The rise of video conferencing – what the ICO and NCSC want you to watch out for
The coronavirus outbreak has made use of video conferencing widespread across the world. It is still, for many, the primary means of staying connected with colleagues and clients. As a reflection of how popular the practice has become, it has been widely reported recently that Zoom’s revenues alone have leapt a staggering 355% to $663.5m (£496.3m) for the three months ending 31 July, whilst its profits have soared to $186m and its customer growth rose a huge 458%, compared with the same period in 2019.
However, the increased demand and ubiquitous use of this way of communicating have triggered some concerns that privacy and security are being compromised for the sake of convenience. The ability to see into people’s homes and to record video and voice calls clearly has privacy and security implications.
In April, the ICO’s Director of Assurance, Ian Hulme, published a blog to highlight the key privacy issues businesses should be looking at when using video conferencing.
First, he recommends checking and using the privacy and security settings so that there is transparency for users, that is, they should know how their data is being processed. Users will also need a choice and control over how their data is used.
Other suggestions include restricting attendance of meetings by passwords as well as controlling when people can join and restricting who can share screens during the video conference. The Director of Assurance also suggests businesses look at the ways in which meeting passwords and IDs are shared. These choices should be made before the meeting starts and staff should be provided with clear advice on what settings to use and how.
The ICO also recommends businesses stay vigilant against the risks of phishing via video conferencing. This could take the form of a link or attachment sent via a live chat feature, and so, it is advised that people make sure they only click on links and attachments they are expecting from meeting attendees they recognise.
Businesses should also make sure their privacy policies accurately reflect their use of video conferencing platforms as a way of processing personal data. If calls are being recorded this should be reflected in the policy and it is prudent for participants to be given a short message and link to the privacy notice in the meeting invite and registration page.
Making sure video conferencing software (and indeed all software) is up to date is also mentioned as an effective way of ensuring security of the system. This includes making sure updates are applied regularly. If video conferencing is accessed via a web browser, then the browser will need to be kept up to date as well.
There should also be an ongoing assessment of the tools or services being used for video conferencing so as to ensure the tool or service is the right one for the job.
Separately, on 21 April 2020, the NCSC published security guidance for organisations on choosing, configuring and implementing video conferencing services. Like the ICO blog, this guidance stresses the need to choose the right service to ensure the calls and any other data shared in meetings are protected. The guidance recommends businesses:
follow the NCSC’s Cloud Security Principles where meetings are sensitive and fully understand the encryption model their chosen service provider uses;
ensure the service actually works as the service provider describes;
understand where data is going and who has access to it, given that cloud-based video conferencing services often store and process data in their data centres in several countries;
in deploying and configuring the service, set company-wide defaults and controls where possible and ensure the right settings are applied whilst balancing user needs with security;
provide clear guidance to staff on how to use video conferencing securely;
ask staff users to test that the service is working before using it for real meetings and ensure they are familiar with how to mute the microphone and turn off the camera;
ask staff to treat meeting joining details as being as sensitive as the meeting itself, to consider blurring their background or using a background image to enhance personal privacy and to learn to recognise when their webcam is activated and when calls are being recorded;
ensure meeting organisers/hosts consider which features are appropriate for the meeting and whether these should be limited to a subset of participants; and
ensure organisers and hosts restrict access to the meeting joining details to participants only.