Multiple courts ignoring the glaring cyber-security flaws of the application puts the judicial system of the country at risk
Under the lockdown, many courts have taken innovative steps to ensure the continuance of court proceedings is least affected or hampered by the lockdown. Amongst these, the conduction of court proceedings via video-conferencing has emerged as a unique and highly favoured measure.
However, what is highly surprising and in equal parts disturbing, is that multiple courts, including the Bombay High Court, Kerala High Court, and Gujarat High Court among others have chosen the Zoom video-conferencing application as the application of choice for conducting such proceedings. Some of the courts have even made the proceedings open to the public without any password protection or other such basic security steps being taken. Now, what makes this decision very worrisome is that since early April and even late March, multiple data security and cyber safety flaws have emerged in the Zoom application.
In fact, the problem has turned out to be so serious that yesterday evening, the Cyber Coordination Centre (CyCord), under the Ministry of Home Affairs had to put out an advisory warning that the ‘Zoom’ app for video conferencing is not safe and thus not meant for use by government officers or officials for official use. Even for private users, the Ministry suggested a whole host of guidelines to make its users more secure, underlining the inherently unsafe nature of the application. It’s actually surprising that it took the MHA so long to issue this advisory considering that multiple tech giants like Google and Spacex had officially banned the use of Zoom fairly long ago. The Taiwanese government too has banned its use for official purposes. After multiple zoom-bombing incidents, Singapore has banned its teachers from using Zoom, and similar action was also taken in multiple districts of the USA. Moreover, the German government has advised against the usage of Zoom for official work and the US Senate has imposed an unofficial ban on the app as well.
In this context, the decision of the courts to choose Zoom for their video-conferencing needs, despite all the glaring security flaws that have emerged, appears quite baffling. It is therefore highly advisable that courts immediately discontinue their usage of Zoom, and preferably move to much more secure and trusted alternatives.
Zoom’s glaring security flaws
The first of the many security flaws that were discovered was that Zoom had been sending user data to Facebook neither with the user’s permission nor knowledge of the same. Eventually, after much outcry, the feature was removed from the application.
Then began a series of troubles for Zoom. The now near famous term ‘zoom-bombing’, refers to third party members basically hijacking Zoom sessions, using the opportunity for multiple things such as stealing of data and personal information and communication, displaying explicit or racially abusive material or a whole host of other nefarious things. Such incidents of zoom-bombing got so prevalent and out of hand that the Federal Bureau of Investigation (FBI) had to issue a public warning regarding many of Zoom’s security vulnerabilities. The concerns regarding Zoom’s security issues even led to the office of New York Attorney General, Letitia James, sending Zoom a letter outlining privacy vulnerability concerns, urging Zoom to fix them.
A former hacker for the National Security Agency, USA, discovered, that a bug in the application could allow malicious actors to assume control of a Zoom user’s microphone or webcam. Another of the vulnerabilities allowed Zoom to gain root access on MacOS desktops. Further, it was found that Email Addresses and Photos of users were being leaked to Strangers, a data-mining feature on Zoom allowed some participants to surreptitiously have access to LinkedIn profile data about other users, thousands of recordings of Zoom video calls were left unprotected and viewable on the open web, some video calls were “mistakenly” routed through Chinese whitelisted servers when they should not have been, Zoom accounts were found on the dark web, and so on and so forth. The list goes on and on.
The biggest shocker was when it was discovered that the Zoom app allows for UNC injection in the user’s computer, which allows attackers to steal the user’s Windows credentials, including their Windows password, and allows programs to be run via UNC links. Zoom also doesn’t use end-to-end encryption as promised. Zoom call data was being sent back to the company without the end-to-end encryption promised in its marketing materials.
All this has resulted in multiple Class Action Lawsuits, multiple apologies, explanations and patchwork by Zoom, and the various measures taken by the various governments and organisations mentioned above in the article. What emerges from this is a quite discernible pattern, that Zoom, simply put is not a reliable and secure application for our video conferencing needs, and especially for the needs of our Hon’ble courts.
How it compromises our courts and puts the nation at risk
Keeping in mind the highly sensitive nature of the proceedings of the court and the sensitive information exchanged in these proceedings, it is generally accepted that the proceedings of the Court may not be attended, accessed, published or be made available to the common people without the prior and explicit permission of the court. This point has been extensively discussed and upheld in Naresh Shridhar Mirajkar And Ors vs State Of Maharashtra.
Therefore considering the highly sensitive information that may be stored in the computers and other devices of the Court administration, staff and the Hon’ble judges themselves, the usage of Zoom for conducting court trials, puts all of this extremely sensitive information at risk and possibly in the hands of hackers and other nefarious organisations not only for now but for an unforeseeable time period as Zoom virtually allows such people to gain complete access to the user’s computer, without the Courts even ever realising it, let alone consent to it.
Our courts deal with and store a lot of extremely sensitive information of thousands of private individuals, multiple corporations and even the State governments and the Central Government. The computers of the courts may even contain data which if illegally accessed could jeopardise national security, such as in the case of the Rafale or Bofors case. This highly sensitive data could via the security flaws of Zoom, end up in the hands of parties to a suit, allowing them to peek into the mind of the bench thereby giving them an unfair advantage. It could even end up in the hands of data miners who could illegitimately sell this precious data for large amounts of money, or hold companies and individuals whose sensitive information may be accessed, to ransom, opening up a whole minefield of extortion.
Thus, it is highly advisable that our courts immediately stop using Zoom to conduct any sort of court proceedings and cancel any future proceedings that had been planned to be held via Zoom, in favour of other more secure and reputable alternatives.
Some fairly reputable and more trusted alternatives to Zoom, that may be equally if not more useful for conducting court proceedings via video-conferencing and hosting of sensitive court documents include, Microsoft’s Teams, Google Hangouts, and Cisco Webex, among many others. While some of these applications may require a fee or subscription for usage, they come from relatively long-standing and trusted developers whose credibility is arguably much better than that of Zoom. Plus, a small fee to pay for securing our court proceedings and the sensitive information of thousands of parties is nothing when compared to the possibly incalculable loss that the nation as a whole may end up suffering just because our Hon’ble courts didn’t take cyber-security a bit more seriously.
Aryan is a first-year student at Dr. Ram Manohar Lohiya National Law University, Lucknow.
Image Source: Tech Times