Two years ago, Facebook’s Cambridge Analytica scandal came into limelight and there were numerous concerns about our privacy and security violations every other day. For the past three weeks or so, we have found Zoom floating in a similar boat. Various experts and researchers have raised concern about the use of this video conferencing app.
As coronavirus pandemic began to spread across the world, most of the countries announced lockdowns to flatten the curve and practice social distancing. With this, the workplaces turned online and apps like Zoom became very handy for meetings. The app’s user base shot up from around 8 million to 200+ million in a matter of days.
Now, Zoom claims to implement end-to-end encryption, which is a private form of Internet communication keeping the conversations safe from third parties. However, in reality, the privacy practices used by the app are creepy, to say the least. Zoom claims to offer reliability, ease in use and a very imperative security assurance- As long as a person made sure that everyone in the Zoom meeting used ‘computer audio’ instead of calling in on a phone, the meeting would be secured through end-to-end encryption. This is listed in the Zoom website as well as its Security white paper , but the reality is different. Instead, it offers what is known as ‘Transport Encryption’.
In the Zoom’s white paper, there is an exhaustive list for the ‘security capabilities pre-list’ that are present for the host that starts with ‘Enable an end-to-end (E2E) encrypted meeting’. When a host starts a meeting with the ‘Require Encryption for 3rd Party Endpoints’ setting enabled, participants see a green padlock that says, “Zoom is using an end to end encrypted connection” when they mouse over it. When a clarification was asked from the Zoom spokesperson regarding the encryption, he said that it was not possible for Zoom to provide end-to-end encryption for the video meetings.
The encryption method that is used by Zoom is known as TLS, the same technology that is used by web servers to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and this article (on https://www.desikannoon.com) is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So technically speaking, all that audio and video content during Zoom meetings can be accessed by the company. The company issued a statement where it said that when they use the word ‘End-to-end’, they mean Zoom endpoint to Zoom endpoint. They have clearly misunderstood the whole term and refer to the Zoom “servers” as endpoints, even though they sit between the Zoom clients.
Without an end-to-end encryption, your personal data is vulnerable. Zoom can easily spy on your private video meetings and could be compelled to submit the recordings to the government and law enforcement agencies. One interesting thing to note here is that companies like Google, Facebook and Microsoft publish transparency reports describing the number of government requests for user data and the whole compliance procedure by their company. Zoom does not publish a transparency report.
Zoom has also been accused of using a tracking-based advertising biz- adtech. Researchers has said that Zoom is also in the advertising business and lives off harvested personal data. What makes this extra dangerous is that Zoom is in a position to gather plenty of personal data, some of it very intimate (for example with a shrink talking to a patient) without anyone in the conversation knowing about it. (Unless, of course, they see an ad somewhere that looks like it was informed by a private conversation on Zoom.)
The person whose personal data is been shared does not even get to know about it because Zoom does not tell them. There is no red light, like the one you see when a session is being recorded. If you were in a browser instead of an app, an extension such as Privacy Badger could tell you there are trackers sniffing your data. In addition, if your browser is one that cares about privacy, such as Brave, Firefox or Safari, there is a good chance it would be blocking trackers as well. However, in the Zoom app, you cannot tell if or how your personal data is being harvested.It is basic knowledge that nobody goes to Zoom for an ‘advertising experience’, personalized or not. Moreover, nobody wants advertisements aimed at their eyeballs elsewhere on the Net by third parties using personal information leaked out through Zoom.
Last week, researchers from cybersecurity firm Cyble found credentials of more than 5,00,000 Zoom accounts that were being sold on the dark web and other hacker forums for less than a cent each, or in most cases, given away for free. Cyble in an official statement told that it noticed a peak in Zoom accounts for sale on April 1 and was able to purchase 5,30,000 for US $0.002 each. The purchase included everything from email addresses, passwords, personal meeting URLs, and host keys- the six-digit PIN to start the Zoom meetings. The hackers used the method known as “Credential Stuffing”, where they rely on email addresses and password combinations gained from previous hacks and then test them against Zoom login credentials. More than 5,00,000 accounts were hacked through this method, which tells us about the poor practices of using the same old passwords and credentials repeatedly. Among the accounts, there were individuals with high-profile companies such as Citibank, Goldman Sachs and Chase.
Experts did not take much time in India to find out the privacy loopholes in Zoom app. The Cyber Coordination Centre (CyCord) of India’s Ministry of Home Affairs issued a 16-page advisory addressing concerns about the app and guidelines on how it can be safely used.An official statement was made by the Ministry to the government organizations to limit the use of the app for official purposes.
In view of this, Supreme Court advocates have written a letter to the Chief Justice SA Bobde concerning the violation of ‘Right to Privacy’ by the Zoom app. The petition emphasized on the K.S. Puttaswamy v. Union of India ruling and pressed on the fact that fundamental ‘Right to Privacy’ is sacrosanct under the rights guaranteed by Article 21 of the Constitution. Therefore, the petitioners pleaded for Suo Moto cognizance of this issue in order to stop the further violation of privacy among individuals. Advocate Sanpreet Singh Ajmani and Advocate Aneesh Sharma drafted the letter petition.
Providing training and necessary support for the workforce is no longer optional, it is mandatory. All the vulnerable organizations need to consider developing a cybersecurity awareness kit- ensuring staff are kept up to date with the most commonly emerging threats, and how to spot and circumvent them. The immense growth in the criminal activity online in this outbreak has urged companies to reassess their cybersecurity systems and to ensure that the employees are following best practices to minimize cybersecurity risks.
By-
Yug Sinha