The COVID-19 pandemic has brought unprecedented technological challenges, particularly in how we engage with others through technology. Platforms such as Zoom, Microsoft Teams, Cisco Webex, Google Hangouts Meet, Skype and BlueJeans have become increasingly popular worldwide among businesses and individuals.
The global pandemic has changed the vast majority of the population's behaviour patterns, particularly the manner in which we work. From flexible working arrangements now implemented as part of businesses' policies, to the newly coined abbreviation "WFH", it's evident how the business world has changed from this remote working standpoint.
Despite the opportunities and benefits that have emerged from these digital solutions, such as the increasing volume of users, the ease of virtual meetings and the rising stock prices of video conferencing companies, privacy risks and surrounding security issues have also increased. Recent trends show accelerated growth in the risks associated with the collection and use of individuals' and companies' personal information.
PRIVACY RISKS
As witnessed from the 2020 Zoom boom, video teleconferencing provides an incredibly valuable service for businesses whose staff are working from home or individuals that wish to stay connected to family. However, this ease of digital connection has come at the potential expense of users' data protection and privacy rights.
Who is in your room?
Zoom and other video conferencing platforms have suffered serious security issues where hackers have gained access to private meetings allowing other users to be forced into meetings without their knowledge or control (who could forget Hamish Blake's "Zoom for One More" antics).
Risks arise because:
- some platforms, such as Zoom, use randomly generated ID numbers for users to access meetings, with passwords being optional. This allows anyone to enter the meeting that has access to the code;
- some platforms configure private conferencing rooms in a way that is easy to guess, provided you know the name of the company and the person's name; and
- there is a lack of control around access to meetings that allows other users to gain access to a meeting they are not a participant in.
What exactly are you sharing?
Further, when considering video conferencing companies' terms and conditions closely, it appears that some of these platforms are collecting large amounts of data to enhance their own systems and provide useful features for users. For example, during a scheduled meeting, Zoom actively collects audio recordings and text transcriptions, network information and detailed monitoring of what users are viewing on their screen (with the stated use of this data being to provide the services, communicate with customers and provide support).
The increasing concern with these video conferencing platforms is the privacy implications where personal information is collected without consent from its users. Zoom's privacy policy outlines that by merely using the service, regardless of whether attendees have an account or not, personal information will be collected. This includes:
- the use of "attendee tracking" on various platforms which allows meeting hosts to track whether participants are viewing other windows on their computer during a meeting (no more glancing at the news headlines during your weekly WIP meeting);
- being aware of any sensitive or confidential information that is being shared via the "share screen" function on video conferencing platforms;
- being aware that not all video conferencing apps can guarantee end-to-end encryption for their meetings;
- the risks that can arise from users not regularly updating their video conferencing software. This is vital as often updates address security vulnerabilities in the software; and
- understanding that deleting a video conferencing app from your device does not necessarily prevent your data from being accessed.
It is essential with the increasing shift to remote working that users are aware of the privacy risks and are cautious to ensure online platforms are secure and their use of those platforms is secure.
So what should you be doing?
- Do your due diligence before choosing your primary video conferencing platform. Considerations should include:
  - reviewing key provisions in each video conferencing platform's privacy policy and terms and conditions to understand how your information will be handled. For example, what information is being collected about you? Does the privacy policy limit the platform from using your information for purposes other than providing its service? Does the conferencing service share your information with advertisers or with other third parties? If data (such as files or messages) are shared during a conference, what happens to that material following the conference? What plans and protocols does the provider have in place if there is a data breach?
  - the sorts of practical controls you can implement to prevent unintended access to your conferences and data. This may include things such as requirements for participants to enter passwords, displaying the phone number/email address that participants use to dial in, and locking rooms once conferences have started so that additional participants can only join with permission;
  - the provider's offerings around support services (and their track record for meeting those commitments); and
  - other relevant business considerations such as whether there are limitations around the platforms which your key clients or suppliers can use. For example, some government bodies are restricted to certain platforms on the basis of security concerns, so to the extent you frequently have conferences with those clients or suppliers, it may be beneficial to use the same platforms as they do;
- Once you have chosen your primary platform, take advantage of tools that attracted you to the solution, such as those that limit access to meetings. For example, enabling the "waiting room" function to control access to participants entering the meeting or features that require users to generate unique conferencing codes (rather than sharing their "personal room" details) and passwords if external participants are being invited;
- Take a roll-call: check who has dialled into your conference. If you do not recognise a name or number, ask who it is (and keep an eye and ear out for additional participants as the conference progresses). Although, as with traditional teleconferences, you never quite know who else is in the background;
- Communicate the importance of confidentiality when conducting meetings with external parties who may not be as accustomed to confidentiality concerns as your business is;
- Ensure that any information shared during the "share screen" function excludes any sensitive or confidential information;
- In the event of the meeting being recorded, ensure all participants are aware and have consented to the content being recorded. For example, Microsoft Teams displays a banner at the top of the viewing window which states "Recording has started. This meeting is being recorded. By joining, you are giving consent for this meeting to be recorded." The company's privacy policy is also hyperlinked in the display banner;
- If certain types of video conferencing (e.g. to discuss particularly sensitive information) are only permissible among people within an organisation, consider whether the platform can only be used on company devices rather than "bring your own devices" such as personal phones; and
- Update your internal policies and procedures to deal with the increased use of video conferencing platforms, including what you would do if there is a data breach, unauthorised attendee or an accidental disclosure of a document.
REFORM AND WHAT'S NEXT?
Now that the world has accepted "WFH" is here to stay and employees continue to demand flexible working arrangements, privacy authorities worldwide have been working together to look at data protection issues associated with video teleconferencing platforms. As a result, six of the world's privacy commissioners, including the Office of the Australian Information Commissioner, have published an open letter to video teleconferencing companies to apply vigilance to their privacy obligations for the users of these platforms, ensuring compliance in handling their users' personal information. The letter provides video teleconferencing companies with guidance in addressing some of the fundamental privacy risks and makes recommendations for ensuring personal information is being adequately protected. The open letter is directed at all video conferencing companies, and was sent directly to Microsoft, Cisco, Zoom, House Party and Google.
Further, the overriding conclusion of the Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry Report, which examined the impact of digital platforms, is the need for reform in Australia. The ACCC has recommended changes to the Privacy Act 1988 (Cth) (Privacy Act), such as imposing higher standards for consent and privacy notices. On the basis of the Digital Platforms Inquiry Report, the Australian Government has agreed to conduct a general review of the Privacy Act, focusing on ensuring the protection of personal information and data.
KEY TAKEAWAYS
Since the recent escalation of remote working and increased video conferencing, it is important that the privacy policies of the platforms being used are understood, enabling users to utilise security features and ensuring end-to-end encryption is maintained.
Keep the risks, and suggested mitigation strategies outlined above, in mind. However, if confidentiality is critical, understand that video conferencing may not be the best option and that a traditional face-to-face meeting (restrictions allowing) may be the most secure option.
Special thanks to Emily Stone, Lawyer, for her assistance in putting this article together.