The pandemic struck suddenly; before the world could fully comprehend its import, humanity went into paralysis. Life across the globe came to a standstill. Governments, corporates, families and individuals had to adapt overnight to new modes of communication, transaction and service delivery. In this mayhem, the online and digital world offered viable alternatives for commuting, collaboration and decision-making. Apps and services that were popular before Covid-19 suddenly became the only fallback option. A case in point is the popular video-conferencing application Zoom. Such has been the surge in work from home and other collaboration needs that Zoom, which had 10 million daily users, crossed the 200 million mark in March; as of this writing it claims a daily user base of 300 million participants. Zoom is used by over 30,000 companies and over 40 million people worldwide, including hundreds of thousands of educational institutions. Other such apps and alternatives also saw huge growth, but Zoom sat at the sweet spot of pricing, features, familiarity, differentiation and market presence to benefit from the Covid-19 outbreak.
With popularity came cyberattacks. Hackers zoomed in on Zoom and started digging for flaws in its code; privacy advocates started examining its privacy and data-use policies; others dug out its server locations, the roots of its software code, the permissions the app takes on your device and the safety and security of users on the platform. After rising sharply, Zoom’s share price fell sharply in March when serious issues came to the fore. To the company’s credit, it has been quick to adapt and has responded well to criticism by making the desired changes in code, configurations and policies. However, the broader question of privacy, security and threats to individuals, businesses and governments still needs close examination. Recently, a former NSA researcher disclosed two new bugs that could have been used to take over a Zoom user’s Mac computer, including tapping into the webcam and microphone.
To make matters worse, such exploits, apart from compromising Zoom itself, can become a gateway for the attacker to install other malware and virtually take over the victim’s computer or his/her identity. Security researcher Felix Seele dissected the Mac Zoom installer package. To his surprise he discovered that certain techniques used by the pkg file were similar to those used by actual macOS malware samples (for example Coldroot and Proton). Such malware often pretends to be an Apple process or completely fakes the password prompt. The Zoom installer likewise asks the user to blindly enter their system password into a dialog that pops up, and then uses the elevated privileges to access system files. Various countries have restricted Zoom usage for critical work, and so have corporates. Examples range from Google stopping its employees from downloading the app for work to Elon Musk’s rocket company SpaceX banning its employees from using it, in the wake of “significant privacy and security concerns”.
The security of video-conferencing and live-streaming apps therefore needs an urgent audit, including a forensic audit of possible breaches due to known and unknown vulnerabilities (even if some have recently been patched by Zoom). Our dependence on these technologies today is so complete that until viable alternatives emerge, we have no recourse but to keep using them. If we undertake system hardening and tweak configuration settings, the contingent risks can be mitigated to a large extent. Another way would be to use alternatives that are less popular or are self-hosted on a company’s or an individual’s own servers or cloud accounts. Organisations should carefully consider the risk of continuing to work with the popular ‘free’ solutions. The general user should assert her rights in relation to these technology giants. We exhibit extreme caution and vigilance in using government apps and services, while paradoxically falling prey to corporate surveillance wilfully. The same standards of accountability (if not more stringent ones) as those applied to services run by the administration should be made applicable to the intermediaries and platforms that provide these technologies.
A free product commoditises you; even if one has accepted this position, the moral and ethical obligations of the service provider to protect the interests of the average user do not go away. The service provider must incorporate data privacy principles for the collection, use and disclosure of personal information, such as: accountability; identifying purposes; informed/explicit consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance. Union Minister for IT Ravi Shankar Prasad has spurred innovators in India by challenging them to create a world-class, homegrown video-conferencing solution. India, as a rapidly digitising nation, should create a culture of innovation in which respect for individual privacy is built in by design.

Brijesh Singh is Inspector General of Police, Maharashtra, and Khushbu Jain is a practising Advocate in the Supreme Court.