Regulators urge video conferencing firms to review security procedures

Six data authorities send an open letter to the industry, suggesting the COVID-19 pandemic has given rise to new risks

Data protection authorities from across the world have urged video conferencing providers like Zoom and Microsoft to review their privacy, security and data protection policies.

With many more individuals relying on video conferencing during the COVID-19 pandemic, six data regulators, including the Information Commissioner’s Office (ICO), have set out several principles these firms should focus on.

Since countries were thrust into lockdown, people have looked to the likes of Zoom, Microsoft Teams, Google Hangouts and Skype, among others, to maintain normality and stay connected in their personal and professional lives.

These companies have been told to urgently review security, privacy-by-design and default, which audiences are using their services, how transparent these companies are over data incidents, and how much control end-users retain.

“We recognise that VTC companies offer a valuable service allowing us all to stay connected regardless of where we are in the world,” the open letter said. It has been co-signed by regulators from the UK, Canada, Hong Kong, Switzerland, Australia and Gibraltar. 

“But ease of staying in touch must not come at the expense of people’s data protection and privacy rights. The principles in this open letter set out some of the key areas to focus on to ensure that your VTC offering is not only compliant with data protection and privacy law around the world, but also helps build the trust and confidence of your userbase.”

Zoom, in particular, has been at the centre of a series of high-profile security shortcomings since it rose to prominence at the start of lockdown several months ago. These issues even led to a handful of organisations and national governments banning use of the platform for video communications. 

The company would argue that it’s well on course to rectify these security and privacy shortcomings, taking several measures including rolling out end-to-end encryption and adding server routing controls.

Nevertheless, the six data authorities want companies like Zoom to write back by 30 September to demonstrate how they are taking the principles outlined into account in the design and delivery of their services.

In terms of security, the authorities claim to have observed some worrying reports of security flaws that have led to the unauthorised access of personal data. Security measures, therefore, should be given extra consideration, with providers constantly aware of new security risks and threats.

Measures they can implement include requiring users to regularly update their platforms to the latest version and reviewing how information is processed by third parties, including in countries abroad.

Privacy-by-design, meanwhile, should be implemented by adopting the most privacy-friendly settings for users by default, effectively erring on the side of caution. Some examples include clearly announcing new callers and setting video and audio feeds to ‘muted’ on entry.

That video conferencing has become vastly more widespread also means there are many examples of groups and individuals using services that weren’t originally designed for them. This may create new risks, the regulators say. One perfect example of this is Zoom being used for remote teaching, which gave rise to the ‘Zoombombing’ phenomenon.

“We expect to receive responses to the open letter from the five VTC companies to which it was sent directly. We invite VTC companies to demonstrate and explain how they are taking steps towards providing more privacy-focused VTC solutions, and compliance with global privacy expectations,” an ICO spokesperson told IT Pro.

“Should concerns remain, the signatories will engage with the VTC companies to support them in their understanding and implementation of the principles in the letter. The signatories all have an overarching objective to ensure the personal data of their respective citizens are handled safely and in compliance with the laws they regulate.

“The principles set out should promote the safe handling of personal data and, where we receive evidence that this is not the case, we can use this to inform our regulatory decision making.”
