Case Analysis: Zoom Case Study (Harsh Chugh v. Union of India & Zoom Video Inc.) – By Neha Gyamlani, Aditya Jain and Urmil Shah


Introduction:

Zoom is a web-based video conferencing tool with a local desktop client and a mobile app that allows users to meet online, with or without video. Zoom users can choose to record sessions, collaborate on projects, and share or annotate one another’s screens. It allows one-to-one chat sessions that can grow into group calls, training sessions and webinars for internal and external audiences. It offers different subscription plans: a free plan with a constant 40-minute meeting limit, and longer meetings with additional features that can be availed on the prescribed payment. The app can be downloaded or operated through a computer or phone, and one can join any meeting with a supplied meeting ID. One can also choose to disable audio or video before joining.

Position in UK: Zoom Inc. has been accused in the UK of sharing personal data with third-party advertisers, using video content from Zoom sessions for targeted advertising campaigns and to develop facial recognition, and recording and sharing calls with anyone it wants without taking proper consent from users, thereby violating its obligations under the GDPR and consequently the Data Protection Act, 2018 (formed in pursuance of GDPR). [1]

Position in US: A class action lawsuit has been filed in the US against Zoom as it notifies Facebook when any Zoom user opens the app and provides details about the user’s device, the time zone and city from which the user connects, the user’s service provider, and the user’s unique advertising identifier (built into users’ devices). The information is allegedly transmitted to Facebook regardless of whether the user has a Facebook account, in violation of the California Consumer Privacy Act. Section 1798 of the CCPA specifically prevents Zoom from sharing class members’ non-encrypted and non-redacted personal information as unauthorized disclosure, and Zoom is accused of having failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect their personal information. [2]

Facts:

The petitioner, a part-time private tutor concerned about the data privacy and security risks posed by Zoom, filed a PIL before the SC u/a. 32 of the Indian Constitution for violation of the right to privacy enshrined u/a. 21 of the Indian Constitution, seeking a ban on the Zoom App at the central level until an adequate law is prescribed for its functioning. The SC has admitted the PIL and sought responses from the Centre and Zoom Inc. over the allegations involved.

Issues:

(i) Whether the Zoom App violates the right to privacy of users as enshrined u/a. 21 of the Indian Constitution?

(ii) Whether the Zoom App should be banned until an appropriate data protection framework is in place?

Rule:

Articles 14 and 21 of the Indian Constitution.

Arguments by Petitioner:

The allegations put forward by the Petitioner against Zoom Inc. include:

(i) Breach of Data Privacy: The Zoom App practices data hoarding and cyber hoarding, which includes mass storage of its users’ personal data, and it stores cloud recordings, instant messages, files, whiteboards, etc.

(ii) Data Theft & Hacking: There are also instances of Zoom bombing, whereby an unauthorized person or stranger joins a Zoom meeting/chat session and disrupts the ongoing meeting. There are many instances to suggest that data theft can take place due to improper monitoring of participants entering and exiting a meeting.

(iii) Breach of Data Security: Zoom is reported to have a bug that can be abused intentionally to leak information of users to third parties. It is reported to have sold user data to Facebook Inc. without user consent, even when the users haven’t logged into their FB account. Further, on 12.04.2020 the Cyber Coordination Committee issued a public advisory on how the app is unsafe and laid out certain precautions to take while using the said app. Zoom has failed to ensure reasonable security practices and procedures as enshrined under the IT Act and IT SPDI Rules, 2011.

(iv) No E2EE: The app has falsely claimed that video calls are end-to-end encrypted (E2EE), whereas it merely uses transport encryption, which is not end-to-end encryption.

The CEO of Zoom Inc. has already apologized publicly and has accepted that the app is faulty in terms of providing a secure digital environment, which is against the norms of cyber security.

Analysis:

Since Zoom is not a one-to-one video calling application but a unified communication and collaboration platform, end-to-end encryption forms the heart of the application to secure collected data and maintain privacy. The concept of end-to-end encryption serves as a foundation for maintaining trust in terms of data privacy and is intended to prevent data from being read or secretly modified by anyone other than the true sender and recipient(s). The messages are encrypted by the sender, and the third party has no means to decrypt them and stores them encrypted. Although the latest updates to the App show that it has incorporated an enhanced encryption facility, this is still not end-to-end encryption. Since it is not end-to-end encrypted, there remains a possibility of hacking in the processing chain.

Zoom has time and again manipulated consumers with false and misleading statements, and this has been highlighted in the PIL by Harsh Chugh. The petition doesn’t cite any credible sources and merely quotes newspaper articles that deal with the alleged bug which shares personal information of users with Facebook; however, for the purposes of this case study, if it is assumed that such a bug is intentionally utilized to sell consumer data to FB, it can result in heavy commercial gains and a loss of privacy for consumers. FB can use that data to create targeted ads or other updates which work to its benefit. The bigger concern is not the selling of the data but that it is done without the permission of the user, which may at times be to the detriment of the consumer’s interest.

Such digital hoarding of data can result in excessive breach of privacy, as most of this data is not deleted even when it is no longer required, which increases the possibility of a breach of such data either at the hands of the data controller or of any third party. The IT SPDI Rules, 2011 at present do not recognize a situation whereby data must be disposed of when not required; the PDP Bill, 2019, now in the pipeline, is therefore the appropriate legislation in this respect, and such excessively retained data must be deleted when not required.

Cisco Talos recently confirmed critical issues with Zoom version 4.6.12 that pose a threat to data security, concerning the chatbox and the sending of GIFs [3]. To illustrate, if a user sends a GIF through the chatbox to another user in the meeting, the app pings the servers of Giphy (a popular GIF search engine), and an attacker can get the platform to ping a different, unauthorized server, which can later be used to leak sensitive information. Such issues with Zoom go on to show why updating an application on a constant basis is so essential.

Zoom has incorporated various measures to curb the practice of Zoombombing, including enabling a “waiting room” or “password protection” so that the meeting host has some control over the participants entering the meeting. However, there still exists a lacuna in the freedom to choose passwords, wherein people may use lax passwords like 1234 which can be easily cracked by professional hackers, resulting in a threat to the privacy of the documents or data shared during the meeting. Further, the usage of the “name changing” feature has also raised certain brows and can result in manipulation by several meeting participants. Thus it is the need of the hour that Zoom incorporates measures which curb this name changing practice so that the data of users is not “indirectly” compromised.

Conclusion:

The Zoom features have to be analysed from a technologically neutral standpoint, and a technologically advanced law is required to understand and regulate the ramifications arising out of the use of the technology. The IT Act and SPDI Rules are largely inept to deal with such novel nuances and there is a greater need to move towards the PDP Bill, 2019. The controversy surrounding Zoom never seems to end, and Zoom has more often than not found itself at crossfires with the legal and regulatory requirements of jurisdictions across the world. To illustrate, the App recently clarified through a blogpost that it is developing a technology that would allow it to block participants based on geography, in light of the Beijing’s Tiananmen Square controversy [4]. In mainland China, Zoom is attempting to restrict its free videoconferencing facility of 40 minutes to enterprise customers only due to “regulatory requirements” [5], and it is under the scanner of regulatory authorities of various countries for a number of violations, including of anti-trust law.

****

Neha Gyamlani is a founding partner at J&G Advocates. She has extensive experience in litigations arising out of trade and commerce, contracts, employment contracts, Arbitration, Banking laws, Family laws, and also litigations arising out of Transfer of Property Act, Specific Relief Act, Negotiable Instruments Act, Consumer Protection Act, RERA, Labor Laws, Insolvency and Bankruptcy Code, Recovery proceedings under RDDBFI Act, SARFAESI Act etc. Neha appears before various tribunals and quasi-judicial authorities.

Aditya Jain is a Partner at J&G Advocates and an Advocate on Record in the Supreme Court. Aditya is also practicing at the Rajasthan High Court. Aditya graduated from Gujarat National Law University, Gandhinagar and has pursued his PG Diploma in Business Laws from NUJS Kolkata. He handles cases pertaining to Commercial Litigation, Arbitration, Real Estate, Healthcare, IT and Maritime Laws.

Urmil Shah is a third-year BA LL.B student at AURO University, Surat. Urmil’s area of interest lies in commercial laws and public policy and he has a keen interest in writing. Urmil has work experience in the fields of public policy, regulatory laws and human rights. He is also an avid mooter and won the accolade for Best Researcher at the 5th GNLU Moot on Securities & Investment Law, 2019.

____

[1] Jessica Goodfellow, Zoom’s practices violate our human right to privacy, The Campaign (2020).

[2] Hopkins & Carley, What Businesses Can Learn From the Privacy Lawsuit Filed Against Zoom, Lexology https://www.lexology.com/library/detailx?g=67e96652-748c-42b6-8b66-4e1ff66be09a

[3] The critiques can be accessed from the Cisco Talos website https://blog.talosintelligence.com/2020/06/vuln-spotlight-zoom-code-execution-june-2020.html

[4] Zoom caught in China censorship crossfire as meetings foiled, ET, June 12, 2020 https://tech.economictimes.indiatimes.com/news/internet/zoom-caught-in-china-censorship-crossfire-as-meetings-foiled/76340161

[5] Yifan Yu, Zoom suspends free service to individuals in China, Nikkei Asian Review, May 19, 2020 https://asia.nikkei.com/Business/Technology/Zoom-suspends-free-service-to-individuals-in-China

Disclaimer: The views or opinions expressed are solely of the author.
