
DATA SECURITY FAILURE OF VIDEO CONFERENCING APPS IN THE TIMES OF COVID

BY: VARUNENDRA PANDEY

Abstract- Data and computer security have in recent years become more vulnerable, because
there are individuals out there waiting to manipulate a person’s data and use it against
that person. Grievances regarding data threats are, moreover, a result of poor policy
execution and sheer avoidance of the fact that data threats and cyber-attacks actually exist.
The extensive role played by information technology in every field in the last few decades,
together with the absence of a strong policy for the protection of an individual’s data, has
rendered data protection a sensitive affair. This paper focuses on the growing sensitivity of
data protection in the times of COVID, as the pandemic narrowed down the roads for most
individuals and entities and made them resort to technological pathways. New technologies
emerged, most of them platforms facilitating video conferencing, and with them arrived new
challenges for data security. The paper tries to bring forward the speculation and the
challenges that these platforms have posed and their sheer disregard for an individual’s
security.

Keywords – Data protection, Cyber Crime, Cyber Attacks, Information and Technology,
COVID-19

INTRODUCTION TO CYBER SECURITY

Cybersecurity in a general sense is concerned with the protection of cyberspace and the
creation of a safe virtual space, free from cyber-threats. The notion of cyber threats is rather
vague and mainly revolves around the malicious use of Information and Communication
Technology, as a target or as a tool, creating threats to the cyberspace of the general public.
Fundamentally, the notion of cybersecurity has a three-fold meaning:

o The activities and measures taken to assure that cyberspace is free from any kind of cyber
threat that might affect the hardware and the software of a system, severely damaging or
leaking the data stored in it and creating a potential threat to national security.

o The quantum of protection that these measures and activities offer.

o The field associated with the implementation of these activities and measures against the
hostile environment created by malevolent actors; ensuring the restoration of a
cyberthreat-free cyberspace is the significant element of cyber-security.

Student of 4th year Amity Law School, Delhi

Cybersecurity is not just about data security and data privacy but much more than that,
although it is closely related to the two buzzwords.

The existence of cybersecurity is inversely proportional to the activeness of cyber threats and
cyber-attacks. The arrival of the Internet broadened the field of Information Technology and
advanced its horizons indefinitely. In the early 90s, access to internet know-how was
limited to a number of users, whereas today there is no life without the internet. The internet
and its extensive role in every field have made the individual so dependent upon it
that a sunny day without the internet is the epitome of idealism.

CYBER CRIME & ITS CLASSIFICATION

Changing times have enormously changed the dynamics of cyber-crime. Back in the days
when technological adequacy was limited, such crimes were motivated by the personal gains
of the person committing them, but with the rapid increase in technologies the
maintenance of data and its protection have become comparatively difficult, thereby
rendering cyber-crime into a more sophisticated attire formally known as Financial Crime.
The term financial crime is apt in many ways, as all data theft leads to a single consideration,
that is, money or bitcoins, either one of them or both. Digitalization of data might have made
affairs convenient, but it has also rained down the havoc of data overflow, which leads to
difficulty in data management and data protection, as most of this data is sensitive information
like bank details, credit card information, and other important data, improper handling of which
can cause loss to the individual as well as the entire nation[1]. Cyber-crimes can also be
referred to as computer crimes. Computer crime can be classified essentially under two
headings:

a. Tool; or
b. Target to perform an unlawful act[2].

[1] Shrikant Ardhapurkar, “Privacy and data protection in cyber space in Indian Environment”, 2(5) International Journal of Engineering Science and technology 943 (2010).
[2] Debashish Bharuka and Ajit Roy, Computer Crimes 229 (Indian Law Institute, New Delhi, 2004).

The Information Technology Act 2000 categorized cyber-crimes into a few groups, and the
horizon of the Act in terms of coverage has also been increased. The distinctions earmarked by
the Act are as follows:

o Cyber defamation, cyber stalking/embarrassment, digital forgery, cyber pornography,
financial crimes.
o Crimes committed on computer services, such as hacking and unauthorized denial of access.
o Crimes relating to data alteration/destruction: virus/worms/Trojan horses/logic bomb, theft of
Internet hours, data diddling, salami attacks, steganography.
o Crimes relating to electronic mail: spamming/bombing, spoofing.

The extension of cyber-crimes in the last decade has explored unexpected horizons, thereby
fuelling growing concern over privacy issues around the globe. Many organizations around the
globe, like the OECD, have been working in consonance to achieve ideal data security
protection[3]. Based on the deliberations of the OECD, the UK drafted the DPA (Data Protection
Act 1988)[4], which includes 8 principles and covers issues like what is personal information and
sensitive information, information about the data owner and the data processor, and who shall be
held responsible for a data leak. In the Indian context, it is the unavailability of effective
legislation that has brought the individual’s data into the public domain and rendered it highly
vulnerable. There is no fundamental law safeguarding data from cyber-attacks, and the
government has been using proxy laws for the same.

EFFICIENCY OF CYBER SECURITY IN INDIA

Cyberspace comprises the IT networks of the country’s computer systems and all the
fixed-mobile networks connected to the global internet. A country’s cyberspace is not just its
own but part of global cyberspace; the virtual outreach of the internet is borderless, and this
feature makes it unique. It cannot be separated by geographical boundaries such as land, water,
and sea. Lately, it has been seen that governments are working on providing their citizens or
‘netizens’ access to faster internet by enhancing their bandwidths and are intensively investing
in ICT (Information and Communication Technology) projects.

Users highly appreciate the visionary advancements by the government, but the answer that
we seek from the authorities is whether the data that we provide in common parlance to
banking services or for availing other e-services is safe enough, or whether it is out in an
open field for anyone to manipulate. These are answers that we all need to seek from the
legislators.

[3] Information Sheet (Public Sector) 1, Information Privacy Principles under the Privacy Act 1988. http://www.privacy.gov.au/materials/types/infosheets/view/6541
[4] Patient Safety and Quality Improvement Act, 2005

An inadequate set of legislations, vague in nature and often failing miserably to address
issues related to cyber threats, currently governs Indian cybersecurity. The authorities
constituted regulate compliance and enforce penalties for non-compliance under the
Information Technology Act 2000 and the Information Technology Amendment Act 2008,
which had been inactive for years till 2017[5]. However, the jurisprudence of cyber laws in
India is unclear. In 2013 the Government came up with a much-anticipated national
cybersecurity policy. It was visionary and had global outreach, but lost its grip after the
failure on the part of the government to frame any rigorous laws ensuring enough sanction
against any cyber threat.

The government constituted a 10-member committee on the reports of cyberthreats and for
recommendations on policy drafting. The committee submitted an extensive report along with
the Personal Data Protection Bill 2018. The Government introduced a Personal Data Protection
Bill in the Lok Sabha in 2019; it is currently before a joint parliamentary committee and
subject to changes.

VIDEO CONFERENCING APPS – A NEW TOOL OR TARGET

It is the sudden uprising of COVID-19 that has put the entire population across the globe to a
brief halt. Workers around the globe have been compelled to work remotely, many of
them for the first time. Meetings, businesses, schools, universities, international conferences:
everything is being conducted on online platforms.

It would not be an exaggeration to state that what we expected the world to accept was the
paradigm shift from paper-based affairs to a completely digitalized world. It is pertinent to
mention that the world did accept it gracefully, only to realize that with the upheaval of new
technologies and platforms came a plethora of opportunities for miscreants and malicious
operators to explore the dancing vulnerabilities at the other end. What we see today is a
completely digitalized world; what we cannot see is any assurance of effective protection of
the data that an individual gave up for establishing this digital equilibrium.

[5] www.dsci.in/content/cyber-security-challenges

Video Conferencing Apps: Curse or Boon

It is in the last few years that usage of these platforms increased, and the uprising of the
pandemic just accentuated the pattern. Zoom, Classroom, Cisco, WebEx, etc. have been in
existence for the past few years, but the current situation legitimized people’s dependency upon
them. There has been a widespread adoption of these technologies in daily life affairs, official
and unofficial alike, without much consideration being given to the security settings and the
safety protocols followed by the platform to protect the user’s data.

The inception of technology in the educational field has been significant throughout the
years; today’s educational system works in such a way that a profile-based database of every
student is prepared. This database is managed in software and is at the disposal of software
developers. This has compelled many users to demand more accountability and ample
transparency from the developers, especially in cases where developers sell the data to a
third party for unspecified uses[6]. While the major concern of educational institutions
remains the security of the student’s data, it is the businesses that have shown a greater shift
and are on the sensitive side of the story. Last year, Slack created a series of cyber threats
including the traditional methods of cyberattack such as malware, ransomware, password
spraying, phishing, credential stuffing, and denial-of-service (DoS) attacks[7].

Zoom and vulnerabilities around it.


Zoom Video Communications, a California-based company that combines meetings, chats,
and collaborations[8], has shown a widespread uptick in usage during the pandemic.
Work-from-home culture and the sudden upsurge of cases across the globe
contributed to it. With the considerable use of the platform, Zoom has also witnessed a
number of breaching attempts[9], bringing it under a shadow of skepticism.

[6] Tom Risen, “Privacy Concerns Don't Curb Use of Classroom Apps”, US News, September 08, 2015, https://www.usnews.com/news/articles/2015/09/08/privacy-concerns-dont-curb-use-of-classroom-apps (Last visited December 01, 2020).
[7] Catalin Cimpanu, “Slack Warns Investors of A High Risk of Cyber-Attacks Impacting Stock Performance”, ZDNet, April 27, 2019, https://www.zdnet.com/article/slack-warns-investors-of-a-high-risk-of-cyber-attacks-impacting-stock-performance/ (Last visited December 01, 2020).
[8] David. S. Mallow, Zoom’s Full featured UME Videoconferencing platform exceeds expectations, Telepresence Options, January 27, 2013, http://www.telepresenceoptions.com/2013/01/zooms_full_featured_ume_videoc/ (Last visited December 01, 2020).
[9] Supra note 6.

Last year Zoom was removed from Macs over a serious vulnerability issue that “allowed
any website to start zoom video conferencing call switching on the webcam”. Even if the app
was uninstalled, the web server remained active and re-installed the software[10]. Recent
research published by Check Point, a cybersecurity giant, reports that in recent years Zoom has
witnessed significant numbers of malicious domain registrations. The miscreants have found
a new technique in which the app fails to stop a third person from entering unknown calls,
creating a nuisance and making illicit representations; this entire process is known in technical
terms as Zoombombing[11]. The Boston bureau of the FBI has warned in its reports against making
the meeting link public or posting it on social media after two individuals disrupted an
ongoing school session[12].

In March 2020 Zoom was sued for illegally disclosing users’ data to Facebook[13], for
which it later apologized, saying that the disclosed data had been removed from Facebook.
The new policy introduced by Zoom mentions that users’ user names and phone numbers[14]
have been registered, but it is still silent on whether facial data or video footage is being
stored for Artificial Intelligence affairs or not. Zoom states that it secures collaborations with
end-to-end encryption, which is the most discreet form of securing data, but it is notable that
the connection between the Zoom app running on a user’s system or phone and Zoom’s
server is encrypted in the same way as the connection between a user’s web browser and any
website. This type of encryption is called transport encryption and is not as secure as
end-to-end encryption. With transport encryption the content is open to the hosting
platform as well, which has complete access to the unencrypted video and audio[15].
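
The difference between the two kinds of encryption described above, as an added example that is not part of the original paper and is not Zoom's code: a hypothetical relay server forwards one frame first with transport encryption only, then with an extra end-to-end layer whose key the server never holds. The cipher is a toy stand-in built from HMAC-SHA256, and the names RelayServer, alice and bob are assumptions.

```python
import hashlib, hmac, os

def _subkey(key, label):
    # Derive separate encryption and MAC keys from one shared key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, data):
    """Toy encrypt-then-MAC standing in for TLS or AES-GCM. Not for real use."""
    nonce = os.urandom(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(data))
    body = bytes(a ^ b for a, b in zip(data, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob):
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

class RelayServer:
    """Hypothetical conferencing server with one transport key per client."""
    def __init__(self, link_keys):
        self.link_keys = link_keys
        self.seen = []  # what the platform can read once transport encryption ends

    def forward(self, sender, recipient, blob):
        inner = unseal(self.link_keys[sender], blob)    # transport layer ends here
        self.seen.append(inner)
        return seal(self.link_keys[recipient], inner)   # re-encrypted for next hop

def send_transport_only(server, keys, frame):
    wire = seal(keys["alice"], frame)
    return unseal(keys["bob"], server.forward("alice", "bob", wire))

def send_end_to_end(server, keys, e2e_key, frame):
    inner = seal(e2e_key, frame)                        # key known to alice and bob only
    wire = seal(keys["alice"], inner)
    return unseal(e2e_key, unseal(keys["bob"], server.forward("alice", "bob", wire)))

def demo():
    frame = b"constructed sample: audio/video frame 0001"
    keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    s1, s2 = RelayServer(keys), RelayServer(keys)
    got1 = send_transport_only(s1, keys, frame)
    got2 = send_end_to_end(s2, keys, os.urandom(32), frame)
    return {"transport_delivered": got1 == frame,
            "transport_server_sees_plaintext": frame in s1.seen,
            "e2e_delivered": got2 == frame,
            "e2e_server_sees_plaintext": any(frame in x for x in s2.seen)}

if __name__ == "__main__":
    print(demo())
```

In both runs the frame reaches the recipient intact; only in the transport-only run does the server's `seen` list contain the readable frame.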

LEGAL AND TECHNOLOGICAL CHALLENGES

[10] Dieter Bohn, “Apple is Silently Removing Zoom’s Web Server Software from Macs”, The Verge, July 10, 2019, https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-server-automatic-removal-silent-update-webcam-vulnerability (Last visited November 30, 2020).
[11] Taylor Lorenz, “Zoombombing: When Video Conferences go wrong”, The New York Times, March 20, 2020, https://www.nytimes.com/2020/03/20/style/zoombombing-zoom-trolling.html (last visited December 02, 2020).
[12] Andrew Griffin, “Elon Musk’s SpaceX Bans Zoom video chat App over Security and Privacy Concerns”, Independent, April 02, 2020, https://www.independent.co.uk/life-style/gadgets-and-tech/news/spacex-zoom-elon-musk-video-chat-security-privacy-coronavirus-a9441591.html (last visited December 02, 2020).
[13] Joel Rosenblatt, “Zoom Sued for Allegedly Illegally Disclosing Personal Data”, Bloomberg, March 31, 2020, https://www.bloomberg.com/news/articles/2020-03-31/zoom-sued-for-allegedly-illegally-disclosing-personal-data (last visited December 03, 2020).
[14] Micah Lee and Yael Grauer, “Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing”, The Intercept, March 31, 2020, https://theintercept.com/2020/03/31/zoom-meeting-encryption/ (last visited December 01, 2020).
[15] Ibid.

In the Indian context, the lack of efficient legislation is the primary reason behind the data
threats and cyber-attacks experienced by individuals as well as entities. The lacuna in the
legal framework is what has enabled miscreants to carry out rampant illegal activities such
as data theft, phishing, cyber defamation, etc.

Certain legal frameworks that provide indirect support to the privacy and data theft laws in
India are: Article 21 of the Indian Constitution, the Indian Contract Act 1872, the Information
Technology Act 2000, the Indian Copyright Act 1957, the Indian Penal Code 1860 and the Indian
Telegraph Act 1885.

Following are the lacunae in the Indian legal framework concerning privacy laws:

o No comprehensive law; privacy issues are still dealt with through proxy laws.
o No classification as to which information is private, which is public and which
is sensitive.
o No legal specification as to who is the owner of the specified data.
o No comprehensive storage of the data accessed from the general public, which means all
data accessed is on an open server.
o No law that talks about data proportionality and data transparency.
o No legal framework for the cross-country flow of data.

In this era of technological advancement, such loopholes in the law concerning privacy issues
show sheer avoidance on the part of legislators, as these proxy laws are not sufficient and
could cause immense loss to an individual and to the nation as well.

The Globalization and Information & Technology revolution[16] in India drastically changed
the climate of information accessibility. Heavy paperwork and piles of files are just an idea
today; everything is now inside a database. Not only the corporate sector but government
bodies also imbibed the technological enhancement in their affairs. Even the individual
wanted to turn agile and smart. Although ICT might have made life easier, it has also
created ample complications. Data collection through retinal scans, biometrics, voice
protocols, smart cards and surveillance technologies, and the security of that data in a
protected database, is the prima facie concern. Data management and storage of large data files
in a single space is what we need today to secure our data, which is currently flouting back at
us upon open servers. The unauthorized passing of data to a third party for unspecified use
needs to be censored. That is how we will have to improvise our practices in the field of data
protection.

[16] Philip. E. Agre, Marc Rotenberg, Technology and Privacy: The new Landscape (MIT press, 1998)

SUGGESTIONS AND RECOMMENDATIONS

Data protection and security can be assured in a better way if the government inculcates the
following ideals in the policy that lies upon its table:

o Collaboration between the government and private sector entities to boost transparency
about the data given by the individual. The government should also discourage long-term
agreements with software companies, as this will increase market competition, thereby
raising the standards of the services.
o The government should see the entire issue of data theft and cybercrime from the perspective
of human rights violation and shall conduct regular impact assessments of data
procurement[17].
o Apply privacy and data protection bills effectively.
o Protect companies or a third party to re-monitor the data and protect it further from
unspecified use.
o The upcoming bill shall include the fundamental segregation of sensitive data, public data,
and private data.
o The upcoming law needs to contain effective sanctions against data theft or data
manipulation.
o Data monetization needs to be curbed out of fashion.

These recommendations might not completely change the landscape of Indian laws on data
protection, but they ignite hopes for a better policy.

CONCLUSION

The current scenario in the Indian paradigm in relation to data protection is not as effective
as it needs to be. The country has in the past few years seen an upsurge in cybercrimes such
as phishing, cyber defamation, and other financial crimes. Attacks are not just limited to
territory and waters; cyber-attacks are now the real thing, and to deal with them an effective
legislation, free from all encumbrances, is needed. The government of India plans to bring
out the bill as the country is now heavily digitalized, not just in terms of payments or internet
services; the administrative affairs of every small or big entity depend upon it. The new
data protection bill should be one that secures the individual’s data and establishes
the ideals of privacy as reality, not a myth.

[17] Danish Institute for Human Rights, Driving change through public procurement, 2020. https://www.humanrights.dk/publications/driving-change-through-public-procurement
