Countries Team Up to Issue Video Teleconference Guidance
After Consulting With VTC Providers, Authorities Recommend End-to-End Encryption
The U.K. Information Commissioner's Office and the data protection and privacy authorities of Australia, Canada, Gibraltar, Hong Kong SAR, China and Switzerland have issued guidance to video teleconferencing - or VTC - companies on privacy, calling for end-to-end encryption and setting out recommendations on the secondary use of data and on data center locations.
In response to concerns about privacy safeguards with the increasing use of VTC services during the pandemic, the authorities drew up guiding principles to address key privacy risks. The guidance was produced in consultation with the largest VTC companies - Microsoft, Google, Cisco and Zoom - who shared how they take privacy into account in the design and development of their VTC services, the ICO reports.
The joint signatories who issued the guidance supported calls for industry standard encryption as a minimum requirement and welcomed the development and implementation of end-to-end encryption.
The guidance recommends: "Making end-to-end encryption available to all users of VTC services whether enterprise, consumer, paid, or free; including via development and implementation of end-to-end encryption as an option in video calls involving multiple participants."
Consultation between regulators and providers also covered how the companies will implement, monitor and validate the privacy and security measures put in place, the ICO notes.
None of the four VTC provider companies had comments on the guidance at this time.
The joint signatories set out a range of recommendations in a report released on Wednesday. They include calling on VTC organizations to conduct regular testing of security measures to ensure they remain robust against constantly evolving threats.
"Various approaches to security testing were reported, including: penetration tests; threat modelling; 'bug bounty' programs; independent audits; internationally recognized certification; and use of open source code to enable third party scrutiny," the ICO notes. "The joint signatories recommend VTC companies take a comprehensive approach by overlaying several such measures into an overall and recurrent security testing approach."
Employees and third party sub-processors also should understand and comply with their obligations around access to, and handling of, personal information, the report states.
Other recommendations include:
- Pre-employment checks;
- Regular employee training on privacy and security;
- Vetting of third parties, including via vendor selection and review committees;
- Regular audits of third parties, including logging sub-processor access to personal information;
- A "principle of least privilege" approach to access controls, under which each employee's access is limited to what their job function requires.
Personal information should only be used to provide the core features required to operate the service, and providers should not retain data for longer than necessary, according to the report. It also asks VTC companies to be transparent with users about the locations where data is stored and through which it is routed.
Not an Afterthought
"Data protection and privacy cannot be bolted on as an afterthought; for measures to work in practice they must be embedded. All VTCs should place settings for their service at the most privacy protective by default," the ICO notes.
With increasing usage of VTC services, the joint signatories say, "Tailored privacy and security guidance is a good practice to help ensure users are more confident using a VTC service and selecting the settings and features most appropriate for them."