Tag: Facebook Messenger Rooms

A call to attention now exists regarding videoconferencing platform security

Article

Zoom (MacOS) multi-party video conference screenshot

A call to action is now taking place regarding the data security and user privacy of video conferencing platforms

Privacy watchdogs urge videoconferencing services to boost privacy protections | We Live Security

From the horse’s mouth

Officer Of The Privacy Commissioner Of Canada

Joint statement on global privacy expectations of Video Teleconferencing companies (English / Français)

Press Release (English, Français)

Office Of The Australian Information Commissioner

Global privacy expectations of video teleconference providers – with open letter

Federal Data Protection And Information Commissioner (Switzerland)

Audio And Video Conferencing Systems – Privacy Resource factsheet (English, Français, Deutsch, Italiano)

Open Letter (PDF)

Information Commissioner’s Office (United Kingdom)

Global privacy expectations of video teleconference providers

Open Letter (PDF)

My Comments

Thanks to the COVID-19 coronavirus plague, we are making increased use of various videoconferencing platforms for our work, education, healthcare, religious and social reasons.

This has been facilitated through the use of applications like Zoom, Skype, Microsoft Teams and HouseParty. It also includes “over-the-top” text-chat and Internet-telephony apps like Apple’s Facetime, Facebook’s Messenger, WhatsApp and Viber for this kind of communication, thanks to them opening up or having established multi-party audio/video conferencing or “party-line” communications facilities.

Security issues have been raised by various experts in the field about these platforms with some finding that there are platforms that aren’t fit for purpose in today’s use cases thanks to gaping holes in the platform’s security and privacy setup. In some cases, the software hasn’t been maintained in a manner as to prevent security risks taking place.

As well, there have been some high-profile “Zoombombing” attacks on video conferences in recent times. This is where inappropriate, usually pornographic, images have been thrown up in to these video conferences to embarrass the participants with one of these occurring during a court hearing and one disrupting an Australian open forum about reenergising tourism.

This has led to the public data-protection and privacy authorities in Australia, Canada, Gibraltar, Hong Kong, Switzerland and the United Kingdom writing an open letter to Microsoft, Cisco, Zoom, HouseParty and Google addressing these issues. I also see this relevant to any company who is running a text-based “chat” or similar service that offers group-chatting or party-line functionality or adapts their IP-based one-to-one audio/video telephony platform for multi-party calls.

Some of these issues are very similar to what has been raised over the last 10 years thanks to an increase in our use of online services and cloud computing in our daily lives.This included data security under a highly-mobile computing environment with a heterogeny of computing devices and online services; along with the issue of data sovereignty in a globalised business world.

One of the key issues is data security. This is about having proper data-security safeguards in place such as end-to-end encryption for communications traffic; improved access control like strong passwords, two-factor authentication or modern device-based authentication approaches like device PINs and biometrics.

There will also be the requirement to factor in handling of sensitive data like telehealth appointments between medical/allied-health specialists and their patients. Similarly data security in the context of videoconferencing will also encompass the management of a platform’s abilities to share files, Weblinks, secondary screens and other media beyond the video-audio feed.

As well, a “secure by design and default” approach should prohibit the ability to share resources including screenviews unless the person managing the videoconference gives the go-ahead for the person offering the resource. If there is a resource-preview mechanism, the previews should only be available to the person in charge of the video conference.

Another key issue is user privacy including business confidentiality. There will be a requirement for a videoconferencing platform to have “privacy by design and default”. It is similar to the core data-security operating principle of least privilege. It encompasses strong default access controls along with features like announcing new participants when they join a multi-party video conference; use of waiting rooms, muting the microphone and camera when you join a video conference with you having to deliberately enable them to have your voice and video part of the conference; an option to blur out backgrounds or use substitute backgrounds; use of substitute still images like account avatars in lieu of a video feed when the camera is muted; and the like.

There will also be a requirement to allow businesses to comply with user-privacy obligations like enabling them to seek users’ express consent before participating. It also includes a requirement for the platform to minimise the capture of data to what is necessary to provide the service. That may include things like limiting unnecessary synchronsing of contact lists for example.

Another issue is for the platforms to to “know their audience” or know what kind of users are using their platform. This is for them to properly provide these services in a privacy-focused way. It applies especially to use of the platform by children and vulnerable user groups; or where the platform is being used in a sensitive use setting like education, health or religion.

As well it encompasses where a videoconferencing platform is used or has its data handled within a jurisdiction that doesn’t respect fundamental human rights and civil liberties. This risk will increase more as countries succumb to populist rule and strongman politics and they forget the idea of these rights. In this case, participants face an increased exposure to various risks associated with these jurisdictions especially if the conversation is about a controversial topic or activity or they are a member of a people group targeted by the oppressive regime.

Another issue being raised is transparency and fairness. Here this is about what data is being collected by the platform, how it is being used, whom it is shared with including the jurisdictions they are based in along with why it is being collected. It doesn’t matter whether it is important or not. The transparency about data use within the platform also affects what happens whenever the platform is evolved and the kind of impact any change would have.

The last point is to provide each of the end-users effective control over their experience with the videoconferencing platforms. Here, an organisation or user group may determine that a particular videoconferencing platform like Zoom or Skype is the order of the day for their needs. But the users need to be able to know whether location data is being collected or whether the videoconference is tracking their engagement, or whether it is being recorded or transcribed.

I would add to this letter the issue of the platform’s user-friendliness from provisioning new users through all stages of establishing and managing a videoconference. This is of concern with videoconference platforms being used by young children or older-generation people who have had limited exposure to newer technologies. It also includes efforts to make the platform accessible to all abilities.

This is relevant to the security and user privacy of a videoconferencing platform due to simplifying the ability for the videoconference hosts and participants to maintain effective control of their experience. Here, if a platform’s user interface is difficult to use safely. videoconference hosts and participants will end up opting for insecure setups this making themselves vulnerable.

For example, consistent and less-confusing function icons or colours would be required for the software’s controls; along with proper standardised  “mapping” of controls on hardware devices to particular functions. Or there could be a user-interface option that always exposes the essential call-management controls at the bottom of the user’s screen during a videocall.

This issue has come to my mind due to regularly participating in a Skype videoconference session with my church’s Bible-study group. Most of the members of that group were of older generations who weren’t necessarily technology-literate. Here, I have had to explain what icons to click or tap on to enable the camera or microphone during the videoconference and even was starting it earlier to “walk” participants through using Skype. Here, it would be about calling out buttons on the screen that have particular icons for particular functions like enabling the camera or microphone or selecting the front or back camera on their device.

At least the public-service efforts have come about to raise the consistent security and privacy problems associated with the increased use of videoconferencing software.

Keeping those videoconferencing platforms relevant beyond the pandemic shutdown

As various jurisdictions around the world are “peeling back” the various stay-at-home restrictions once they are sure they have the coronavirus plague under control in their territory, we could easily see our love for many-to-many videoconferencing wane. It can be more so when the barriers are fully down and we are confident about going out and about, or travelling long-distance.

But these many-to-many video-conferencing platforms like Zoom, Skype and Facebook Messenger Rooms do not need to be ignored once we can go out. It is more about keeping these platforms in continual relevance beyond the workplace and as part of personal and community life.

How can you keep these platforms relevant

Zoom (MacOS) multi-party video conference screenshot

Are these multi-party video conferences going to die out when the all-clear to meet face-to-face and to travel is given?

Family and friends

Do you have members of your family or community who are separated by distance? Here, each family cluster who can meet up at a particular venue in their local area can implement Zoom, Skype or a similar platform to create a wide-area meetup amongst the clusters. It can also extend to remote members of that family or community using these platforms to “call in” and join the occasion.

This situation will be very real with us taking baby steps to getting back to what we used to do, including long-distance travel. Initially long-distance travel will be put off due to fears of newer coronavirus infections on crowded transport modes like economy-class airline cabins along with countries putting off opening their borders and enabling long-distance domestic travel until they are sure that the Covid-19 beast is under control.

If one of us moves to a place that is a long distance away like overseas or interstate, these videoconferencing platforms become even more relevant as a tool to “keep in touch with home”. For example, once that person has settled in to their home, they could use a smartphone, tablet or highly-portable laptop computer to take those of us who are “at home” on a tour of their new premises.

Similarly, an event like an engagement or “wetting the new baby’s head” that is typically celebrated by small groups of relatives or friends who get together to celebrate with a toast to the lucky couple or parents can be taken further. Here, these small clusters could effectively “join up” as part of a larger virtual cluster involving the people whom the occasion is about in order to celebrate together.

Education

For education, distance learning can continue to be made relevant especially for people who can’t attend the class in person. This includes underserved rural and remote communities, people who are in hospital and similar places or itinerant students. There can also be a blended-learning approach that can be taken where a class can both be face-to-face and remote.

Teachers can use videoconferencing to teach classes at the school even if they are home due to illness, caring for relatives or similar situations. It is important for those teachers who place value in curriculum continuity for their students no matter what. Foreign-language teachers who are engaging in personal travel to the country associated with the language they are teaching can use aspects of the trip for curriculum enrichment. With this they could “call in” to their classes at home from that country and engage with the country’s locals or demonstrate its local culture and idiosyncrasies.

A school’s student-exchange program can also benefit from videoconferencing by having remote exchange students able to “call in” to their home school. With this the students could share their experiences and knowledge about the remote location with their “home” class.

To the same extent, a school could link up with one or more guest speakers so that speaker can enrich the class with extra knowledge and experiences. It can even help those schools who can’t afford frequent field trips especially long-distance trips to be able to benefit from knowledge beyond the classroom.

Community Worship

In the worship context, videoconferencing technology can be about allowing mission workers to call their home church and present their report to their home congregation by video link. It can even appeal towards multiple-campus churches who want to be part of these video links.

This technology is still relevant to those small Bible-study / prayer / fellowship groups that are effectively smaller communities within a church’s community. Here, these groups could maintain videoconferencing as a way to allow members separated from the group on a temporary basis to effectively “call in” and participate during the meetups. In some cases where one of these groups becomes too large that they “break up” to smaller groups, they could implement the many-to-many videoconferencing technologies to host larger group meetups on an occasional basis.

Of course there are the key occasions that are part of a religious community’s life like the weddings or funerals. Here, it could be feasible to provide a video link-up so that people who can’t attend the services associated with these events in person due to ill-health or long-distance can view them on line.

As well, the supporting parties associated with these events can become global shared celebrations comprising of multiple local celebration clusters using video-link technology. This is more so with families and communities who are split up by distance but want to celebrate together.

Other community organisations who thrive on being close-knit could easily see the multi-party video-conference as being relevant especially for members who are far-flung from where they usually meet. As well, those who have presence in multiple geographic areas can exploit the likes of Zoom or Skype to make ad-hoc virtual meetings that don’t cost much to organise.

What can be done

Increased support for group videocalling on the big screens

If a mobile-platform vendor has an investment in their mobile platform along with a set-top-box platform (that’s you, Apple with your iOS and Apple TV, and Google with your Android and Chromecast), they could work towards enabling their set-top platform towards group videophone functionality.

Here, this idea would require the smartphone or tablet, which has the contact list and the user-interface for the videocalling platforms like Facetime, Zoom, Skype or Facebook Messenger; to be able to manage the calls while a camera attached to the top of the TV is linked to the set-top box which works with the videocalling platform as a screen, camera, speakers and microphone.

I wrote in a previous article about this idea and the two ways it can be done. One of these is to have a lean software interface in both devices that link the smartphone to the set-top box and have the caller’s face and voice on the TV with the camera linked to the set-top box bringing your face and voice to the caller. The smartphone would then run the videocalling platform, allowing the user to control the call from that device.

The other is to have the videocalling platform software on the set-top box with the ability to use the smartphone to manage accounts, callers and the like from its surface. This is similar to how DIAL is being used by Netflix and YouTube to permit users to “throw” content from smartphones or computers to smart TVs and set-top devices equipped with client software for these platforms.

Conclusion

The videoconferencing platforms of the Zoom, Skype and Facebook Messenger Rooms ilk can be of use beyond the pandemic shutdown, serving as a way to bridge distance and bring communities together.