‘Zoom’: Zooming in on the PIL to ban the application

The difficult time brought forth by COVID-19 is changing and evolving the human race in all aspects; from new social norms to becoming more digital, the world is completely different. In the fields of education and official meetings, everything has been digitalized and has become the need of the hour. Gaining the most from the current crisis is the US-based video-conferencing application – ‘Zoom’. The application recorded a 50% surge in the number of daily users, increasing the tally to 300 million within a short span of three weeks.[1]

The sudden increase in the number of users came with frequent reports of privacy infringement and loss of data from users' devices without prior permission.

This brought the application under heavy scrutiny, including three class action suits amongst others, and the management had to face a lot of flak. The CEO of Zoom Video Communications Inc., Mr. Eric S Yuan, made a statement apologising to the users for the reported privacy breaches and gave assurances that the breach would be resolved as soon as possible.[2]

The Cyber Coordination Centre (CyCord), under the Ministry of Home Affairs (MHA), on 12th April, 2020, issued a public advisory that stated how the app is unsafe and laid out certain steps to keep in mind while using the said app.

Within the next four days, the CyCord issued another advisory dated 16th April 2020 in relation to the application which stated that the platform is not for use by Government officials/officers for their respective official purposes. The said advisory explicitly stated that ‘Zoom’ is not a safe platform and therefore these guidelines have been issued to protect individuals who would still use the application for private purposes.

The advisory went on to state its objective which was to avert “any unauthorized entry into a Zoom Conference Room and prevent the unauthorized participant to carry out malicious attacks on the terminals of other users in the conference.” [3]

The advisory went on to state more detailed methods to apply while using the app.

On 20th April 2020, a petition was filed in the Supreme Court under Article 32 of the Indian Constitution by Advocates Nimish Chibh and Divye Chugh on behalf of the petitioner, Mrs. Harsh Chugh. The petitioner is a Delhi-based part-time tutor and homemaker who expressed her concerns about the privacy and security risk posed by the communications application to her and the public in general.

The petition stated that the numerous security breaches reported by the media across the world have necessitated the said petition:

“That the present petition is necessitated in view of various facts and incidents reported by the media sources against breaching of cybersecurity through  Zoom App”

– an excerpt from the PIL

There have been many reports of such breaches across the globe, which led to bans on the application. One example is an investigation by Motherboard (Tech by Vice), a London-based online magazine, which revealed that ‘Zoom’s iOS app was sending user analytics data to Facebook, even for Zoom users who did not have a Facebook account, via the app’s interaction with Facebook’s Graph API’ [4]. This report, amongst others, led to the ban by the United Kingdom's Ministry of Defence on the use of the application by Defence personnel, citing ‘security’ concerns. The petitioner cites many such reports in support of her argument.

The petitioner pointed out that the Ministry of Electronics & Information Technology and the Cyber & Information Security (C&IS) Division are aware of, and have recognized, the risk to the privacy of users posed by the offending software:

“It is also pertinent to point out that the risk to the privacy of users of the offending software is also recognized by the respondent nos. 1 and 2. Hence, they are already familiar with the subject matter.  However, still the respondent nos. 1 and 2 have not taken any steps to protect the general public and have not banned the offending software.”

– an excerpt from the PIL

The petitioner goes on to state that the advisory issued by the CyCord, MHA is not enough to protect the general public and the government must come up with a technical investigation into the matter and a ban on using the software to protect personal data until there is a standard regulation put in place to safeguard the rights of the citizens. The plea points out that the app practices data hoarding and cyber hoarding, wherein the data of the user is collected without explicit permission and further used for purposes such as advertisements and selling off the data on the dark web. [5]  

“That the Zoom App practices data hoarding and cyber hoarding which includes mass storage of personal data of its users and stores cloud recordings, instant messages, files, whiteboards, etc.”

– an excerpt from the PIL

Another major contention made by the Petitioner was the new concept of ‘Zoombombing’ and how it can affect the general public, keeping in mind that the application is used by children as young as first graders for their school classes, who can be majorly harmed by such acts.[6]

“Further, there have been concerns about what now is being called ‘zoombombing’ where an unauthorized person or stranger joins a Zoom meeting/chat session and causes disorder by saying offensive things and even photo bombing the meeting by sharing pornographic and/or hate images.”

–  an excerpt from the PIL

The plea also goes on to state that the application includes a specific bug that can be abused to intentionally leak personal data. Zoom claims that it is end-to-end encrypted, but it is not, the PIL contends:

“That Zoom is reported to have a bug that can be abused intentionally to leak information of users to third parties. The app has falsely claiming calls are end-to-end encrypted when they are not” 

– an excerpt from the PIL

The plea further adds that the monitoring of Zoom would be less of a concern if it were encrypted end-to-end, as falsely claimed by the company in its marketing materials.

Zoom admitted to ‘The Intercept’, an online news publication owned by First Look Media, that it did not have end-to-end encryption (E2EE) for video calls. Instead, it uses a form of encryption known as transport encryption, which is not as secure as end-to-end encryption (E2EE). [7]

The plea contends that the app violates the right to privacy guaranteed under Article 21 of the Indian Constitution, adding further that in this case it is submitted that collection of data, storage and access without letting the end-user know is simply “infringing their fundamental right of privacy”

“The baseline of privacy in cyberspace still remains blurred but it is nothing but a fact that data protection in cyberspace is the most essential form of privacy one seeks while accessing the internet and if an app cannot even assure its consumers of such data protection and rather sends out the data, it is the safest to ban such app.”

– an excerpt from the PIL

Furthermore, the petitioner contends that the application gives rise to a violation of Section 43 (Penalty and compensation for damage to a computer, computer system) and Section 43A (Compensation for failure to protect data) of the Information Technology Act, 2000.

The petitioner states more grounds in the plea such as the following;

“Because it is as important to have a safe and secure environment virtually as it is to have one in the physical world.”

“Because cyberspace risk is increasing every day due to global connectivity and other online services which makes it easier to hack and access sensitive data of the users, be it private and confidential it is not that difficult to hack if a secure network is not used.”

– an excerpt from the PIL

On the 22nd of May 2020, a Supreme Court bench headed by CJI SA Bobde and comprising Justices AS Bopanna and Hrishikesh Roy issued notice to the Central Government on the plea seeking a ban on the use of the app for both official and personal purposes.

“Issue notice returnable in four weeks” the bench conveyed.

In totality, the scope of the problem at hand is major, as the data collected could be both sensitive (bank details) and private in nature. Only a technical investigation into the same will provide a ground report and help in assessing the situation aptly. The Petitioner seeks an investigation and a ban on the use of the app, arguing that it has Pan India ramifications.

The Centre is expected to address the issue with a course of action by the 22nd of June 2020.

Countries/Organizations that have banned the use of the Application because of security concerns (as per the petition) :

  1. Australian Defence Force
  2. Berkeley, California (for public school use)
  3. Canada (Federal government use that requires secure communications)
  4. Clark County, Nevada (for public school use)
  5. German Ministry of Foreign Affairs
  6. Google
  7. NASA
  8. New York City (public school use)
  9. Singapore Ministry of Education
  10. Smart Communications
  11. SpaceX 
  12. Taiwan (government use)
  13. United Kingdom MoD
  14. United States Senate
  15. Honorable Bombay High Court, which was using Zoom earlier for video conferencing has stopped using the app, and a fresh notice dated 17/04/2020 has been issued making the shift to Vidyo.


—————————————————————————————————————-

[1] Surge in Zoom users: https://www.scmp.com/tech/apps-social/article/3081153/zoom-daily-users-surge-50-cent-300-million-despite-privacy-woes

[2] Apology by Mr. Eric S Yuan (CEO, Zoom): https://www.moneycontrol.com/news/world/zoom-ceo-eric-s-yuan-apologises-to-users-for-privacy-and-security-gaps-5102761.html

[3] MHA Issues Advisory on use of ‘Zoom’: https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1615008

[4] Zoom sends data to Facebook - Vice UK Report: https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account

[5] Sale of Zoom accounts on Dark Web: https://www.businessinsider.com/500000-zoom-accounts-sale-dark-web-2020-4

[6] ‘Zoombombing’ - New York Classroom Report: https://thenextweb.com/security/2020/04/06/nyc-classrooms-cancel-zoom-after-trolls-make-zoombombing-a-thing/

[7] Encryption of ‘Zoom’: https://theintercept.com/2020/03/31/zoom-meeting-encryption/

Nayan David from Northcap University, Gurugram

“Nayan is an ardent debater, an avid reader- who is full of curiosity and likes to discuss about anything and everything under the Sun”
