Libertatem Magazine

Violation of Privacy by Zoom Video Conferencing App


Zoom, a video conferencing platform, has risen to prominence lately as the public has moved towards video conferencing to communicate and hold meetings amid the coronavirus lockdown. The lockdown helped Zoom skyrocket its user base. It became one of the most downloaded apps on the iOS App Store and the Google Play Store as individuals use the app for yoga classes, school exercises, and virtual get-togethers. Even the Government of the United Kingdom has endorsed the Zoom app by holding daily cabinet meetings via the app.

There are numerous reasons why Zoom has achieved the distinct cult status that it has in this difficult time. At its heart, however, there’s just one reason why that is the case.

“It just works,” says Sameer Raj in an interview with the Financial Express. Sameer Raj is the India Head for Zoom. He continues,

“In a country like India, our product must function well despite packet loss (at times to the tune of up to 40%) and standard fluctuating bandwidth issues to deliver a high-quality video interaction. It does just that. That’s why there’s been a growing uptake in our service.”

Zoom is a privacy nightmare, to such an extent that governments around the globe are now sitting up and taking notice. The Ministry of Home Affairs has put out a detailed advisory for Zoom users in India, to safeguard their virtual meetings from prying eyes, describing the video conferencing app as “unsafe.” While the MHA hasn’t altogether restricted its use by individuals for private purposes in India, things aren’t exactly looking bright for Zoom and its future prospects in the nation.

This advisory by the Ministry of Home Affairs followed an advisory put online by CERT-IN stating the various privacy loopholes present within the services provided by Zoom. The advisory posted online is marked with a severity rating of ‘high’.

Legal Viewpoint

International Action

Zoom Video Communications Inc. was sued by a user who alleges that the popular video-conferencing app is illegally disclosing personal data.

Zoom Video Communications Inc. gathers personal data of users when they download the Zoom application and shares this data with third parties, including Facebook Inc., without appropriate notification to the users of the app.

Patrick Wardle, a former NSA programmer and now Head Security Scientist at Jamf, published the two undisclosed bugs on his blog.

Wardle’s first bug piggybacks off a previous finding. Zoom uses an “obscure” technique, one that is also used by Mac malware, to automatically install the Mac application even when the user is not connected, i.e., without user permission. Wardle found that a local attacker with low-level user privileges can inject malicious code into the Zoom installer to obtain the highest level of user privileges, known as “root.”

The second bug exploits a flaw in how Zoom handles the webcam and microphone on a Mac. Zoom, like any application that needs the webcam and microphone, first requires consent from the user. However, Wardle said, an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that the Zoom application has.

Indian Jurisprudence

Article 21 of the Constitution of India provides that “No person shall be deprived of his life or personal liberty except according to the procedure established by law”. However, the Constitution of India does not specifically recognize ‘right to privacy’ as a fundamental right.

Nonetheless, the same has been recognised by the Hon’ble Supreme Court in the case of K. S. Puttaswamy (Retd.) v Union of India, in which the ‘Aadhaar Card Scheme’ was challenged on the ground that gathering and accumulating the demographic and biometric information of the citizens of the nation, to be utilized for different purposes, is in breach of the fundamental right to privacy embodied in Article 21 of the Constitution of India.

The Hon’ble Supreme Court dismissed the contention of the Union of India that the drafters of the Constitution had not recognised the Right to Privacy under the Fundamental Rights. While examining the idea of the right to privacy with respect to its origin, the Hon’ble Supreme Court held that the right to privacy is intrinsic to and inseparable from the human element and is the core of human dignity.

However, some stones remain unturned, such as the ambiguity surrounding the issue of whether the Right to Privacy can be asserted against a non-state actor, as is being dealt with in the ‘WhatsApp Privacy Case’.

Furthermore, Rule 5 of the Information Technology Rules advocates that no body corporate or any person on its behalf shall – while collecting the information, the person sharing the information is required to be made aware of (i) the fact that the information is being collected; (ii) the purpose for which the information is being collected; (iii) the intended recipients of the information; (iv) the name and address of:

  • the agency that is collecting the information; and
  • the agency that will retain the information.

The body corporate receiving the data can disclose sensitive personal information to any third party, provided consent from the provider of such data has been obtained, or such disclosure has been agreed to in the contract between the recipient and the provider of the data, or where governments have requested it.

However, Zoom has shown a blatant disregard for the statutes in place, as personal data of its users was being sent to Facebook Inc. without their prior knowledge, even when one signed in without using a Facebook account.

Moreover, there is the issue of misrepresentation on the part of Zoom. A meeting on the Zoom application shows that the same is encrypted with end-to-end encryption. But despite this deceptive marketing, the service does not support end-to-end encryption, at least as the term is normally understood.

The encryption that Zoom uses to protect conferences is TLS, the same technology that web servers use to secure HTTPS sites. This is known as transport encryption, which is not the same as end-to-end encryption because the Zoom service itself can access the decrypted video and audio content of Zoom conferences. Without end-to-end encryption, Zoom has the technical capacity to spy on private video meetings and could be compelled to hand over recordings of meetings to governments or legal bodies as a result of judicial decisions.

Such an unlawful activity by Zoom can be brought under the scrutiny of Section 18 of the Indian Contracts Act, 1860 – which deals with misrepresentation.

In this era where data is crowned as the new oil, it is paramount that every citizen is made aware of the right to privacy. The same takes extraordinary importance during this Coronavirus Pandemic as most of our interactions are pushed onto the virtual realm – where we all cast our digital shadows.

A simple way to stay aware of one’s rights of data protection is to follow up on the issues raised by various NGOs that are mushrooming across the nation to voice their ideas of data protection – especially about the Pegasus spyware.

The Indian government should also be more proactive in protecting the data of its citizens. We, as a nation, are yet to receive a form of GDPR – as the Data Protection Bill 2019 hasn’t been enacted.

Author’s Suggestions

The present author additionally contends that India ought to adopt a ‘rights-based’ data protection model instead of the present ‘consent-based’ model. Under the consent-based model, the data controller is allowed to use, process and share the data with any third parties, provided the consent of the user is obtained. However, very few people know about the real consequences of rash data sharing at the time of giving consent. This argument holds particularly when we take into consideration that a significant percentage of Zoom’s user base consists of students who use the platform to attend online classes. The ‘rights-based’ model, by contrast, gives users greater rights over their data while requiring the data controller to guarantee that such rights of the users are not breached. This leads to greater autonomy of users over their data.

