COVID-19 and Video Conferencing: A look at the privacy policies of Zoom and Vidyo

The article examines the privacy policies of two video conferencing apps, namely Zoom and Vidyo.

Raghav Tankha

The novel Coronavirus has become a global pandemic and has wreaked havoc on the world economy and health systems. It has also resulted in people adapting to this situation by working from home, using some mode of video conferencing.

This has brought to light various privacy issues that plague video conferencing applications. It thus becomes important to examine what the companies providing these services say they do to protect the privacy of their users and what is happening in practice.

It is important to note that currently, there is no comprehensive data protection law that has come into force in India. The Bill which was introduced in the Lok Sabha, the Personal Data Protection Bill of 2019, has been sent to a Joint Parliamentary Committee, where it will be scrutinized. Therefore, even the provisions which are included in the Bill in its present form remain subject to change.

In this article, we will examine the privacy policies of two major video conferencing apps which people are using to conduct their communications, namely Zoom and Vidyo.

Zoom

Zoom has gone out of its way to highlight that it does not sell user data or use the data for advertising. It has provided a comprehensive table that illustrates the type of data it collects, provided examples, and specifies the purposes for which Zoom uses this data.

Much of the information collected is data you provide at the time of registration. This is naturally going to be information that identifies you, such as your account owner name, business address, username, email address, phone number, etc. We are informed that this information is used for creating a customer account, providing its services, communicating with customers, and responding to support requests.

The privacy policy specifies that it does collect customer content like information uploaded, provided or created while using Zoom. This is said to include cloud recordings, chat/instant messages, files, whiteboards, and other information shared while using this service.

This information is said to be used for providing Zoom services, storing chat logs (“for delivery and reviewing search chat history”), for storing recordings if explicitly required by the host or customer, and for storing voice mail for Zoom phone.

Zoom has a separate modality for its marketing sites. If you visit them and provide information, then that information can be used for the purposes of advertisement and marketing. Zoom has repeatedly insisted that it does not sell user data.

Importantly, Zoom’s privacy policy mentions complying with legal obligations such as detecting, investigating, and stopping fraudulent, harmful, unauthorized, or illegal activity. It also states that data may be disclosed while responding to a valid legal process, including jurisdiction.

It informs us that its policies regarding compliance with a valid legal process preclude cooperation where a government does not have jurisdiction. It may also disclose data when it is reasonably necessary to preserve its legal rights.

While Zoom has come under extreme scrutiny, and the Government of India has gone to the extent of stating that it is not safe, Zoom has gone ahead and published security measures it is taking to protect user privacy in a separate post on its website. This is a welcome step, as any user who is using Zoom is now provided with a simple interface to understand the steps they can take to keep their conversations private and maintain their privacy.

If you are planning on using Zoom, it is important and advisable for you to visit the link cited and understand these measures. This is in addition to Zoom's privacy policy, which did not provide the exact security measures it employs. However, Zoom has tried to remedy that by now clearly stating the security measures it is taking, in an easy to understand manner.

Zoom provides an option to hosts to record video conferencing calls and store them either locally on their computers or on Zoom's servers. If a host intends to store these video conferencing calls, it is advisable to do so locally, because your local computer is less likely to be compromised than a server of a popular app.

There are also serious security and privacy issues being reported pertaining to the Zoom app, such as the selling of user data on the Dark Web.

Vidyo

Vidyo is an app that the Supreme Court of India has decided to use for its video conferencing facility. We will examine its privacy policy to see how it compares to the privacy policy of Zoom and others.

Data limitation seems to have eluded Vidyo, as the terminology it uses while describing the information it collects is very wide. It says it collects “many kinds of information” in order to offer and improve the quality of its services.

Further, instead of being clear about whether it actually collects information about a user who visits its website and uses its services, the phrase it uses is “may collect.”

The word “may” creates unnecessary ambiguity. Privacy policies should be precise and simply state the information the companies are collecting, why they are collecting it, and with whom they are sharing it.

The definition of the data Vidyo collects is inclusive and not exhaustive, thus not strictly adhering to the principle of data limitation. The legal basis for collecting this information is the consent of a user.

Vidyo uses the word “may” while stating that it might automatically collect and store certain information about the user's usage of and interaction with Vidyo’s products. Importantly, it states that it will store your Call Data Records (CDRs), which will contain details pertaining to your calls and other specified device and internet-related data.

Importantly, much like Zoom, Vidyo also provides a feature that allows a participant to record the content of video conferences and instant messaging communication. We are informed that if a user decides to use this feature, a notice will appear on the user’s screen, and Vidyo “may” collect and store the content of such video conferences and instant messaging communications.

Vidyo can use information such as CDRs to provide technical support and can also take remote access of your device to help resolve issues. This is limited only to the providing of technical support, and there is no indication that they will take remote access in any other circumstance.

According to its privacy policy, the information Vidyo collects may be used for the following:

  • Providing its products and services

  • In connection with the ongoing customer relationship, such as providing customers with information about software updates, etc.

  • Evaluating and improving products and services

  • Operating and evaluating websites as well as customizing and improving its marketing activities

  • To comply with legal or governmental requirements or demands

It is no wonder then that Vidyo, and not Zoom, is the government’s choice of video conferencing app. In the article cited here, we are told that while the app is external, conversations are being stored on government servers.

As an official of the National Informatics Centre is quoted as saying:

“Although the software is external, all the videos are stored on our own server and cannot be accessed by anyone else. The App is hosted on our own data centre.”

Curiously, the privacy policy of Vidyo, which was last updated on May 24, 2018, states that the information is stored on servers that are owned or operated either by Vidyo or Vidyo-contracted suppliers. The servers are said to be based in the USA, Europe, and Asia. But now, the Indian government says that it is storing the data.

Conclusion

As it stands, the main concern with video conferencing apps will be whether your activity, such as your conversations, chat logs, CDRs, etc., is being monitored. Zoom gives the option of recording conversations and storing them either locally or on its servers. However, in the case of Vidyo, there is complete ambiguity, as the word “may” is used in multiple places.

Further, unlike Zoom, Vidyo does not specify the mode and manner in which conversations are stored. It may be beneficial not to use the recording feature until Vidyo elaborates on just how recorded content is stored and where it is stored, specifying the server, the level of protection the server enjoys, etc.

Neither Zoom nor Vidyo specifies what data it may share to fulfil legal obligations or governmental requests. Presumably, the word “data” will include all the collected data, therefore including CDRs, video conferencing records, chat logs, etc.

The author is a Delhi-based Advocate.

Bar and Bench - Indian Legal news
www.barandbench.com