Privacy commissioners worldwide have urged video conferencing systems like Microsoft, Cisco and Zoom to adopt end-to-end encryption, two-factor authentication & other security measures.
Global privacy commissioners issued a joint public decry against leading video conferencing companies such as Cisco Systems, Microsoft & Zoom to demand the companies upgrade their security & privacy strategies.
Open Letter
This statement was delivered via an open letter published by data protection & privacy commissioners from Australia, Canada, Hong Kong, United Kingdom & Switzerland.
The letter, sent Tuesday, responded to many security flaws & privacy holes reported (& mostly patched) in popular video-conferencing platforms & applications.
“During the current pandemic we have observed some worrying reports of security flaws in VTC (video tele-conferencing) products purportedly leading to unauthorized access to accounts, shared files, & calls,” said the open letter, titled “Joint statement on global privacy expectations of Video Teleconferencing companies.”
Criticisms
These criticisms come during the soaring popularity of video conferencing platforms, driven by work-from-home policies tied to the pandemic.
The video conferencing market is surging. Market research firm Global Market Insights reported the video conferencing market was worth $14 billion in 2019 but is projected to grow to $50 billion by 2026.
The joint letter asked the providers to adopt measures such as end-to-end encryption, strong passwords & two-factor authentication (2FA). End-to-end encryption has been a spotlight problem for Zoom, which earlier this year came under fire for announcing that it would only offer the feature to paying users.
Security Considerations
These security considerations are especially critical for video-conferencing users with sensitive information, e.g. hospitals, medical consultations & online therapists, according to the letter.
“Your organisation should remain constantly aware of new security risks & threats to the VTC platform & be agile in your response to them,” according to authorities. “We would anticipate that you routinely require users of your platform to upgrade the version of the app they have installed, to ensure that they are up-to-date with the latest patches & security upgrades.”
The privacy of user data was also a concern addressed. Commissioners urged video conferencing providers to create “privacy conscious” default settings for their platforms, such as implementing strong access controls by default & clearly announcing new callers.
Hijacked
The measure is in response to various video conference meetings being hijacked by cybercriminals during the pandemic.
These incidents happened most frequently in Zoom users, including both during school meetings & in private government meetings & earning the perpetrators the name “Zoom bombers.”
The letter also urged platforms to implement features allowing business users to seek other users’ consent & minimizing personal data captured, used & disclosed. Other “principles” that video conferencing platforms are urged to re-evaluate revolve around transparency, end-user control and “knowing your audience.”
3rd-parties
“Particular attention should also be paid to ensuring that information is adequately protected when processed by 3rd-parties, including in other countries,” says the letter.
Remote-collaboration platforms have been facing scrutiny for months, with Zoom, Slack, Trello, WebEx & Microsoft Teams facing threats of vulnerabilities, credential stuffing, social engineering, & privacy flaws.
Letter
While the letter is intended for all video conferencing services, Microsoft, Cisco, Zoom, House Party & Google were sent the letter directly.
“We welcome responses to this open letter from VTC companies, by Sept. 30, 2020, to show how they are taking these principles into account in the design & delivery of their services,” according to commissioners.
