Privacy and security of video-conferencing apps

India must create a culture of innovation where there’s respect for individual privacy


The pandemic struck suddenly, before the world could fully comprehend its import, humanity went into a paralysis. Life across the globe came to a standstill. Governments, corporates, families and individuals had to suddenly adapt to new modes of communication, transaction and service delivery. In this mayhem, the online and digital world offered viable alternatives to commute, collaboration and decision-making. Apps and services, which were popular before Covid-19, suddenly became the only fallback option. A case in point being the popular video-conferencing application called Zoom. Such has been the surge in work from home and other collaboration needs that Zoom, which had 10 million daily users, crossed the 200 million mark in March; as of date it is claiming a daily user base of 300 million participants. Zoom is used by over 30,000 companies and over 40 million people worldwide including hundreds of thousands of educational institutions. Other such apps and alternatives also saw a huge growth, but Zoom was at the sweet spot of pricing, features, familiarity, differentiation and market presence to benefit from the Covid-19 outbreak.

With popularity came cyberattacks, hackers zoomed in on Zoom and started digging for flaws in its code, privacy advocates started examining its privacy and data use policies, others dug out its server locations, roots of the software code, permissions the app takes on your device and the safety/security of users on the platform. Pursuant to this, after rising sharply, Zoom’s share prices experienced a sharp fall in March when serious issues came to fore. To the company’s credit, it has been quick to adapt and has been responding well to criticism by making desired changes in code, configurations and policies. However, the broader question of the privacy, security and threats to individuals-businessesgovernments still needs a close examination. Recently, a former NSA researcher disclosed two new bugs that could have been used to take over a Zoom user’s Mac computer, including tapping into the webcam and microphone.

To make matters worse, these exploits apart from compromising Zoom can become a gateway for the attacker to additionally install other Malware and virtually takeover the victim’s computer or his/her identity. Security researcher Felix Steele dissected the Mac Zoom installer package. To his surprise he discovered that certain techniques that were being used by the pkg file were similar to those used by actual macOS malware samples (for example Coldroot and Proton). These malwares often pretend to be an Apple process or completely fake the password prompt. The installer also actually asks the user to blindly enter their system password into a dialog that pops up and makes use of elevated privileges to access system files. There have been instances of restricting Zoom usage by various countries for critical work and also by corporates. Examples range from Google stopping its employees downloading the app for work to Elon Musk’s rocket company SpaceX banning its employees from using it, in wake of “significant privacy and security concerns”.

Zoom also does not use end2end encryption which has become the standard for all communication apps and messengers. It was also found by Citizen Lab researchers that Zoom was using weak encryption keys, only 128-bit against a claim of the stronger 256-bit AES keys, as the company was proclaiming. The company has access to all encryption keys and to all video and audio content traversing its cloud, it’s possible that governments around the world could be compelling the company to hand over copies of this data, some of its servers are also hosted in China. It is also noteworthy that the video-conferencing software appears to be developed by three companies located in China, known as Ruanshi Software. Only two of these are owned by Zoom, ownership of the third company, American Cloud Video Software Technology, remains unknown. On a closer examination, the usage terms and privacy policy of Zoom mandates transfer of data outside India and it is also subject to commercial exploitation.

Though Zoom updated its privacy policy which is better than it was, it still collects a huge amount of data about users. Consent is only valid where it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use and/or disclosure of the personal information to which they are consenting whereas Zoom policy falls short on this aspect. It should be noted that it considers its home pages “marketing websites”, which means it’s still using thirdparty trackers and surveillance-based advertising. The policy of commercial exploitation and transfer of data outside India can have impact and invite punishment if used by the government officials/departments (due to such inevitable transfer of government data outside its jurisdiction) since the same may be in a violation of the Public Records Act, 1993, the Official Secrets Act, 1923, The Email Policy as well as Policy for Usage of IT Resources of Government of India. It should be noted that the ministries and departments may host their servers with third parties, but are not permitted third-party hosting in servers outside India (as per the guidelines issued by the Ministry of Home Affairs and CERT-IN). In wake of the above security concerns, the Ministry of Home Affairs issued an advisory stating that ‘Zoom’ app is not a safe platform for video-conferencing and none of the critical meetings to be conducted using Zoom platform.

Nonetheless, the security of video-conferencing and live-streaming apps needs urgent audit including a forensic audit of the possible breaches due to known and unknown vulnerabilities (even though some recently patched by Zoom). Our dependence on these technologies today is so complete that until viable alternatives emerge, we have no recourse but to keep using them. If we undertake a set of system hardening and tweaking of configuration settings, contingent risks can be mitigated to a large extent. Another way would be to use alternatives which are less popular or are self-hosted on company’s or personal servers/cloud accounts. Organisations should carefully consider the risk if they should continue working with the popular ‘free’ solutions. The general user should assert her rights in relation to these technology giants. We exhibit extreme caution and vigilance in using government apps and services, while paradoxically falling prey to corporate surveillance wilfully. The same standards (if not more stringent) of accountability as those applied to the services by administration should be made applicable to intermediaries and platforms which provide these technologies.

A free product commoditises you; even if one has accepted this position, the moral and ethical obligations of the service provider to protect the interests of the average user do not go away. The service provider must incorporate data privacy principles for the collection, use and disclosure of personal information such as: Accountability; Identifying Purposes; Informed/ Explicit Consent; Limiting Collection; Limiting Use, Disclosure and Retention; Accuracy; Safeguards; Openness; Individual Access; and, Challenging Compliance. Union Minister for IT Ravi Shankar Prasad has spurred innovators in India by challenging them to create a world-class, homegrown video-conferencing solution. India, as a rapidly digitising nation, should create a culture of innovation where the respect for individual privacy is built in by design. Brijesh Singh is Inspector General of Police, Maharashtra, and Khushbu Jain is practising Advocate in the Supreme Court.