How to mitigate the privacy issues of video conferencing platforms

The raise of video conferencing during Covid-19 crisis

A blessing in these uncertain times of social distancing is the ability to stay in touch with family, colleagues and clients through video conferencing apps. According to the latest statistics from App Annie, due to Covid-19, business conferencing apps have experienced record growth as they reached 62 million downloads during the third week of March 2020.

Video conferencing apps in the spotlight

Zoom and HouseParty have recently been in the spotlight due to privacy concerns. The former is used by organisations all over the world and it is facing now significant challenges in terms of data protection and cybersecurity, especially since the New York's Attorney General has questioned whether user privacy is sufficiently protected. Indeed, numerous users have cited the "Zoombombing" phenomenon, which consists of uninvited users joining private conference rooms to disturb the participants. Consequently, Zoom has publicly apologised about the platform's issues and has promised that they will work over the next coming weeks to make it right.

The security levels of HouseParty has also been under scrutiny with media reports citing numerous users who have claimed that security issues on the app have enabled fraudsters to access their accounts on other apps such as Spotify and that their emails and even bank accounts have been hacked. However, HouseParty have stated that there is no evidence of their systems being affected by any data breach and have even offered a $1 million bounty to the first person who can provide proof that they are the victim of a smear campaign. So, it will be necessary to see how his case evolves.

Mistakes that put your privacy at risk

Some common mistakes that can put your privacy rights at risks include:

· Not turning off the web camera when the system is not in use and not turning off the microphones after finishing the video conference.

· Making the directories public.

· Not using passwords to protect the system without preventing unauthorized users from accessing them.

Mitigating risks

The Irish Data Protection Commission published some tips to help not only individuals but also organisations to use video conferencing platforms in a safe manner:

As an individual you should:

· Software: Keep the software of the videoconferencing systems updated as well as antivirus updates.

· Choose the right too l: Prior using videoconferencing tools, do some research on them and use those platforms and service providers you know and trust and avoid using those ones which haven't been vetted by your employer. Take some time to read over the service's data protection policy to be aware of the purposes your personal data will be used for, who your data is being shared with and where it will be stored or processed, amongst other information. Take time to understand it before accepting the conditions to use the videoconferencing tool. In addition, if the information provided by the service supplier is not transparent or clear, you may want to take further steps, or consider another service.

· Location: Another important aspect to consider is to ensure your device is used in a safe location and that you disable desktop sharing and video reception by default when you leave the videocall or take a break.

· Privacy: keep in mind the data protection and privacy rights of others before you post or share a picture or video of a video-call that contains their data such as image, voice, or contact details.

As an organisation:

· Due diligence: Read and confirm you are happy with the privacy and security features of the services you use as organisation for work related communications and avoid ad-hoc use of apps or services by individuals.

· Overview: Ensure that all the accounts, email addresses, etc. used by your employees when using videoconferencing platforms are not personal contact details but work related.

· Policies: Provide clear and up-to-date organisational policies and guidelines to those employees who are using videoconferencing, so they know what steps to take to minimise data protection risks. One of the policies that would be helpful to have in place is a Data Protection, Incident Management and Disaster Recovery as well as policies regarding which services are used and how and offer through VPN or remote network access where possible.

· Security: Design and implement appropriate security measures such as access controls, secure password authentication procedures and limit use and data sharing to what is necessary.

· Limited sharing: Finally, when the data sharing can be eluded, such as locations, hyperlinks, etc., please avoid it.

Marta Dunphy-Moriel is a partner and Judit Garrido-Fontova is an associate in the data protection and privacy team at Kemp Little LLP, a technology and digital specialist law firm.