Technology and Privacy: The Covid-19 Crisis
By: Aditya Shukla & Aviral Agrawal*
Human rights are the most fundamental feature of any individual’s life. They constitute a set of rights inherent to all human beings irrespective of one’s nationality, place of residence, sex etc. They are inalienable and thus ensure that everyone lives their lives with dignity and without the fear of the rights being taken away.[i] It is in times of distress that the mettle of these rights is tested.
The COVID-19 pandemic has hit the world hard and left nations reeling in its wake. It has brought the world to a standstill with the kind of nation-wide lockdowns that countries around the world are enforcing. The attempt is to minimise human contact to prevent further spread of the virus. But what the pandemic could not change was the fact that man is a social animal and, for him, social interaction is a way of life.
For people stranded in different states, video conferencing apps like Zoom, Hangouts etc. have provided a means to communicate with their near and dear ones. Technology has not been used merely for communication; the government has also used it to monitor the spread of the coronavirus through the Aarogya Setu app. While the initiative by the government is commendable, it has its own shortcomings with respect to the current changing times.
This piece will aim to analyse the privacy concerns that have arisen in the recent past with these apps and will attempt to comment on the shortcomings of the government in the area of internet privacy.
The privacy concerns with respect to apps like Zoom have persisted for a long time. While a host of features like data encryption, biometric protection and others have been devised to contain such breaches of privacy, the issue has not been resolved in toto. From sharing of data with third parties to unauthorised access to user data, the user of these apps is perpetually vulnerable to cyber theft, cyberbullying etc.
On 26th March, the first concern was raised against the breach of privacy by the Zoom app.[ii] It was contended that the iOS version of the app was sharing analytical data of its users with Facebook. In response, Zoom removed the Facebook data collection feature and apologized to the users. The company stated that only the core details of the device in use were shared and not the personal details of the user. The biggest threat to privacy was “Zoombombing.”[iii] Also known as call-hacking, this means unauthorized participants joining a Zoom meeting.[iv] Calls that are not set to private or password-protected can be accessed by anyone who inputs the nine- to eleven-digit meeting code, and researchers have shown how valid meeting codes could easily be identified.[v] People are guessing or finding Zoom meeting ID numbers online and entering uninvited to leave disruptive comments or share disruptive media using Zoom’s screen-share feature. The parent company of Zoom, Zoom Video Communications, however, assigned passwords to every meeting room to protect against such unauthorised access. Issues like Zoombombing are not a result of hacking and subterfuge; they are a result of sloppiness enabled by the app and its users through poor software design.[vi]
In March, an independent hacking agency, Intercept, claimed that the app's data is sent back to the company without the encryption that the company had assured.[vii] A Zoom spokesperson responded to this, describing the logistical inability to perform end-to-end encryption. On the same day, two more bugs were discovered by a former National Service Authority hacker, one of which could allow malicious actors to assume control of a Zoom user's microphone or webcam. Another of the vulnerabilities allowed Zoom to gain root access on macOS desktops, a risky level of access at best.[viii]
In the chain of events, The New York Times reported that a data-mining feature on Zoom allowed some participants to surreptitiously have access to LinkedIn profile data about other users.[ix] Similarly, an investigation by The Washington Post found thousands of recordings of Zoom video calls left unprotected and viewable on the open web.[x] A large number of the unprotected calls included discussions on personal information, such as private therapy sessions, telehealth training calls, small-business meetings that discussed private company financial statements, and elementary school classes with student information exposed, the newspaper found.
Hundreds of similar problems were faced by users across the globe in using the app. Many lawsuits were filed against the Zoom app and its CEO. A majority of countries either banned the usage of Zoom or issued advisories related to the threat to privacy posed by Zoom. The Cyber Coordination Centre (CyCord) under the Ministry of Home Affairs (MHA) has released an 8-point detailed advisory on the use of the Zoom video-calling app.[xi] The advisory clarified that the Zoom platform should not be used by government officials for official purposes as it is not safe. The CyCord advisory by MHA has issued guidelines for safe usage of Zoom by private individuals for unofficial purposes only. The guidelines explicitly stated the risk of access to sensitive information by cybercriminals.[xii] Additionally, it was highlighted that the app doesn’t offer end-to-end encryption. The advisory claimed that some users have lost their personal data like emails and photos while using Zoom.
Other than the guidelines of MHA, Google reportedly banned its employees from using Zoom. SpaceX chief, Elon Musk, also warned employees against using the app, citing privacy and security concerns.[xiii] Various class action lawsuits have also been filed across the United States against Zoom for breaching the privacy of its users. The Senate of the United States also advised senators to avoid using Zoom over security concerns. The Government of Taiwan also banned the use of Zoom for all governmental purposes.[xiv] Similar caveats were issued by the governments of Germany and Singapore.
AAROGYA SETU APP
The Indian Prime Minister, Narendra Modi, urged the citizens to download the app during his speech on Apr. 14, 2020. While it was initially a voluntary step, the MHA order made it mandatory. The violation of the same attracts criminal punishment under Section 188, Indian Penal Code.[xv] This contact tracing app was created on the lines of successful Singaporean and Chinese tracing apps.
The pertinent observation in these matters is the urgency to balance the right to privacy and the right to health. While health experts across the globe have voiced support for these contact tracing apps, the same might endanger the right to privacy.
The Indian Apex court in the case of K.S. Puttaswamy v. Union of India,[xvi] laid down a five-prong test to determine whether a breach of privacy by any legislation or order is valid. First, it must have a legitimate basis. Second, it must pursue a legitimate aim. Third, it should have a rational nexus to the aim. Fourth, there must not be any less restrictive way to achieve this aim. Fifth, it must outweigh the harm caused to the right owner.
The Aarogya Setu App fails the first and foremost test of proportionality as there exists no legislative framework governing its functioning and there is also a lack of procedural safeguards.[xvii] The absence of such safeguards might result in misuse of the data collected during the pandemic once it’s over. Additionally, there lies an apparent threat of mass surveillance. The order to mandatorily download the app also violates data protection standards.
The order eradicates the concept of consent as downloading the app has been made mandatory and failure to do so attracts criminal liability. The app also exempts the government from liability for any misidentification of an individual’s corona status. A person wrongly identified as positive will be subjected to harsh quarantine guidelines without any reason. The said person will not have any legal recourse in these matters. Additionally, the policy of the app doesn’t define the departments of the government which can access the data of an individual through this app. The same might result in the exchange of data with unauthorized third parties.
After analysing the shortcomings of the two apps from the aspect of user privacy, one thing comes to light: the failure of the Indian government in protecting its citizens from the prospective privacy breaches that these apps may cause. Our government has failed us in terms of protecting our data.
The government was made aware of the security flaws in the Aarogya Setu app by the French hacker Robert Baptiste and, although those concerns were rectified, the Aarogya Setu app denied their existence. But, on 14th May 2020, an ethical hacker from Bangalore managed to break into the app without much difficulty.[xviii]
This highlights the serious defects in the app as well as in the manner in which the government is dealing with them: even after the alleged rectification, ethical hackers are having no difficulty in penetrating the app. These ethical hackers have nothing to gain by hacking the Aarogya Setu app, but changes must be made lest someone with malicious intent hacks the app. A similar stance can be seen in the way in which the government has tackled the privacy concerns related to the Zoom app. The MHA released an 8-page advisory with respect to the Zoom app which prevented official work from being done via the app, but what about the common people who are using the app daily for education, business etc.? The government didn’t think of them. The government has still not banned its use in India, and people are using it, most of them unaware of the privacy concerns.
Another major problem with India, when it comes to a framework for data privacy, is that there is no legislation protecting individual data. The Personal Data Protection Bill, 2019 was introduced before the Lok Sabha and contains very innovative components that would protect individual data and, through that mode, uphold individual privacy. But, no matter the good intentions of the bill, it has not been made into an act yet. This inaction by the government speaks a lot about its concern for the privacy of its citizens.
The need of the hour is to have a framework set up to protect individuals’ privacy and their data. This is a humongous task, keeping in mind the current pandemic and its effects that will last for a long time. But privacy in the modern world is something that cannot be negotiated and steps must be taken in that direction. The first step must be to enact the Personal Data Protection Act and put an end to all the apps that carry with them the risk of violating user privacy.
Summing up, with the increase in technological advancements, information has gradually left the individual and shifted online. This shift has resulted in increased instances of private data of individuals being targeted for multiple reasons and thus, its security is undermined.
In context, the multiple video sharing and monitoring applications also keep a huge amount of user data through the many permissions that they seek before functioning. This leads to increased privacy risks for users. What needs to be done is to make the owners of such applications accountable for ensuring proper security of user data to prevent data leaks like the one Facebook faced in 2008. The government must be questioned about mandating the use of an application that poses a risk to the security of its citizens and their data.
In this age of technology, individual privacy is a growing concern that has to be dealt with in a manner that enhances the faith of the users in technology. As has been talked of earlier, the right to privacy is a basic human right and must be protected. The digital age has brought with it the tools for such an act, and we must utilise our knowledge in making use of them to protect individuals’ data and uphold their privacy.
* The authors are students at the NALSAR University of Law, Hyderabad.
[i] What are Human Rights, United Nations Human Rights Office of the High Commissioner, (May 10, 2020, 4:00 AM), https://www.ohchr.org/en/issues/pages/whatarehumanrights.aspx.
[ii] Tom Warren, Zoom faces a privacy and security backlash as it surges in popularity, The Verge, (May 9, 2020, 11:09 AM), https://www.theverge.com/2020/4/1/21202584/zoom-security-privacy-issues-video-conferencing-software-coronavirus-demand-response.
[iii] ‘Zoom is malware’: why experts worry about the video conferencing platform, theguardian.com, (March 9, 2020, 10:00 AM), https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing.
[iv] Brian Feldman, Is It Safe To Use Zoom, Intelligencer, (May 11, 2020, 3:29 PM), https://nymag.com/intelligencer/2020/04/the-zoom-app-has-a-lot-of-security-problems.html.
[v] Id.
[vi] Rae Hodge, Zoom security issues: Zoom buys security company, aims for end-to-end encryption, CNET, (May 11, 2020, 7:15 PM), https://www.cnet.com/news/zoom-security-issues-zoom-buys-security-company-aims-for-end-to-end-encryption/.
[vii] Supra note iii.
[viii] Id.
[ix] Chatting via Zoom: A Blessing or a Blight?, The New York Times, (March 9, 2020, 11:38 AM), https://www.nytimes.com/2020/05/10/opinion/letters/coronavirus-zoom-video-conference.html.
[x] Thousands of Zoom video calls left exposed on open Web, The Washington Post, (March 10, 2020, 9:01 PM), https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/.
[xi] Advisory on Secure use of Zoom meeting platform by private individuals (not for use by government offices/officials for official purpose), Cyber Coordination Centre, Ministry of Home Affairs, April 12, 2020.
[xii] Debashis Sarkar, Government issues warning: 8 reasons that make Zoom video-calling app unsafe, Gadgets Now, (May 13, 2020, 5:03 PM), https://www.gadgetsnow.com/slideshows/government-issues-warning-8-reasons-that-make-zoom-video-calling-app-unsafe/photolist/75188727.cms.
[xiii] Musk's SpaceX bans Zoom over privacy and security concerns, ITnews, (March 11, 2020, 5:23 PM), https://www.itnews.com.au/news/musks-spacex-bans-zoom-over-privacy-and-security-concerns-545960#:~:text=Elon%20Musk's%20rocket%20company%20SpaceX,security%20of%20the%20popular%20app..
[xiv] Zoom banned by Taiwan's government over China security fears, BBC News, (March 11, 2020, 5:45 PM), https://www.bbc.com/news/technology52200507#:~:text=Zoom%20has%20been%20banned%20from,hugely%20popular%20video%2Dcalling%20app.&text=Taiwan's%20government%20said%20public%20bodies,Microsoft%20were%20acceptable%2C%20it%20said.
[xv] Indian Penal Code, 1860, Act no. 45 of 1860, sec. 188.
[xvi] K.S. Puttaswamy v. Union of India, (2017) 10 S.C.C. 1 (India).
[xvii] Ashi Mehta, “Does India’s covid-19 contact tracing app violate digital rights?” (OxHRH Blog, May 2020), http://ohrh.law.ox.ac.uk/does-indias-covid-19-contact-tracing-app-violate-digital-rights/.
[xviii] Zarafshan Shiraz, After French Hacker, Bengaluru Techie Hacks ‘Un-Hackable’ COVID-19 Tracking App Aarogya Setu in Less Than 4 hours (May 15, 2020, 10:04 PM), https://www.india.com/viral/after-french-hacker-bengaluru-techie-hacks-un-hackable-covid-19-tracking-app-aarogya-setu-in-less-than-4-hours-4028907/.