials were being used for Zoom too. You can check if your email address was leaked or breached at AmIBreached and/or at Have I Been Pwned.
In view of the security hazards that the third party video-conferencing applications pose to the national security of India, the MeitY has announced an Innovation Challenge for Development of Video Conferencing Solution encouraging individuals and startups to submit their model of a VC app.
Today as an individual’s data can be processed to give invaluable insights into one’s life, it is pertinent that everyone takes adequate measures to guard themselves against unwanted intrusion by maintaining cyber hygiene and using certified software and programs.