Video Conferencing Privacy

Video conferencing apps have become unprecedentedly popular globally in the midst of the COVID-19 pandemic. A number of security and privacy concerns about the apps have, however, been revisited, such as intruders displaying indecent contents during video conferences, attention tracking of users, sharing of users’ data with third parties without users’ consent, lack of end-to-end encryption and routing of video conference data through other places. How should one select and use these apps safely from a personal data privacy perspective?

The use of video conferencing apps has not been a hot topic until recent months, when the demand for video conferencing services skyrocketed resulting from the need for social distancing occasioned by the COVID-19 pandemic. According to one particular video conferencing app, its daily video conference participants rose from around 10 millions at the end of December 2019 to more than 300 millions in April 2020. Video conferencing apps are widely used for business meetings and online lessons, not to mention families and friends physically apart getting in touch virtually with one another. The surge in the number of amateur users, together with the ease and convenience to use, has expectedly created opportunities for bad actors to exploit the vulnerabilities of the apps, notably by disrupting video conferences with unbefitting contents. A report published on 30 April 2020 by Consumer Reports (an American non-profit consumer organisation) revealed that other privacy issues of video conferencing apps included collecting users’ data in video conferences for building users’ profiles and sharing users’ data with third parties. Cyberattacks including hacking and phishing remained the usual concerns. Reportedly some local tertiary education institutes and public authorities ceased using a popular video conferencing app as a result.

Functions and Measures

Functions and features provided by different video conferencing apps are similar, such as allowing users to (1) create a unique meeting ID and password for each video conference, (2) share screen and documents with other participants during a video conference, (3) record video conferences and (4) remove or mute participants by the hosts. Meanwhile, some privacy protection and security measures of the apps may differ. When choosing video conferencing apps, users should check whether the privacy protection and security measures provided by the app would be sufficient and adequate for their purposes. Some general safety measures include: (1) using end-to-end encryption, (2) choosing data centre locations, (3) providing a virtual waiting room to authenticate participants, (4) locking a meeting after all participants have joined, (5) controlling who may share screen and documents with others, and (6) using a virtual background or blurring the background during a meeting so that nothing in the background would reveal private information. Users should also review and understand the privacy policies and terms of use of the apps, which are set out as required by law, such as (1) with whom users’ data may be shared, (2) the intended uses of users’ data (eg profiling of the users and advertising), and (3) the retention period of users’ data. Users should review and understand, in particular, that the video conferencing providers would collect, use and disclose personal data from those who set up an account or participate in a video conference call. 

Due Diligence

When using video conferencing apps, the host is advised to deploy all available privacy protection and security measures. Other precautionary measures may include (1) disabling telephone dial-in, (2) disabling video recording functions, (3) disabling file transfer and allowing only the host to share screen, (4) disallowing participants to join a meeting before the host, (5) using and periodically updating a unique and complex password without repeating the same for a video conferencing account, and (6) avoiding announcing meetings on social media platforms or websites and (7) providing the meeting ID and passwords to the intended participants only. 

For participants of a video conference, they should (1) join the conference as guests without signing up for user accounts in order to reduce digital footprints. If signing up for user accounts is inevitable, they should (2) create new email addresses for registration and avoid using the same email addresses previously assigned for other more important matters, such as e-banking. The participants should also (3) turn off their cameras and microphones if they are not needed and (4) refrain from discussing unnecessary private information during a video conference. To prevent others from overhearing the conversation, (5) headphones should be used. (6) Voice-controlled smart home assistants should be turned off during a video conference to avoid accidentally triggering the recording function of the devices. 

If a web browser is used to conduct a video conference, (1) a new window should be opened for the conference and all other applications such as email should be closed to prevent inadvertently disclosure of information. As a matter of course, (2) only the most updated software or mobile app with the latest security features should be used. (3) News stories about the video conferencing app of choice should be followed for the latest security threats and software updates.

Privacy by Design

As a remedial step after a recent privacy and security saga, a popular video conferencing app has been committed to adopting more privacy friendly measures such as (1) removing the function of user attention tracking, (2) ceasing the sharing of users’ data with a social media company and (3) allowing a host to choose data centre regions for routing the data of the video conferences.

Video conferencing apps and their vulnerabilities are classic examples demonstrating the importance of privacy by design and security by design. If app developers and service providers had identified and addressed all the privacy and security issues before they launched their services, it could have saved all the subsequent hassles. Transparency and explainability are pivotal. Similarly, if organisations explained fully and clearly in a language that a person in the streets of Mong Kok would understand how they used and protected his data, it would certainly gain users’ trust and confidence. For guidance on Privacy by Design, PCPD and the Personal Data Protection Commission of Singapore jointly published the “Guide to Data Protection by Design for ICT Systems” (https://www.pcpd.org.hk//english/resources_centre/publications/files/Guide_to_DPbD4ICTSystems_May2019.pdf).

To be fair, some of the video conferencing apps were not designed for meetings with confidential information or sensitive content. While convenience and user-friendliness of the apps are appealing, particularly given the very difficult face-to-face communications during the hard times of the COVID-19 pandemic, users and app developers must exercise vigilance and respect for privacy protection in order to minimise possible intrusion into privacy and prevent leakage of sensitive data.

While individuals remain vigilant, organisations should emphasise a culture of cybersecurity and compliance with the law, as well as accountability and data ethics. Given the potential personal data risks of video conferencing services, organisations and consumers are encouraged to adopt the suggestions and practices developed by PCPD (www.pcpd.org.hk). One may be minded to know what US National Security Agency had to say about “Selecting and Safely Using Collaboration Services for Telework” where an initial assessment of how 13 available commercial collaboration services would satisfy their security criteria was also made (https://media.defense.gov/2020/Apr/24/2002288653/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-SHORT-FINAL.PDF).

– Stephen Kai-yi WONG, Barrister, 
Privacy Commissioner for Personal Data, 
Hong Kong

Jurisdictions: 

Barrister, Privacy Commissioner for Personal Data, Hong Kong