Six data protection and privacy authorities from countries in four continents have addressed an open letter to video teleconferencing (VTC) companies, asking them to re-evaluate how they safeguard the privacy rights and data of citizens around the globe.
With people tethered to their homes during the pandemic, videoconferencing services have seen a surge in use; including for staying in touch with friends and family and for hosting work meetings, online classes and virtual doctor appointments. However, the spike in demand has also been accompanied by reports of security issues faced by some of the platforms, as well as by concerns directly being raised with the regulatory bodies themselves.
“The purpose of this open letter is to set out our concerns, and to clarify our expectations and the steps you should be taking as VTC companies to mitigate the identified risks and ultimately ensure that our citizens’ personal information is safeguarded in line with public expectations and protected from any harm,” according to the letter, signed by privacy commissioners and regulators from Australia, Canada, Gibraltar, Hong Kong, Switzerland, and the United Kingdom.
The letter highlights five principles VTC companies should focus their attention on – security, privacy-by-design, knowing their audience, transparency and fairness, and end-user control. It is intended for all companies providing videoconferencing services; however, Microsoft, Cisco, Zoom, House Party and Google have been sent the letter directly.
The regulators expect companies to secure user data by implementing certain security safeguards as standard, such as end-to-end encryption for all communication and two-factor authentication for logins, as well as by requiring users to create strong passwords. Prompting people to regularly update to the newest version of their communication client is also expected of the VTC platforms.
“Particular attention should also be paid to ensuring that information is adequately protected when processed by third-parties, including in other countries,” reads the letter. Its signatories also acknowledge that the pandemic has led to VTC platforms being used in ways that are different from those they were designed for, which may open doors to unanticipated threats. They encourage the companies to review these new use-cases and implement necessary data protection and privacy measures accordingly.
“This is particularly important when it comes to children, vulnerable groups, and contexts where discussions on calls are likely to be especially sensitive (in education and healthcare for example), or when operating in jurisdictions where human rights and civil liberty issues might create additional risk to individuals engaging with the platform,” said the commissioners.
Where transparency and fairness are concerned, companies are asked to be up-front about what data they collect and how they handle it. The letter goes on to warn that failing to do so may lead to law violations and breaches of user trust. The privacy regulators expect to receive answers from the companies by September 30th, 2020.