Zoom fiasco highlights need for data protection law

This article was first published in Deccan Chronicle.

None of the protections afforded by a privacy law are in place yet, which leaves our data open to exploitation by tech companies.

There has been a lot going on at Zoom. The video conference app has been a major beneficiary of the lockdowns imposed due to the coronavirus, as humanity participates in its largest-ever work from home experiment. As a result, Zoom’s shares have doubled in value in less than six months. All is not well, though: the company has been fraught with privacy issues recently. For instance, the Electronic Frontier Foundation (EFF) pointed out that hosts of Zoom meetings can see if the participants are paying attention based on whether or not the Zoom window is active on their screens.

Zoom would likely make the argument that the ability to check whether people are active on a team call is a feature, not an instrument meant to cause harm. That is one way to look at things. But at the same time, that is not the only slip-up in terms of privacy the company has been embroiled in this past month. VICE reported that Zoom’s iOS app sends user data to Facebook even if you do not have a Facebook account. Zoom notifies Facebook when the user opens the app and shares details about the user’s device, such as the model, time zone, city, phone carrier, and the unique advertiser identifier (a unique number created by the user’s device, which is then used to target ads).

Zoom’s privacy policy is not explicit about this data collection and there is a blame game to be played here. Facebook can make the argument that it requires developers (like Zoom) using Facebook’s SDKs and Pixels to be transparent about the data they are collecting, using and sharing. Zoom can argue, and has argued, that Facebook was collecting unnecessary device data. We need to talk about all of this because apps like Zoom and Houseparty are not going anywhere.

Instead, this incident is an excellent teacher for how policy and protections work in the data protection space. Firstly, it highlights the need and urgency for India (and other countries) to have a data protection law. These are exactly the kind of offenses a data protection law is supposed to penalise. In an ideal world, had there been a data protection law in place here, Zoom likely would have had to adhere to a standard of explicit consent. This way, the user would have been aware of what data was being shared. Had Zoom not adhered to the guidelines of consent, it would have had to pay a penalty. The data being shared with Facebook would have come under the ambits of personal data, personal sensitive data and non-personal data, requiring different levels of protection and liability.

The fact that none of the protections afforded by a privacy law are in place yet means the only protections users have are those given to them by companies whose objective is to maximise shareholder value. More often than not, maximising shareholder value comes at the cost of trampling on user rights. Most companies will be more than happy to make this trade-off and would ideally want to do it when there isn’t a data protection law in place.

At this point, it is hard to state whether or not a data protection regulation is going to be a definitive solution to incidents like these, broadly because there isn’t a lot of precedent to learn from yet. Arguably the most significant existing legislation in this space is the General Data Protection Regulation (GDPR) in the EU. The law was enforced in May 2018 and an assessment of how its implementation has fared is due from the Commission sometime this year.

There is every chance that the Personal Data Protection regulation that India ends up adopting is not going to fix everything when it comes to abuses of power that come with a vacuum in the data protection space. It is going to be hard to implement clauses and penalties on every website on the internet and to track data flow at scale. However, as any policy analyst worth their salt will tell you, change happens at the margins.

In the larger picture, Zoom sharing data with Facebook without explicit notice reflects a deeper problem of accountability within the data protection space. There are no laws, and when laws do exist, they are near impossible to impose and monitor. This should serve as a high-profile warning sign of practices that currently exist and are going to continue until regulation exists.

The writer is a technology policy analyst at The Takshashila Institution. Views are personal.