Regulators urge video conferencing firms to review security procedures

people sitting at a meeting room table watching video conference screen
Video conferencing established in a workplace

Data protection authorities from across the world have urged video conferencing providers like Zoom and Microsoft to review their privacy, security and data protection policies.

In the wake of many more individuals relying on video conferencing during the COVID-19 pandemic, six data regulators, including the Information Commissioner’s Office (ICO), have set out several principles these firms should dwell on.

Since countries were thrust into lockdown, people have looked to the likes of Zoom and Microsoft Teams, Google Hangouts and Skype, among others, to maintain normality and stay connected in their personal and professional lives.

These companies have been told to urgently review security, privacy-by-design and default, which audiences are using their services, how transparent these companies are over data incidents, and how much control end-users retain.

“We recognise that VTC companies offer a valuable service allowing us all to stay connected regardless of where we are in the world,” the open letter said. It has been co-signed by regulators from the UK, Canada, Hong Kong, Switzerland, Australia and Gibraltar.

“But ease of staying in touch must not come at the expense of people’s data protection and privacy rights. The principles in this open letter set out some of the key areas to focus on to ensure that your VTC offering is not only compliant with data protection and privacy law around the world, but also helps build the trust and confidence of your userbase.”

Zoom, in particular, has been at the centre of a series of high-profile security shortcomings since it rose to prominence at the start of lockdown several months ago. These issues even led to a handful of organisations and national governments banning use of the platform for video communications.

The company would argue that it’s well on-course to rectifying these security and privacy shortcomings, taking several measures including rolling out end-to-end encryption and adding server routing controls.

Nevertheless, the six data authorities want companies like Zoom to write back by 30 September to demonstrate how it is taking the principles outlined into account in the design and delivery of their services.

In terms of security, the authorities claim to have observed some worrying reports of security flaws that have led to the unauthorized access of personal data. Security measures, therefore, should be given extra consideration, with providers constantly aware of new security risks and threats.

One measure they can implement is requiring users to regularly update their platforms to the latest version and reviewing how information is processed by third-parties, including in countries abroad.

Privacy-by-design, meanwhile, should be implemented by adopting the most privacy-friendly settings for users by default, effectively erring on the side of caution. Some examples include clearly announcing new callers and setting video and audio feeds to ‘muted’ on entry.

That video conferencing has become vastly more widespread also means there are many examples of groups and individuals using services that weren’t originally designed for them. This may create new risks, the regulators say. One perfect example of this is Zoom being used for remote teaching, which gave rise to the ‘Zoombombing’ phenomenon.

An ICO spokesperson said: “We expect to receive responses to the open letter from the five VTC companies to which it was sent directly. We invite VTC companies to demonstrate and explain how they are taking steps towards providing more privacy-focused VTC solutions, and compliance with global privacy expectations. Should concerns remain, the signatories will engage with the VTC companies to support them in their understanding and implementation of the principles in the letter. The signatories all have an overarching objective to ensure the personal data of their respective citizens are handled safely and in compliance with the laws they regulate. The principles set out should promote the safe handling of personal data and, where we receive evidence that this is not the case, we can use this to inform our regulatory decision making.”

An ICO spokesperson said: “We expect to receive responses to the open letter from the five VTC companies to which it was sent directly. We invite VTC companies to demonstrate and explain how they are taking steps towards providing more privacy-focused VTC solutions, and compliance with global privacy expectations. Should concerns remain, the signatories will engage with the VTC companies to support them in their understanding and implementation of the principles in the letter. The signatories all have an overarching objective to ensure the personal data of their respective citizens are handled safely and in compliance with the laws they regulate. The principles set out should promote the safe handling of personal data and, where we receive evidence that this is not the case, we can use this to inform our regulatory decision making.”

“We expect to receive responses to the open letter from the five VTC companies to which it was sent directly. We invite VTC companies to demonstrate and explain how they are taking steps towards providing more privacy-focused VTC solutions, and compliance with global privacy expectations," an ICO spokesperson told IT Pro.

"Should concerns remain, the signatories will engage with the VTC companies to support them in their understanding and implementation of the principles in the letter. The signatories all have an overarching objective to ensure the personal data of their respective citizens are handled safely and in compliance with the laws they regulate.

"The principles set out should promote the safe handling of personal data and, where we receive evidence that this is not the case, we can use this to inform our regulatory decision making.”

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.