Zoom, the ubiquitous multi-party video conferencing solution that has enabled Work From Home for millions around the world, is suddenly under intense scrutiny due to recent security and privacy breaches. For the first time, the Indian government, through the Ministry of Home Affairs, has issued a warning against the use of Zoom, not only for government meetings but also for business and individual use. The reasons for such warnings include privacy intrusions, routing of messages through servers located in China, session logging by unauthorised users and so on.

A critical examination of the privacy policy of Zoom indicates that it is indeed well-crafted, covering all aspects such as what personal information is collected, the informed consent of data subjects about privacy policies, the storage and processing of personal data, user control over their recordings, and cookie policy. It also has a separate policy section for minors and K-12 children, and processing as per the relevant laws around the world.

Though the security section of the policy does not include the technology details, Zoom mentions that it takes precautions and exercises due diligence in securing the personal information of its users. It also explicitly says that the Zoom sessions and personal data are stored in Zoom servers in the US unless the customers have requested storage near their sites. Further, it has a section on the retention period, the contact details of the privacy team, and the privacy grievance redressal process.

The policy is in different languages such as Spanish, French, and Mandarin — which is a real surprise as many digital firms have such details only in English. A perfect privacy policy indeed! So what has gone wrong?

Adherence to privacy policies

Researchers have analysed the privacy policies of many digital companies and indicated that firms often tend to deviate from what they say in their policies. In a classic work on privacy policy by Professor Vila at Harvard University, it is stated that the digital market closely resembles the “lemons market” that was introduced by the Nobel Laureate George Akerlof. There is asymmetric information between users and digital firms regarding whether the firms will adhere to their privacy policy and protect the users’ personal information or not.

In the online world, a user chooses among websites that may respect her privacy (“respecting” sites) or may not (“defecting” sites), with no way to determine beforehand which is which. Then privacy in websites looks like the lemons market. As a result, we would expect all websites to not respect their privacy policies. If that is the case, should we believe and take seriously the privacy policies of the digital firms?

Most users are myopic in nature. How many of us really read the privacy policy when we access websites and avail services? Either we don’t care or we don’t have the requisite knowledge to determine whether we should part with our personal information and the repercussions of the same. Game theoretic analysis provides insights into the behaviour of firms in the presence of largely myopic users. Firms tend to deviate from their stated privacy policies and continue to use personal information beyond the purpose for which it was collected due to the presence of a large set of myopic users. What is the way out?

Be security-smart

The first way is through regulation. Privacy regulations such as the EU’s General Data Protection Regulation (GDPR) mandate firms to disclose their privacy policies. Firms shall notify the data subjects and the regulatory authority within 72 hours of the notice of a data breach. Further, if the firm has violated any of the privacy principles, there is a huge penalty of up to 4 per cent of the global turnover of the firm. Hence these stringent regulations put a brake on the defecting behaviour of the firms. Hopefully India’s Personal Data Protection Bill will also be enacted soon to protect the interests of digital users.

Second, we — the myopic customers — must become more intelligent! There are so many ways by which we can protect sessions conducted in Zoom. We can set a password for sessions and recordings; turn on the waiting room; allow only registered and domain-verified users; and, above all, master the security menu. When users become more agile in using security features, firms can no longer harvest personal information. Combined with regulatory penalties, the firms have no option but to strictly respect and adhere to their privacy policies.

Does the above hold good for apps such as Aarogya Setu, rolled out by the Government of India for contact tracing of Covid-affected individuals? The privacy policy of Aarogya Setu states clearly how the information is collected and processed. It also states how the aggregated information in anonymised form is used for government decisions on the containment of the pandemic. It mentions how long the personal information will be retained and provides options for individuals to delete the app, if needed. Hopefully, the privacy policy will be adhered to strictly after the pandemic subsides.

A message to all digital users — when every walk we take leaves behind digital footprints, it is our primary responsibility to make sure that we understand the security features and configurations in the websites and digital services that we use, and be on guard!

The writer is Professor, IIIT-Bangalore
