The Legal Arc Volume 1 Issue 1 Articles
Anushka Bhardwaj is a second-year law student at NMIMS Kirit P. Mehta School of Law, Mumbai. Her area of research interest is (cyber) Constitutional Law.
Rashi Goel is a second-year law student at NMIMS Kirit P. Mehta School of Law, Mumbai. Her area of research interest is cyberlaw.
Michel Foucault’s panopticon penitentiary has been an esteemed surveillance model in academic circles. It allows a monitor to observe every prisoner in a penitentiary from a central tower. Monitors did not always see an inmate but they could at any time, without being noticed by the inmate. The panoptic setup was based on Bentham’s principle of power which reads as follows: “Power should be visible and unverifiable”. This renders the inmate in a state of permanent consciousness and visibility hence assuring the automatic functioning of power.
Social media or any form of internet data mining is deemed analogous to a panopticon. The users are economically and politically alienated by stripping them off standard rights to participate in the decision-making process of how their data is utilized to supposedly benefit them. Similar to a panopticon in information society, one is seen without seeing and the observer sees everything without being seen. It leads to concentration of power since the number of people who exercise the power is reduced and the number of those on whom it is exercised increases manifolds. Furthermore, its strength is that a panopticon never intervenes and exercises clandestinely.
In such a setup, power is reduced to its absolute form. In an information society, users are trapped in an ingenious cruel cage where the idea of foregoing technical means of communication and interaction threatens them with isolation and social disadvantages. Surveillance of any kind infringes on the principles of right to privacy, and the right to be left alone, especially surveillance by private bodies.
Clearview AI (“Clearview”) is an American technology company that uses facial recognition to purportedly help investigate crimes. The company has a database of billions of pictures of people scraped from a multitude of websites like social media networks, online journalism, etc. It claims to provide law enforcement agencies an access to this database for investigation of criminal prosecution.
The primary contention with Clearview’s arbitrary profiling of people is the blatant infringement of the latter’s right to privacy, right to personal security, and the right to be left alone. The application (“App”) collects data belonging to all individuals indiscriminately. Impressively egalitarian in its approach, what the company does not take into account is that these people whose data is being scraped for no discernible purpose, are innocent individuals. These people are unknowingly, without their permission, under the surveillance of a private organisation who has no authority over the subject matter. The data processing beyond being non-consensual is also unethical and illegal.
The app’s claim that it only shares data with law enforcement systems is as spurious as its data sharing procedure is unaccountable. A leaked client list reveals that the clientele of the impugned company, apart from including law enforcement agencies such as the FBI and Interpol, includes non-law enforcement outfits as well. Several companies like Walmart, Macy’s, Busy Buy, the NBA, and college security departments have access to the technology.
To gather clientele, Clearview is not only providing access to these organizations or actual executive agencies but to individuals within these organizations without being in unison with the management of these organizations.
The global outbreak of a novel Coronavirus, SARS COV-n2 causing COVID-19, has led to industries around the world transitioning to teleworking, or work from home (“WFH”) modes. Naturally, such a transition requires robust online platforms to accommodate such a shift. A host of online audio-visual, multi-party streaming platforms provided for digital offices, boardrooms, classrooms, and courtrooms.
The Case of Zoom
Of them, Zoom Video Communications with their platform, Zoom, rose to mainstream prominence. Espousing the versatility of their platform, Zoom promises effective remote working, education, hosting virtual events, and telehealth over its platform. However, in light of the astronomic rise of Zoom, its history and its future cannot be ignored.
“Hosts can see an indicator in the participant panel of a meeting or webinar if an attendee does not have Zoom Desktop Client or Mobile App in focus for more than 30 seconds while someone is sharing a screen. In focus means the user has the Zoom meeting view open and active”, reports Zoom’s Help Centre. This feature has since been removed.
The old policy explicitly clarifies that yes, Zoom does collect identifiable personal data, regardless of if the user has a Zoom account; from either the user themselves, or any other host, participant or caller. Furthermore, the old policy states that personal data is collected by third-parties as well, and that logging in using a third-party application allows access to personal data.
In addition to the aforementioned breaches, the old policy permits passive collection of data without the explicit permission of the user. The old policy admits to allowing the data collected to be used for targeted advertisements. Subsequent to the rather cheeky “Depends what you mean by sell”, the old policy states that “Standard Advertising Tools” are used to improve user experiences, i.e. “serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services”. Shockingly, the old policy admits that their data use may constitute sale in some legal sense of the word, and that the same is permissible as that is the historical mode of operation of advertisements.
The old policy is silent on the matter of data sent to Facebook, yet the iOS app sends data to Facebook regardless of whether the user has a Facebook account. Data items, such as when the user opens the app, details on the user’s device, such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user’s device which companies can use to target a user with advertisements are sent to Facebook.
Reacting to the bad press about the platform, Zoom made “improvements to Facebook login”. In addition, in the following 2 days, Zoom deleted the code (“Facebook SDK”) that allowed Facebook to access data.
Zoom meetings do not have end-to-end encryption, in spite of contrary claims in its security white paper. Instead, Zoom employs transport encryption, which allows Zoom to access all contents of the meeting. Zoom has been accused of leaking personal information, including their email address and photo(s), due to issues in Zoom’s company directory setting. The directory adds all users with similar email domains to a common company directory under the assumption that each email corresponds to an employee in a common company. However, thousands of Zoom users registered with their personal emails have had their data leaked due to this. Zoom claims that the company directory lists users in the same organisation, either using the same account or the same email domain.
Furthermore, Zoom deflects the liability for the controversial ‘Attention Tracker’ feature on the hosts of meetings. Finally, the new policy definitively answers the same question of “Does Zoom sell Personal Data?” with “We do not sell your data.” However, it maintains the same caveat of its data use being considered as ‘Sale’ under the supposedly broad ambits of statutes such as the CCPA, and that the definition is contrariwise to traditional advertisement practices.
THE FUTURE OF DATA PROTECTION
In light of its privacy conundrums, Zoom is under scrutiny by the office of New York’s Attorney General, Letitia James. The office inquired about Zoom’s security measures by letter on March 30, 2020.
As a consequence of its prima facie questionable conduct, Clearview is under fire. Technology giants the likes of Facebook have initiated litigation against Clearview. Google; its subsidiaries YouTube, Twitter, and Facebook have issued cease and desist notices against Clearview to cease data scraping. To that, the CEO of Clearview, Hoan Ton-That has claimed that Clearview has a First Amendment right to collect data in the public domain.
GDPR limits the processing of personal data relating to criminal convictions and offences to official authorities. At present, the USA lacks a federal privacy law. Regardless, the authorities are taking action against Clearview’s conduct. To that end, New Jersey has barred its police department from using Clearview and the Office of Attorney General of New Jersey, Gurbir Grewal sent Clearview a cease-and-desist letter as well, particularly disturbed by the company’s collection and sale of children’s facial recognition data. Citizens of Illinois have also filed a class action lawsuit against Clearview, outraged at the collection of their biometric data without their permission.
 Michel Foucault, Discipline and Punish, 201 (2nd ed., 1995).
 Ibid. 203.
 Ibid. 206.
 Ibid. 205.
 “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.” US Constitution (1st Amendment).