Answering the critics of Aarogya Setu

I would like to draw the attention of the critics of Aarogya Setu as expressed in the article that appeared today in TOI under the title, “Transparency and respect for Privacy are essential…to build trust which is totally absent from Aarogya Setu process”

The author expresses the opinion that “Contact Tracing” apps are invasive and if insecurity in the app is not fixed, we may be helping snooping and hacking. The author advocates that the source code of the app should be made public and its use should not be made mandatory. The author praises the Apple-Alphabet partnership to restrict sharing of location data and calls it a “Privacy respecting” and “Secure” measure.

The collection of location data and limited scope of liability and accountability is what the author considers as endangering the “Safety of millions at risk”.

The first correction we need to make to this statement is that the app collects only minimal information about the person who downloads it and gives him an option to declare his health status. He can very well declare himself as healthy. If and when he is diagnosed as infected, then his status would be suggested to be changed. If the person does not change it, he would be liable for giving false information which could endanger others.

The potential to endanger the community with false information therefore lies with the individual and not the Government. As regards the “Location information”, I suppose the author who represents the Software Freedom Law Center is aware that Google does track your location through your Google map usage openly and perhaps covertly through the in built location detection mechanism. The activists however trust Google but not the Indian Government because these commercial organizations do fund many NGOs to lobby for them, while the Indian Government ignores them.

Now we come to the question of “Leakage of Information”.  The app certainly collects the mobile number which is the most significant personal identity collected. Name, gender, age, profession, countries visited in last 30 days are details which the data principal himself submits. At this point of time these are not verified though the Government can track the mobile number and find out in whose name the SIM is registered. If it is a prepaid SIM, even this data is not very reliable.

Hence the “Location Data” if tracked is a “Pseudonymous personal data”. It is only when the person encounters an employment situation or undergoes a test in a hospital, the question of whether the name as declared in the App and the real identity that can be picked from say the Aadhaar card comes into the open.

We do not know if the Government wants to take any action for such “Voluntary impersonation”. If necessary the activists may ask the Government about the intended punishment for such impersonation. Such impersonation does not affect the person coming into contact with others in a mall etc since the app can still track the mobile to whomsoever it may belong. If an employer has made installation of the app mandatory to come back to work, then the person has to register the app in his name in which he has the employment and cannot impersonate himself.

So it is unlikely that we can prove that the impersonation itself caused any harm and hence the legal liability may not be enforceable except as an “Attempt” to mislead others.

As regards the making of the App “Open Source”, I do not trust the activists to make any responsible use of the open sourced code to come up with any suggestions on improving what they call as security weaknesses in the App. I rather would suspect that they would be hiring unethical hackers to hack into the app and create problems for the Government.

As regards the mandatory status of the App, we must appreciate that there is a right even for the people who interact with a suspected infectious person whom these privacy activists are trying to protect from revealing his status. This right of safety supersedes the right of privacy of the app owner.

The Supreme Court is also well aware that the “Freedom to stretch one's arms stops at the tip of the nose of the person standing next to him”. Hence the claim of the legal flaws related to Aarogya Setu app if brought before the Supreme Court would get a fair dealing unless the activists can fix the decision by any nefarious arguments.

It can however be agreed that if the Government had been more careful, it could have avoided the confrontation with the activists. Just as they let the opposition mislead the public with the CAA, they are now allowing the privacy activists to mislead the community into believing that a great calamity would occur if they register themselves for the Aarogya Setu app.

Naavi

Also see: Exposing the IMAGINARY Aarogya Setu security issues raised by Elliot Alderson @fs0c131y

Posted in Cyber Law | Leave a comment

Race with Pakistan.. Should we not win?

It is interesting to note that Pakistan is coming out with the Personal Data Protection Act 2020 of its own and is challenging India to change the name of its Bill as otherwise we will have PDPA 2020 of Pakistan and PDPA 2020 of India.

We welcome the initiative from Pakistan which has also given us a renewed reason to drop our complacency and the fear of the ever present Lutyen media backed Nay-sayers and get the Personal Data Protection Bill 2019 finalized. If we let Pakistan pass their bill ahead of us, it will be a huge embarrassment for India in the international scene.

Hope the JPC led by Mrs Meenakshi Lekhi realizes that we cannot lose this battle to Pakistan and the JPC has to ensure that we pass our law before Pakistan.

I therefore request Mrs Lekhi to call for a virtual JPC meeting immediately and proceed with the finalization of the Bill.

If we wait endlessly, there will be more hurdles created by the creative Internet Freedom fighters who will set up the IT committee led by Sashi Tharoor to counter the JPC and further delay the passage of the Bill.

If we had passed the Bill by this time we could have effectively countered many of the objections raised regarding the Aarogya Setu app since there would have been a legal backing for the Government for collection and processing of the Covid 19 data without affecting the privacy rights. This will now be coming up for question in the Kerala High Court and the Central Government will be cutting a sorry figure for defending why it could not pass the Act for so long.

Naavi

Link to the Pakistan Personal Data Protection Bill 2020


Quantum Computing takes a step further

We have earlier discussed certain concepts of “Quantum Computing” at this site and its impact on Cyber Laws of Evidence, Encryption security and Data Protection. I give below the links to those articles for a quick review:

Quantum computing and Emerging Cyber Law Challenges… Are we ready? : March 10, 2018

Section 65B in the Quantum Computing Scenario: March 16, 2018

Theory of Dynamic Personal Data: March 31, 2018

In the wonderland of Quantum Cyber Law, Physics is part of the Law specialization: April 3, 2018

The Vast and Far Reaching Applications of Quantum Computing- June 20, 2018

China working on achieving Quantum Supremacy: July 5, 2018

China may be developing its own unbreakable encryption system through Quantum Computing: July 5 2018

Is it the beginning of the Chinese domination of the Globe?…Mr Modi to take note: July 5, 2018

10000 years=200 seconds in Sycamore Processor: October 24, 2019

Now I was delighted to see that one of my classmates in MSc, Physics at Manasa Gangotri, Mysore (1973 batch) has achieved a significant breakthrough in the research field of Quantum Physics working in the MIT, USA. I want to share his story with the audience here as a tribute to his achievements.

I am reproducing the article which had appeared in the “Star of Mysore” on May 4

He is the second of my old friends who appears to have achieved global recognition for contribution in his field. The other proud classmate from my High School days was Colonel Gopal Kaushik who had a key role in the Indian nuclear test at Pokhran in May 1998.

I am proud to have the association of these two gentlemen and salute them for their achievements.


New Discovery By Kodagu-Born Dr. Jagadeesh Moodera And Team At MIT

It boggles the mind when told that a subatomic particle exists simultaneously at two different spots.  One location could be on your table and the other on the surface of Jupiter!

English Physicist Paul Dirac theoretically proved way back in 1930s that fundamental particles known as fermions should have a counterpart somewhere in the universe with an opposite charge – known as anti-particle.

Complicated. Difficult to fathom. I fail to comprehend. Based on this theory it is theoretically possible to have ‘teleportation’ that is portrayed in science fiction movies and books.

Coorg-born Physicist Dr. Jagadeesh S. Moodera has been a scientist at Massachusetts Institute of Technology (MIT) since 1981. He has several path-breaking research papers to his credit. My wife and I had the good fortune of a guided tour of his laboratory at MIT during our visit to Boston to attend the Kodava Convention-2019, in September last year.

Dr. Jagadeesh explained the intricacies of the experiments that he and his team were involved in.   It was fascinating to see a huge setup with myriad tubes, probes, cables and instruments in order to create a 100% vacuum in a space of about 2 cubic centimetres.

Part of the experiment was conducted in this small space which was absolutely contamination free.  There was another setup equally complicated where a space was created for the experiment which was free of any kind of vibration – not even that created by the traffic in the streets distance away, or footsteps of students in the nearby corridors.  In addition, this space is cooled to -273 degree centigrade (that’s as close as one could get to -273.15 degree centigrade which is absolute zero).   The experiments were conducted under these ideal conditions and usually between 10 pm and 6 am when chances of vibration were the least.

The experiment Dr. Jagadeesh and his colleagues have been working on since 2012 was to discover what Italian Theoretical Physicist Ettore Majorana, extending on Paul Dirac’s theory, had postulated in 1937 that there should be some subatomic particles that are indistinguishable from their anti-particle.

Scientists have been looking for these particles named Majorana fermions. Many theories have emerged over the years.  Theoretical Physicists at MIT and elsewhere predicted that Majorana fermions may exist on solids such as gold under certain conditions.   Dr. Jagadeesh and his team were on a mission to discover the existence of the elusive Majorana fermion.

The experiment, extremely complicated, needed many long hours in the laboratory.  Dr. Jagadeesh explained how the delicate research was carried out at nano-particle level and observed through Scanning Tunneling Microscope (STM).  STM is capable of ‘feeling’ the presence of atoms and molecules.  3mm x 3mm was the size of the surface on which the experiment was carried out, consisting of nano-wires of gold, grown on superconducting material: Vanadium.

MIT News dated 10th April 2020 has announced the successful sighting of the mysterious Majorana fermion by Dr. Jagadeesh Moodera and team. This is a major breakthrough.   In Dr. Jagadeesh’s words ‘We have shown they are there, and stable, and easily scalable.’  Please visit webpage: http://news.mit.edu/2020/first-majorana-fermion-metal-quantum-computing-0410

The finding that Majorana fermions are scalable and could be made into qubits (individual computational units) is spectacular.  These qubits could be used to build the most powerful and error free quantum computers. This will be a step closer to the phenomenon known as Singularity, which predicts that by the year 2042 AD there will be computers that will have computing power of all the human brains put together!

Once Singularity is achieved, humans need not invent anything further.  Solutions to the most complex problems will be arrived at within seconds.  If we had these computers today, a remedy for the current Covid-19 would have been found in a jiffy!

Dr. Jagadeesh’s wife Dr. Geetha Berera is a senior lecturer in MIT and we had an opportunity to visit her laboratory as well.  The couple are totally dedicated to academics and research. Every year they visit Coorg and conduct a Quiz programme for school students.  They are in the process of starting a school in Coorg under their organisation – CREATE Gurukula Trust – focusing on encouraging young minds in research activities.  Meritorious students at Coorg Institute of Technology (CIT) are recipients of annual scholarships and awards instituted by Dr. Jagadeesh and Dr. Geetha. Dr. Jagadeesh and Dr. Geetha are eminent role models for young Kodavas to emulate.


Spreading Awareness of PDPA-India

After FDPPI completed the two certification programs for Data Protection Professionals (CDPP-I),  with a program of 18 hours of online teaching, Cyber Law College of Naavi has completed one more crash course of 12 hours for about 45 participants mainly from the Elite CISO group of Delhi.

Presently another batch of around 40 persons from Elite CISO are undergoing another crash course program for 12 hours.

While Naavi is conducting these sessions and Cyber Law College is providing the participation certificates, these participants are also eligible to move further on to take up the Certification examination of FDPPI and get certified if they are interested in the certifications.

Naavi/Cyber Law College/FDPPI acknowledge the enthusiasm of the members of the Delhi chapter of Elite CISOS and more particularly Mr Vikas Arora in making this spread of knowledge possible.

Creating wide awareness of the Personal Data Protection legislation as it is emerging in India now is essential to ensure an early adoption of the act when it finally becomes a law.

Naavi


Is Aarogya Setu a Privacy threat? or a Security shield?

Critics are endangering the silent majority

There is a class of critics in India who do not spare any opportunity in taking a dig at the Government for every decision and also take the issue to the Courts to challenge every day-to-day operation of the Government. This has happened earlier in respect of the ITA notification on Section 69 and Section 79 when Government wanted to make some amendments to the notification and the critics cried foul and went to the Court to stall the Government move. This frequent invocation of Court intervention by publicity hungry PIL lawyers supported by a section of the media which always highlights such opposition has posed many avoidable challenges to the Governance.

However, as a part of the democratic tradition of our country, it is necessary for us to accept such challenges.

At the same time, it is necessary for that section of the population which is in agreement with the move of the Government and is opposed to the critics not to hesitate coming out with their own opinion countering the objections despite it looking like swimming against the tide. But it is always the silence of the majority that enables the minority to create disproportionate noise and if we need to prevent misconceptions spreading out in the community, it is necessary to be vocal to express what we believe as true and face the backlash if any.

Naavi.org has been following this tradition since 1998 when it started out its activity first under naavi.com and naavi.org (before naavi.com it was squatted by somebody else and had to be dropped).

Currently we have an occasion to express our views on Aarogya Setu the App which the Government of India is promoting as a measure towards mitigation of the Covid19 spread risk.

After the COVID Lockdown, there have been discussions on the strategy for lifting the lockdown and allowing the movement of people, starting of business activities in a manner that would not ignore the possibility of a spurt in the infection cases. One of the arguments has been that the economy cannot be forever put under lockdown and we need to restart immediately.

If however, there is an increased incidence of infections, while we keep the medical defense ready, we also need to improve our ability to track the movement of an infected person in the immediate previous 14-30 days to alert all those who came in contact with an infected person. Such persons can undertake a test and be assessed. If they are infected, they need to be treated. If not they could continue their activities with confidence.

In view of this requirement, the world over, Governments started introducing mobile based “Contact tracing apps”. These apps could use Bluetooth and GPS tracking of the mobile and based on other mobiles with similar apps could generate alerts when an infected person came near another non infected person. Such GPS based tracking has been regularly used by the advertising industry to provide information of services available around you (including Uber and Ola) and also for identifying your social media contacts if they are around.

The “Critics” who have so far been tolerant of the GPS based apps who bought the location information mostly from Google through their licensed mapping solution, have suddenly turned aggressive when the Indian Government wanted to introduce an App which could track the movement of the device holder in the immediate past. Along with this, the app provides some useful Covid information.

But the most important reason why this App is needed is to enable a healthy individual to avoid interaction with another person who may have either been positively diagnosed  for COVID or is suspected to be a carrier.

There have been two types of objections to this App. One is that it violates the privacy of an individual because it tracks his physical location. Second is that the information gathered may be misused for surveillance. One is a professional Privacy and Information Security argument and the other is purely political.

We shall restrict our discussion to the objections from the professionals and leave out the objections raised by Rahul Gandhi or Sashi Tharoor which are political comments. These politicians are known to pursue their agenda irrespective of the damage they may cause to the nation and it is their privilege to do so. But many professionals are unable to keep their discussions free from political considerations and hence some of the criticisms from Privacy and Security professionals become coloured with prejudice and confuse an ordinary person.

The App which was launched on April 2, was first pushed by the PM on 14th April 2020 and  got critical attention when on April 29, the Government issued a circular that it is compulsory for all Government employees returning to work to download the app and keep it in operating conditions. This raised the bar since the Government was making it partly mandatory. In the private sector the employers were made responsible for similar compulsion if they wanted to re-open their business and allow the employees back to the offices.

The order of May 1st by the Government is said to have pointed out to Section 188 of IPC which suggests imprisonment up to 1 month for disobeying a lawful order of a Government servant.

The Privacy activists now have a serious objection for the mandatory nature of the need to download the app and to keep the Bluetooth and GPS tracking on at all times because they consider it their right to privacy to hide their physical location at any point of time. Some Security specialists like the French citizen “Robert Baptiste” who uses the twitter handle “Edward Elliot” (Information from Wikipedia), also pointed out what they called as bugs in the app which could be considered as a security risk.

Many of these critics are advising the public how to cheat the App and such advice can only be termed as lack of concern for national safety.

In Noida, a group of residents have started a legal battle against the local administration. They have now filed a police complaint and intend to take it up further with who else but the Supreme Court. In Kerala a Congress leader has already moved the High Court against the usage of the App and got notices issued to the Government.

While the Government fights the Covid19 at the medical level, it has been dragged into other side battles to divert its attention.  We need to wait and see whether the Courts would be able to see beyond technicalities and political prejudice and come up with decisions in the larger interest of the community since most of the persons who oppose the petitions may not be able to represent themselves in the Court while the supporters of the petition can engage the services of advocates who can argue that a Mango is an Orange if they are suitably paid and do it convincingly enough for the Judges to appreciate.

The Privacy Concerns

Some of the privacy concerns that have been expressed are that

  1. Aarogya Setu collects personal information of an individual without his or her consent
  2. The use of the app is made mandatory for all citizens
  3. App is tracking the location of the mobile continuously
  4. App collects personal information  such as name, phone number, age, sex, profession, countries visited in the last 30 days and whether a person is a smoker or a non smoker and his or her medical condition.
  5. Use of the App raises the risk of “institutionalization of mass surveillance”
  6. Use of the app urges people to Pre-emptively take tests and overwhelm the public health systems prematurely
  7. Use of the app inadvertently discriminates against regions which have fewer concentrations of smartphones

The Internet Freedom Foundation (IFF) which is spearheading the legal action in Noida has raised its objections through a letter written to the parliament members and will soon approach the Supreme Court for relief against their concerns some of which are common with the case filed in Kerala High Court.

The main argument against the app is the “mandatory nature” of the order for employees. Otherwise, the consent is provided by the people who download and the privacy policy indicates the use of the information which may pass the test of reasonableness given the present public health emergency which we are in. The security objections raised by Edward Elliot have been found to be only peripheral issues not serious enough to be worried about. The objections of IFF on overwhelming of public health system etc are gap fillers in the petition and do not need attention.

The Government has also clarified that the data collected is stored in the user’s device and would be deleted in 30/45 days. Hence most of the Privacy concerns are being addressed.

No Need to Put the Source code in the open

There is one demand that the Aarogya Setu source code should be put in the open source. It is not recommended since hackers are waiting to subvert the system and whether they call themselves “Ethical” or not they cannot be trusted.

“Obfuscation” of the code is an information security strategy and the Government should secure its source code to prevent motivated attacks.

Circular should  be Re-worded

We need to therefore come back to the “Mandate” and the pointing out of Section 188 of IPC.

The Government as usual has not anticipated the possibility of the opposition mounting this attack through the legal challenges and perhaps thought that we are in the era of “Dharma Yuddha” where in times of crisis, certain norms of opposition would be followed. But for the Duryodhana clan, everything is fair in politics and pulling the rug under the Government even at the time of this crisis is only a fair game.

As a result of this, the Government failed to put its circular in the proper perspective and has given a handle to the opposition to beat itself. The only saving grace for the country is that we have a PM who is not allowing himself to be distracted from his goal and doing his best to take steps towards mitigation of the Covid19 risk in a manner he thinks is best. All the critics are not able to provide any alternatives but are only happy to criticize. They deserve to be ignored.

I however suggest that the Government should re-issue the circular of May 1 with a cover note where it should state as follows:

“Lockdown continues until further notice and nobody should move out of their houses unless they have the necessary pass issued by a Government authority.

However, exception would be granted to those individuals who voluntarily submit themselves to a discipline which includes social distancing, wearing of masks and keeping an active Aarogya Setu enabled smart phone.”

If people realize that it is in their own interest to know if the person next to him is not a person who has recently returned from a vulnerable foreign country or was a person who was assessed infected less than 45 days back, they would gladly agree to use the App.

The Organizations and the Government have every right to secure their working area by mandating that employees will continue to be on work from home location unless they start using the Aarogya Setu app in the interest of other employees with whom they may come into closer contact if they attend the office.

It is the right of other employees who have downloaded the App in their own health interest to insist that no dilution of this order should be permitted.

Courts whether it is the Supreme Court or the Kerala High Court should not take any decision without considering the rights of this silent majority of people who are concerned with their colleagues who may be carriers of the infection and may join employment by disabling the Aarogya Setu app or the Bluetooth/GPS  functionality because they have a false sense of them being Privacy warriors. If the Courts ignore the safety of this section of people who are 9.5 crores at present, it will only display a judicial impropriety that is avoidable.

Digital Rights Survive if we survive COVID-19

For activists,  I would request them to check their own suggestion on storing of the information in the device etc as provided in their website and accept the Government clarification in this regard. If they shed their anti-government attitude they will agree that this app has a purpose and we don’t gain anything by killing it.

Activists  should also spend their energy more fruitfully and look at the Net Neutrality concept being adversely affected by the Alphabet & Apple agreement on sharing of GPS data, the Bois Locker room issue, the INS attack on WhatsApp admins, Banning of Tiktok, Banning of Crypto Currencies etc., which are all representations of misuse of Internet Freedom,  rather than focusing only on anti Government issues.

Activists should realize that Digital Rights will survive only if we survive COVID-19. Let us fight COVID-19 first and then focus on digital rights.

Pass Personal Data Protection Bill 2019 immediately

The petitioners who have approached the Courts will be pointing out that the lack of a Privacy Protection Law is allowing the Government to indulge in this excess.

I wish that the Government takes the cue and based on whatever public comments already with it, go for immediately passing the Personal Data Protection Bill 2019 after conducting virtual meetings of the Parliamentary committee.

PDPA has the exceptions under which the Aarogya Setu could operate as a Sandboxed scheme.

Naavi

(Views expressed here and in other articles on this blog are entirely the personal views of Naavi)


When Zoom Got Bombed

(P.S. This article was first published in India Legal Magazine)

One business that has thrived during the lockdown in various parts of the world is video-conferencing, virtual meetings and virtual collaboration solutions. Many large corporations have already installed virtual meeting infrastructure across their branch offices and were quickly able to adapt to this form of doing business by adding more individual users logging in from different locations.

A large number of SMEs and individual businesses, however, had to search for affordable and easy-to-use solutions to establish face-to-face contact with their workers scattered in different locations. Educational institutions also had a requirement to conduct classes in the virtual environment to meet their teaching deadlines. Such users found that the Zoom communications platform was convenient and affordable. As a result, its business spurted from around 10 million users to 200 million.

Companies, which had competing products and were big names in the industry, felt their egos bruised by the phenomenal success of this relatively small company. They launched a well planned attack on Zoom and the fact that it was promoted by a Chinese entrepreneur. They tried to bring down its popularity partly to get some business themselves and partly to satisfy their hurt egos.

The campaign against Zoom revolves around security issues. One issue is that uninvited persons can log into running sessions where there is no password set for the meeting or where the password is weak and predictable. As the meeting password is not considered as important as bank account passwords or similar other access environments, users tended to set weak passwords. These intrusions were highlighted as “Zoom bombings” and the possibility of corporate espionage was stressed.

Secondly, data used during corporate meetings had to move between different users and to ensure that this moved without much latency, the company maintained servers in different countries, including China. Rivals highlighted this and showed the possibility of Chinese espionage.

A third complaint raised was that Zoom claimed to have “end-to-end encryption”, whereas it was theoretically only encryption from the sender’s computer to the receiver’s. It was quite like an “https” connection and did not extend to the processes within the sender’s and receiver’s systems at the application level. This was suggested as a deliberate misrepresentation. There was also an allegation that Zoom shared some data with Facebook without the knowledge of the user and that some log-in IDs and passwords were on sale on the dark web.

As a result of these allegations, a campaign was launched to show that Zoom video-conferencing solutions were unsafe. Media, which did not understand the depth of the problem, also painted a picture of Zoom being the only software where all security flaws were found and hence its use should be discontinued. Neither the media nor others presented any better alternative. Its Chinese ownership was also a reason for some to switch to other solutions.

It was unfortunate that the home ministry became a pawn in this game of one-upmanship. As usual, a section of the media claimed that the home ministry had evaluated the Zoom application and was not in favour of its use from the security point of view. While the ministry’s concern about the use of Zoom for meetings of government officials was perhaps genuine, the unusual action of it coming up with a press release, including a set of “secure configuration guidelines” was strange. Though this notification was meant only for government departments, the media implied that it was a national security advisory. Normally, any such guidance should be the responsibility of the Ministry of Electronics and Information Technology (MeitY) and there was no need for the home ministry to step into its shoes and come up with operating guidelines on a subject in which it has no direct knowledge or expertise.

By the time this notification was released, Zoom had already attended to most of the concerns. It changed the default settings of the meetings to a higher security level and left it to the choice of the user to downgrade the security features. It also provided an option to the user to avoid servers in specific countries such as China.

Zoom bombings were due to the user’s negligence. Instructions were released to set a strong password, use the waiting room facility and to lock the meeting if needed. This could avoid unauthorised entries into the meetings. Zoom also clarified that personal data sharing with Facebook occurred because its software development kit (SDK) for log-in authentication collected information beyond the permissions required and granted. It appears to be a deliberate violation of privacy by Facebook, though there could be some negligence on the part of Zoom too.

The controversy regarding end-to-end encryption was more of semantics than anything else. Security experts say that if the encryption is not done at the application level and decrypted only at the destination, it cannot be considered as “end-to-end”. It is possible that the marketing personnel at Zoom called their encryption “end-to-end encryption” without recognising the difference.

However, most messaging services, including popular email ones, use only transport-level encryption and not the real end-to-end encryption. Even banks in India may not be using real end-to-end security. Hence, singling out Zoom for such a mistake is unfair.
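The distinction drawn above can be seen in a small model of a relay server. This is an added example, not code from the article or from Zoom: the `Relay` class, the `alice`/`bob` names and the toy SHA-256 based cipher (a stand-in for a real authenticated cipher) are all assumptions made for illustration.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode); stands in for a real AEAD cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Relay:
    """Hypothetical conferencing server holding one transport key per user."""
    def __init__(self, link_keys):
        self.link_keys = link_keys
        self.seen = []  # everything readable at the server after the transport layer

    def forward(self, sender, receiver, blob):
        inner = unseal(self.link_keys[sender], blob)   # transport layer ends here
        self.seen.append(inner)
        return seal(self.link_keys[receiver], inner)   # new transport layer to receiver

def transport_only(relay, links, msg):
    wire = seal(links["alice"], msg)
    return unseal(links["bob"], relay.forward("alice", "bob", wire))

def end_to_end(relay, links, e2e_key, msg):
    # The application encrypts first with a key the relay never holds.
    wire = seal(links["alice"], seal(e2e_key, msg))
    return unseal(e2e_key, unseal(links["bob"], relay.forward("alice", "bob", wire)))

def demo(msg=b"constructed sample: board meeting notes"):
    links = {"alice": os.urandom(32), "bob": os.urandom(32)}
    e2e_key = os.urandom(32)  # shared by alice and bob only; key exchange not modelled
    r1, r2 = Relay(links), Relay(links)
    return (transport_only(r1, links, msg), r1.seen[0],
            end_to_end(r2, links, e2e_key, msg), r2.seen[0])
```

In both modes the receiver recovers the message, but only in the transport-only mode does `relay.seen` contain it in readable form.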

Before the home ministry jumped into the fray, it should have realised that the problem with Zoom was both of technical interpretations and user awareness. It was not an issue of fraudulent intention. The ministry was not capable of understanding the nuances of technology and should have refrained from giving the impression that it was giving a technical advisory on Zoom.

Criticising Zoom without criticising Facebook for misusing the consent shows prejudice. Perhaps this should be investigated as the Facebook log-in SDK of the type used by Zoom may also be in wide use in India by others. In all such cases, there could be a siphoning off of personal data beyond what has been consented to by the user. The home ministry has not revealed that email providers also use only VPN security and not end-to-end security. Had it done so, it would have placed the issues observed in Zoom usage in the right perspective.

If Zoom had installed any malware like some Chinese applications do, then the home ministry would have had a reason to issue such advisories. But it did not consider TikTok and UC Browser type applications for a ban. This could be due to its ignorance or pressure from certain business lobbies. It is also to be recognised that Zoom has been promoted by a person of Chinese origin but is not a Chinese company. It is a US company and the promoter is perhaps now a US citizen settled there.

The ministry should also have realised that Zoom as a company is not like telecom equipment suppliers like Huawei or Chinese mobile companies. Some of these companies have allegedly preinstalled malicious applications to bring users under surveillance of the Chinese government. Even point of sale systems used for card authentication at shops and biometric devices used for Aadhaar authentication are being imported from China and the ministry should worry if these have any hidden backdoors.

The ministry appears not to have heard about Deepfake and Deepnude applications which threaten society and could create huge problems. If it was watching the web world, it would have moved to block such apps along with voice-changing apps, Blue Whale or other gaming apps which require urgent attention. It has also remained silent when larger security issues arose when Bitcoin exchanges were allowed to resume their operations, unmindful of their use in possible terror funding.

By not coming out with advisories in such cases and over-reacting to the Zoom controversy, the ministry appears to have been used by industry in a commercial war between companies. In comparison, MeitY has responded positively to the incident by trying to encourage an indigenous replacement for the Zoom software. It has announced a prize of Rs 1 crore for this.

Naavi

(Link to the article in the magazine is here)
