Connect with us

Hi, what are you looking for?



Regulators Urge Video Conferencing Companies to Improve Security, Privacy

In an open letter this week, six data protection and privacy regulators from around the world have asked video teleconferencing (VTC) organizations to focus on security and privacy-by-design.

In an open letter this week, six data protection and privacy regulators from around the world have asked video teleconferencing (VTC) organizations to focus on security and privacy-by-design.

The regulatory community, which is responsible for ensuring the privacy of individuals worldwide, is concerned that the increased use of video conferencing solutions as a result of the COVID-19 pandemic has heightened the risks associated with the handling of personal information by VTC companies, and has created additional risks as well.

“Reports in the media, and directly to us as privacy enforcement authorities, indicate the realization of these risks in some cases. This has given us cause for concern as to whether the safeguards and measures put in place by VTC companies are keeping pace with the rapidly increasing risk profile of the personal information they process,” the letter reads.

In addition to voicing their concerns, the privacy watchdogs detailed their expectations regarding the manner in which video conferencing companies are expected to mitigate said risks, as well as the steps they should take to ensure they secure the personal information of users.

The regulators also encourage VTC companies to identify and address other data protection and privacy issues associated with their services, and regularly review their stance on privacy and even work with regulators to mitigate risks that they cannot resolve.

“During the current pandemic we have observed some worrying reports of security flaws in VTC products purportedly leading to unauthorized access to accounts, shared files, and calls,” the letter reads.

VTC companies should ensure that their solutions include security safeguards by default, such as effective end-to-end encryption and two-factor authentication, and that they demand strong passwords. Those offering VTC services to sectors that process sensitive information should focus the most on these security measures.

Advertisement. Scroll to continue reading.

“Particular attention should also be paid to ensuring that information is adequately protected when processed by third-parties, including in other countries,” the letter reads.

VTC companies have also been urged to take a privacy-by-design approach to their services, and not only ensure that data and privacy are protected at all times, but also that users are provided with privacy-friendly settings from the start.

Default settings, the letter says, need to ensure the best privacy protection, but users should have the option to adjust those to suit their requirements. Furthermore, business users should be provided with features to help them comply with their own privacy policies, and VTC services should minimize the capture of personal information or data.

“VTC providers should also undertake a privacy impact assessment to identify the impact of their personal information handling practices on the privacy of individuals, and implement strategies to manage, minimize or eliminate, these risks,” the letter reads.

VTC companies are also encouraged to identify the environments in which their services are used, so as to ensure they can deliver data security and privacy in all contexts, to be transparent about the data they collect and how they share it, and to ensure that users have the appropriate information and control when using their services.

“We recognize that VTC companies offer a valuable service allowing us all to stay connected regardless of where we are in the world; something that is especially important in the midst of the current Covid-19 pandemic. But ease of staying in touch must not come at the expense of people’s data protection and privacy rights,” the regulators note.

The letter was signed by commissioners with the Office of the Australian Information Commissioner, the Compliance Sector Office of the Privacy Commissioner of Canada, the Gibraltar Regulatory Authority, the Privacy Commissioner for Personal Data for Hong Kong, the Federal Data Protection and Information Commissioner for Switzerland, and the United Kingdom’s Regulatory Supervision Information Commissioner’s Office.

Related: Mozilla Says Many Popular Video Call Apps Meet Its Minimum Security Standards

Related: Hackers’ New Target During Pandemic: Video Conference Calls

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.