The novel Coronavirus has become a global pandemic and has wreaked havoc on the world economy and health systems. It has also resulted in people adapting to this situation by working from home, using some mode of video conferencing.
This has brought to light various privacy issues that plague video conferencing applications. It thus becomes important to examine what the companies providing these services say they do to protect the privacy of their users and what is happening in practice.
It is important to note that currently, there is no comprehensive data protection law that has come into force in India. The Bill which was introduced in the Lok Sabha, the Personal Data Protection Bill of 2019, has been sent to a Joint Parliamentary Committee, where it will be scrutinized. Therefore, even the provisions which are included in the Bill in its present form remain subject to change.
In this article, we will examine the privacy policies of two major video conferencing apps which people are using to conduct their communications, namely Zoom and Vidyo.
Zoom has gone out of its way to highlight that it does not sell user data or use the data for advertising. It has provided a comprehensive table that illustrates the type of data it collects, provided examples, and specifies the purposes for which Zoom uses this data.
Much of the information collected is data you provide at the time of registration. This is naturally going to be information that identifies you, such as your account owner name, business address, username, email address, phone number, etc. We are informed that this information is used for creating a customer account, providing its services, communicating with customers, and responding to support requests.
This information is said to be used for providing Zoom services, storing chat logs (“for delivery and reviewing search chat history”), for storing recordings if explicitly required by the host or customer, and for storing voice mail for Zoom phone.
Zoom has a separate modality for its marketing sites. f you visit them and provide information, then that information can be used for the purposes of advertisement and marketing. Zoom has repeatedly insisted that it does not sell user data.
It informs us that its policies regarding compliance with a valid legal process preclude cooperation where a government does not have jurisdiction. It may also disclose data when it is reasonably necessary to preserve its legal rights.
While Zoom has come under extreme scrutiny, and the Government of India has gone to the extent of stating that it is not safe, Zoom has gone ahead and published security measures it is taking to protect user privacy in a separate post on its website. This is a welcome step, as any user who is using Zoom is now provided with a simple interface to understand the steps they can take to keep their conversations private and maintain their privacy.
Zoom provides an option to hosts to record video conferencing calls and either store them locally on their computers or on their servers. It is advisable that if a host intends on storing these video conferencing calls, that they do so locally, because your local computer is less likely to be compromised than a server of a popular app.
There are also serious security and privacy issues being reported pertaining to the Zoom app, such as the selling of user data on the Dark Web.
Data limitation seems to have eluded Vidyo, as the terminology it uses while describing the information it collects is very wide. It says it collects “many kinds of information” in order to offer and improve the quality of its services.
Further, instead of being clear about whether it actually collects information about a user who visits its website and uses its services, the phrase it uses is “may collect.”
The word “may” creates unnecessary ambiguity. Privacy policies should be precise and simply state the information the companies are collecting, why they are collecting it, and with whom they are sharing it.
The definition of the data Vidyo collects is inclusive and not exhaustive, thus not strictly adhering to the principle of data limitation. The legal basis for collecting this information is the consent of a user.
Vidyo uses the word “may” while stating that it might automatically collect and store certain information about the user's usage of and interaction with Vidyo’s products. Importantly, it states that it will store your Call Data Records (CDRs), which will contain details pertaining to your calls and other specified device and internet-related data.
Importantly, much like Zoom, Vidyo also provides a feature that allows a participant to record the content of video conferences and instant messaging communication. We are informed that if a user decides to use this feature, a notice will appear on the user’s screen, and Vidyo “may” collect and store the content of such video conferences and instant messaging communications.
Vidyo can use information such as CDRs to provide technical support and can also take remote access of your device to help resolve issues. This is limited only to the providing of technical support, and there is no indication that they will take remote access in any other circumstance.
Providing its products and services
In connection with ongoing customer relationship such as providing customers with information about software updates etc.
Evaluating and improving products and services
Operating and evaluating websites as well as customizing and improving its marketing activities
To comply with legal or governmental requirements or demands
It is no wonder then that Vidyo, and not Zoom, is the government’s choice of video conferencing app. In the article cited here, we are told that while the app is external, conversations are being stored on government servers.
As an official of the National Informatics Centre is quoted as saying:
“Although the software is external, all the videos are stored on our own server and cannot be accessed by anyone else. The App is hosted on our own data centre.”
As it stands, the main concern with video conferencing apps will be whether your activity - such as your conversations, chat logs, CDRs, etc. – are being monitored. Zoom gives the option of recording conversations and storing them either locally or on its servers. However, in the case of Vidyo, there is complete ambiguity, as the word “may” is used in multiple places.
Further, unlike Zoom, Vidyo does not specify the mode and manner in which conversations are stored. It may be beneficial not to use the recording feature until Vidyo elaborates on just how recorded content is stored and where it is stored, specifying the server, the level of protection the server enjoys, etc.
Neither Zoom nor Vidyo specify what data they may share to fulfil legal obligations or governmental requests. Presumably, the word “data” will include all the collected data, therefore including CDRs, video conferencing records and chat logs, etc.
The author is a Delhi-based Advocate.