Regulators urge video conferencing firms to review security procedures

Six data authorities send an open letter to the industry, suggesting the COVID-19 pandemic has given rise to new risks

Data protection authorities from across the world have urged video conferencing providers like Zoom and Microsoft to review their privacy, security and data protection policies.

With many more individuals relying on video conferencing during the COVID-19 pandemic, six data regulators, including the Information Commissioner’s Office (ICO), have set out several principles these firms should focus on.

Since countries were thrust into lockdown, people have looked to the likes of Zoom and Microsoft Teams, Google Hangouts and Skype, among others, to maintain normality and stay connected in their personal and professional lives.

These companies have been told to urgently review security, privacy-by-design and default, which audiences are using their services, how transparent these companies are over data incidents, and how much control end-users retain.

“We recognise that VTC companies offer a valuable service allowing us all to stay connected regardless of where we are in the world,” the open letter said. It has been co-signed by regulators from the UK, Canada, Hong Kong, Switzerland, Australia and Gibraltar. 

“But ease of staying in touch must not come at the expense of people’s data protection and privacy rights. The principles in this open letter set out some of the key areas to focus on to ensure that your VTC offering is not only compliant with data protection and privacy law around the world, but also helps build the trust and confidence of your userbase.”

Zoom, in particular, has been at the centre of a series of high-profile security shortcomings since it rose to prominence at the start of lockdown several months ago. These issues even led to a handful of organisations and national governments banning use of the platform for video communications. 

The company would argue that it’s well on course to rectify these security and privacy shortcomings, taking several measures including rolling out end-to-end encryption and adding server routing controls.

Nevertheless, the six data authorities want companies like Zoom to write back by 30 September to demonstrate how they are taking the principles outlined into account in the design and delivery of their services.

In terms of security, the authorities claim to have observed some worrying reports of security flaws that have led to the unauthorized access of personal data. Security measures, therefore, should be given extra consideration, with providers constantly aware of new security risks and threats. 

One measure they can implement is requiring users to regularly update their platforms to the latest version and reviewing how information is processed by third parties, including in countries abroad.

Privacy-by-design, meanwhile, should be implemented by adopting the most privacy-friendly settings for users by default, effectively erring on the side of caution. Some examples include clearly announcing new callers and setting video and audio feeds to ‘muted’ on entry.

That video conferencing has become vastly more widespread also means there are many examples of groups and individuals using services that weren’t originally designed for them. This may create new risks, the regulators say. One perfect example of this is Zoom being used for remote teaching, which gave rise to the ‘Zoombombing’ phenomenon.

“We expect to receive responses to the open letter from the five VTC companies to which it was sent directly. We invite VTC companies to demonstrate and explain how they are taking steps towards providing more privacy-focused VTC solutions, and compliance with global privacy expectations,” an ICO spokesperson told IT Pro.

“Should concerns remain, the signatories will engage with the VTC companies to support them in their understanding and implementation of the principles in the letter. The signatories all have an overarching objective to ensure the personal data of their respective citizens are handled safely and in compliance with the laws they regulate.

“The principles set out should promote the safe handling of personal data and, where we receive evidence that this is not the case, we can use this to inform our regulatory decision making.”
