Videoconferencing: How can you ensure privacy and security?
Beware of the risks – like ‘Zoombombing’ – and measures you can take to prevent them
Videoconferencing is a critical component of our new normal. Society is using it in record numbers to connect with family and friends, engage in remote education, sustain our businesses, participate in social gatherings, and for a multitude of other purposes.
Like any technology, if not properly managed, video conferencing poses risks to the privacy and the security of our personal information. Businesses and individuals using the technology should be aware of those risks, and implement appropriate safeguard to mitigate or prevent them.
Access and security controls
“Zoombombing” is the newest neologism to enter our lexicons, and the most common insecurity. The term derives from a prominent the videoconferencing application Zoom, which exploded from about 10 million to 200 million users practically overnight.
To participate in a Zoom or other video conference (like Skype, GoToMeeting, Google Hangouts/Meet, Microsoft Teams, Slack, Cisco WebEx, etc.), the meeting organizer typically emails a link to attendees. However, without proper controls, the link can be used by anyone to access the conference, and sometimes links are publicized on the websites and social media, particularly if meetings are public.
Hackers acquire links to videoconferences to steal personal information (like names, emails, and contact information), and valuable confidential business information available as a part of those meetings. They also can disrupt meetings by overwhelming attendees with offensive content (typically pornography or hateful images), causing the meeting to terminate. Predators and thieves also covertly penetrate videoconferences to gather information about children engaging in remote education or connecting with friends, and to acquire detailed video information useful for burglary.
These dangers are exacerbated if hackers have installed malware on computers or mobile devices that permit them to control of the cameras and microphones.
Most videoconferencing applications have controls that can be configured to mitigate such dangers. For starters, all conference transmissions should be encrypted. Moreover, organizers can require attendees to enter passwords to access meetings, and can restrict or eliminate the ability of participants to share content.
Conferences also can be established with virtual waiting rooms, permitting organizers to admit only intended participants, or as webinars rather than meetings, restricting the ability of attendees to distribute content or interact with each other.
Notice, consent and secure retention
Videoconference applications commonly either automatically record or permit recording of the content. Given the vast quantities of sensitive information exchanged using this technology, such recording raises significant privacy and security issues.
Privacy laws require meeting organizers to notify participants and (in some situations) obtain consent to collect, use and disclose the personal information acquired about participants. State and federal wiretap laws likewise require consent to record and store certain audio and electronic communications.
As a result, meeting organizers should integrate appropriate notice into all videoconferences, technologically require express consent from participants whenever private meetings are recorded, and obtain at least implied consent from attendees of recorded webinars.
Recorded videoconferences also should be securely stored, and the applications permit a variety of retention methods, such as on a cloud, device hard drive or server. Meeting organizers should ensure that the retention method selected is secure, including encryption of the recordings and such hard drives, and use of strong passwords and multi-factor authentication to access such clouds and networks. Additionally, organizers should technologically limit or prevent meeting participants from making their own recordings.
Due diligence and agreements
Most videoconference providers disclose on their websites the privacy and security controls inherent in their applications, and provide instructions about how to configure such controls. Before using these applications, businesses and individuals should do due diligence to ensure that the controls are sufficient for their particular uses of the technology, and enable them to comply with the privacy and security laws that apply to them as well as the individuals who may participate in videoconferences.
Some videoconference providers also will sign agreements with users that are designed to comply with privacy and security laws, including domestic laws like HIPAA, the Child Online Privacy Protection Act and the California Consumer Protection Act, as well as foreign laws like the European Union General Data Privacy Regulation.
The coronavirus crisis presents a multiplicity of challenges and risks. As society increasingly adopts technologies like videoconference to facilitate our new normal, we all must implement appropriate measures to ensure that the use of these technologies does not endanger the privacy or security of our families, friends, businesses, customers and each other.
Attorney Cam Shilling chairs McLane Middleton’s Information Privacy and Security Practice Group.