While the availability of video-conferencing technology has proven to be a boon for many given the challenges of working remotely during the COVID-19 pandemic, the use of such technology is not without privacy and security risks. Unfortunately some users have fallen victim to so-called “zoom bombing” or “zoom raiding” incidents whereby their business meetings were hijacked by Internet trolls or hackers that inserted racist, anti-Semitic, sexist, and/or profane imagery on their screens and chat boxes or otherwise disrupted their audio feeds. Many video teleconferencing platform providers were seemingly caught unawares, scrambling to shore up their security settings by hastily releasing updates in order to patch critical vulnerabilities and convince users that they could continue online collaboration safely without fear of unwanted intruders.
Global privacy regulators have taken notice of the headlines and spectacular stories of security flaws, and, in response on July 21, 2020, the Office of the Privacy Commissioner of Canada, along with five other data protection and privacy authorities (The U.K. Information Commissioner’s Office, The Office of the Australian Information Commissioner, The Gibraltar Regulatory Authority, The Office of the Privacy Commissioner for Personal Data, Hong Kong, China, and The Federal Data Protection and Information Commissioner of Switzerland)(“Privacy Regulators”), published an open letter (“Letter”) to companies offering video teleconferencing services (“VTC”) reminding them of their legal obligations to handle people’s personal information responsibly. The Letter is intended for all companies that offer video conferencing services, and it has also been sent directly to Microsoft, Cisco, Zoom, House Party and Google.
The Letter plainly states that its purpose is to set out the Privacy Regulators’ concerns and clarify their expectations and the steps they should be taking as VTC companies to mitigate the identified risks and ultimately “ensure that our citizens’ personal information is safeguarded in line with public expectations and protected from any harm.” It then proceeds to provide a non-exhaustive list of the data protection and privacy issues associated with VTC services. The Letter identified various key principles that should guide VTC companies, as set out below.
Security. Not surprisingly, security is listed as the Privacy Regulators’ premier concern. Security is a “dynamic responsibility,” and security vigilance by VTC organizations is paramount. The Privacy Regulators acknowledged the worrying reports of security flaws in the VTC products leading to unauthorized access to accounts, shared files, and calls and called for minimum standard safeguards to be deployed, including effective end-to-end encryption for all data communicated, two-factor authentication, and strong passwords. This will be especially important for VTC platforms in certain sectors that routinely process sensitive information, such as hospitals providing remote medical consultations and online therapists, or where the VTC service allows sharing of files and other media, in addition to the video/audio feed.
The Privacy Regulators also expect VTC providers to stay current, remain constantly aware of new security risks and threats to their VTC platforms, and “be agile in your response to them.” Users of the platforms should be routinely required to upgrade the version of the app they have installed, to ensure that they are up-to-date with the latest patches and security upgrades. Additionally, all information must be adequately protected when processed by third-parties, including in other countries.
Privacy-by-design and default. Consistent with the Canadian “privacy by design” approach to data protection and security, the Privacy Regulators note that data protection and privacy should be “baked into” VTC services—if they are mere afterthoughts in the design and user experience of a VTC platform, then there is a greater likelihood of failure that leads to “well documented accounts of unexpected third-party intrusion to calls.”
Accordingly, VTC companies should be taking a privacy-by-design approach to VTC platforms, making data protection and privacy integral to the services provided to customers. Practically, this means that the most privacy-friendly settings should be the default (similar to the principle of least privilege in cyber security). Settings should be prominent and easy to use (including implementing strong access controls as the default, clearly announcing new callers, and setting video/audio feeds as mute on entry); applying features that allow business users to comply with their own privacy obligations (including features that enable them to seek other users’ consent); and minimizing personal information or data captured, used, and disclosed by the product to only that information absolutely necessary to provide the service. Additionally, VTC providers should also undertake privacy impact assessments to identify the impact of their personal information handling practices on the privacy of individuals, and implement strategies to manage, minimize, or eliminate these risks.
Know your audience. The Privacy Regulators acknowledged that during the Covid-19 pandemic many of the VTC platforms were being used in ways for which they were not originally designed, creating unanticipated risks. Therefore VTC companies should now be reviewing the new and different environments and users of their platforms, in order to better understand and identify children, vulnerable groups, and contexts where discussions on calls are likely to be especially sensitive (in education and healthcare, for example), or when operating in jurisdictions where human rights and civil liberty issues might create additional risk to individuals engaging with the VTC services. As a follow-up step, VTC companies should assess the necessary data protection and privacy and requirements for all contexts in which their platforms are now being used, and implement appropriate measures and safeguards accordingly.
Transparency and fairness. As a result of several high-profile privacy breaches in recent years, the Privacy Regulators note that global audiences now have heightened community awareness (and expectations) regarding how companies should appropriately handle their personal information and use their data. VTC companies who fail to tell their customers how they use their information, or use the information unfairly or unreasonably, may therefore be in violation of the law in addition to forfeiting the trust of their users.
Accordingly, providers of VTC services should be up-front about what information they collect, how they use it, with whom they share it (including processors in other countries), and why. This is particularly relevant should the VTC do something with the user data that is not expected because it would not be seen as a core purpose of the VTC service. Such disclosure should be provided proactively, be easily accessible, and not simply buried in a privacy policy. Where express user consent regarding the handling of personal information is required, VTC providers should also ensure that such consent is specific and informed. VTC providers should also assess the impact any future changes to the VTC platforms will have and whether users should be made aware of these changes in order to ensure users can make informed decisions about how they use the platform going forward.
End-user control. While practically speaking end-users may often have little choice about the particular use of a VTC platform if their organization has already chosen to use or purchase a specific VTC service, users should be aware that some features of particular VTC platforms may raise the risk of covert or unexpected monitoring and should be better informed (and have more control) over these processes.
For example, users must understand if a VTC platform allows the host to collect their location data, track their engagement or the attention of participants generally, or record or create transcripts of calls. Ideally this is communicated to users through icons, pop-ups, or other measures, not just buried somewhere in the platform’s terms. Where possible, VTC companies should also include a mechanism for end-users to choose not to share that information, i.e. via opt-out, noting that opt-in mechanisms might be more appropriate in certain instances.
Conclusion. While it is clear that the Privacy Regulators recognize the value and importance of the services offered by VTC companies during the COVID-19 pandemic, the Letter reiterates that such solutions must not come at the expense of people’s data protection and privacy rights. Focusing on the key areas identified in the Letter will help VTC companies not only comply with applicable data protection and privacy laws but help build the trust and confidence of their customers and user base. The Privacy Regulators concluded the Letter by welcoming responses from VTC companies by September 30, 2020, asking them to demonstrate how they are taking these principles into account in the design and delivery of their services. Responses will be shared amongst the joint signatories to this letter. It remains to be seen whether the various VTC companies will take up the challenge posed by the Privacy Regulators.
Lisa R. Lifshitz
