New cross-country report highlights need for better policies

Video conferencing platforms must improve privacy for users, says data protection authorities

Six national data protection and privacy authorities have released their findings after an investigation into video teleconferencing (VTC) companies’ practices.

The bodies, from Australia, Canada, Gibraltar, Hong Kong, China, Switzerland, and the UK, are broadly happy with the level of engagement from the companies concerned, but are calling for improvements to their privacy measures.

With the use of teleconferencing rocketing as the Covid-19 pandemic took hold, the authorities last summer asked Microsoft, Google, Cisco, Zoom, and Houseparty to explain their privacy and security measures. All but Houseparty responded.

Houseparty did engage with the UK Information Commissioner’s Office as part of a separate enquiry, and in any case closed down its video teleconferencing service two months ago.


“The dialogue between VTC companies and data protection authorities has proven effective, efficient, and mutually beneficial,” say the authorities in their report.

“Moving forward, the joint signatories highlight this model of engagement as valuable and replicable in circumstances where emerging issues would benefit from open dialogue to help set out regulatory expectations, clarify understanding, identify good practice, and foster public trust in innovative technologies.”

The report (PDF) sets out a number of recommendations. They call on VTC companies to make end-to-end encryption available to all users, and to be the default for one-to-one calls of a sensitive nature, such as tele-health communications.

Read more of the latest privacy news

They also want vendors to provide clarity over the secondary use of personal information.

“Where personal information is used for secondary purposes, VTC companies should explicitly make this clear to users with proactive, upfront, and easily understandable messaging about what information is used and for which purposes,” they write.

“Where secondary purposes include targeted advertising and/or the use of tracking cookies, it is recommended that VTC companies only do this if users have expressly opted-in to such processing.”

Finally, the authorities are calling for VTC companies to be completely transparent about where data is stored and how it is routed, and where possible giving users a choice.

They should also implement measures, contractual or otherwise, to ensure that information is adequately protected when shared with third parties, including in foreign jurisdictions.

Class action

The report comes as Zoom settles a class action privacy lawsuit in the US for $86 million after claims that it shared personal data with Facebook, Google, and LinkedIn, as well as allowing unauthorized ‘Zoombombing’ to occur.

However, in a recent report, the Center for Strategic and International Studies (CSIS) found that the cybersecurity and privacy risks of VTC services are no greater than those found on the internet in general.

“Instead, the leading services have all begun to converge in the security and convenience of their apps,” it concluded.

YOU MAY ALSO LIKE Slack contains an XSLeak vulnerability that de-anonymizes users