17: 35 best practices for private and secure video conferencing

Updated: May 30


Secure video conferencing

With a rapid increase in work-from-home video conferencing, we explore precautions that should be taken to enhance privacy and secure video conferencing. These best practices apply equally to the diverse groups that are resorting to videoconferencing nowadays as members shelter in place, from business teams to family gatherings to clubs to professional support groups.


Increased demand for video conferencing


With work-from-home spiking due to the coronavirus, as well as the general trend of recent years to conduct virtual meetings instead of physical ones, there has been a sharp increase in the use of video conferencing tools such as Zoom, GoToMeeting, Cisco WebEx, JoinMe, Ring, Click, Microsoft Teams, BlueJeans, Zoho Meetings, and others, and to a large extent even lower-end, smaller-scale, free video session tools such as Skype, Facetime, Google Hangouts, and WhatsApp. Such platforms provide an excellent means for real-time interaction, collaboration, teaching, planning, presentations, client consultation, sales interactions, marketing events, social gatherings, and other interactive sessions, especially useful across time zones and geographic locations.


Need for secure video conferencing


There have been reports, however, of security breaches whereby hate, violent, pornographic or simply abusive material has been presented by an unauthorized intruder in what should have been a private video conference. See, for example, TechCrunch’s Beware of ‘Zoom-Bombing:’ screen sharing filth to video calls or New York Times’ Zoombombing becomes a dangerous organized effort. There could be other types of abuse from unauthorized competitors or foreign entities entering meetings quietly to steal intellectual property, or from a disruptive attendee hijacking a meeting.

Organizers of video conference meetings and their company management should institute policies and procedures to enhance the security and privacy of video conferencing. At a minimum, we recommend that organizers take the following precautions, most of which are facilitated by some video conferencing software tools or their settings. Note in particular that Zoom-bombing can, for the most part, be prevented if the video meeting organizer follows recommendations 1 through 8, below (Zoom themselves recently provided similar guidelines paralleling these very recommendations for preventing Zoom-bombing, and they are changing some of their default settings to the more secure ones). Our fuller set of 35 recommendations in this post aims to enhance privacy further in other ways and also to optimize everyone's experience.


Enforce strict attendance authorization


1. Do not set up meetings whereby anyone with a URL or meeting ID can enter; require login credentials with a strong password (see Password management best practices).

2. Do not post your meeting’s URL on your social media page or any other public location.

3. If your video tool allows it, make each meeting have a unique meeting ID and URL.

4. If your video software allows it, turn off the ability for users to enter before the host.

5. If possible, approve each attendee’s entrance into the meeting, or see suggestion #6. You do not want unauthorized attendees.

6. If your video platform supports it, set up groups of designated invitees (e.g., marketing, project-x, finance-department, client-y, etc.) to initiate a session quickly and to pre-establish who is authorized to join a given meeting.

7. If you do see unauthorized or unknown users during the session, remove them and prevent them from rejoining, if possible.

8. If your video platform allows it, lock the meeting from further entrants, even if authorized, five to ten minutes after the meeting starts. Once the meeting starts, the host should not be distracted with checking who the late entrants are.


Connect to the video conference safely


9. Do not use any public WiFi to connect to a video conference.

10. If using a home WiFi to connect, it is good general practice to change your modem/router’s default user ID and password.

11. Understand that video conferencing over the Internet without going through your enterprise’s network behind a firewall is much more susceptible to intrusion, so you may consider not divulging highly sensitive information at all.

12. Use a VPN (virtual private network) to hide your device and its location.


Use precautions when screen sharing


13. Do not allow all attendees to share their screen on their own initiative; rather, designate who can present.

14. When screens are shared, share only the content you intend. For example, if your tool allows it, share only the window or document you want participants to see (not your other windows, background photos, bookmarks, toolbar, etc.).


Use speaking protocols


15. If your video platform allows it, allow others to speak only when called on.

16. Anyone presenting or speaking had best not share any personal information.

17. Consider introducing everyone at the start of the meeting, if not obvious to everyone, so attendees know who is listening.

18. If general introductions were not made, introduce yourself when speaking (in part for the benefit of any audio-only attendees).


Avoid session recording


19. If your video conference software supports recording of the session, it is best not to record. If absolutely necessary to record a session, be very selective about who can do so, and who has access to the recording.

20. Ensure that the video conference tool encrypts any video, audio, or text that is recorded and stored, not just the content in transit. If the content is not encrypted when stored, it is best not to record anything.

21. If you must record, be sure to password-protect all recordings.

22. If you must record the session, be sure to obtain all attendees’ explicit consent in advance (a red-light to indicate recording is in progress, for example, is by itself insufficient).

23. The host should announce whether users can take screen shots or not. Screen shots of shared screens should only be taken with the presenter’s consent. Screen shots of participants should only be taken with their explicit consent. If the tool has a way to disallow screen shots, use it.


Attend to location privacy


24. Change the background of your camera view to conceal your location (perhaps at a less than neat dining room table, or an area strewn with children's toys) and also to make a more professional appearance.

25. Hold the video conference in a private setting, away from family members or others who may be in your home; you don’t want them hearing confidential information.

26. Be sure you are in a quiet location so that the sounds of pets, family members, or household noises (e.g., barking, crying, vacuum cleaner, flushing toilet, etc.) do not distract attention from the conference.


Adhere to company policies


27. Store any company materials used or accessed in the virtual meeting in accordance with your company security and privacy policies, which may mean storing content on company-authorized servers only, and specifically not storing your enterprise’s materials on personal devices or on the servers of your video-conferencing provider.

28. Follow your company’s policies and procedures. For example, if your employer provided you a laptop computer, be sure to use it for company online meetings rather than your personal computer, and don’t join the meeting on your walk around the block on your personal mobile device.

29. Healthcare organizations should ensure that their video software is HIPAA compliant, particularly when discussing patient information, and that speakers are following HIPAA privacy stipulations.


Hold the video conferencing software vendor accountable


30. Read the video conferencing software vendor’s privacy policy carefully to ensure you understand and can live with what data they collect; for example, they may collect the time not only when each attendee entered a session, but also when each one viewed another window (stopped paying attention) or left the meeting. Worse, they may share demographic or other data they have with third parties for targeted marketing.

31. If your vendor’s platform has privacy shortcomings, make the vendor aware of your displeasure, and consider alternatives.


Follow these other privacy guidelines


32. If the requirement of a video conference is solely to present rather than to interact or collaborate, e.g., for some kinds of training, consider asynchronous, recorded training software with quizzes instead of live video-conferencing.

33. Consider disabling file sharing, if not turned off by default, except by the organizer, to avoid malicious files from being transferred to attendees.

34. Hosts should ensure that when they end a meeting, the tool forces everyone off.

35. Turn off your computer camera when not in use; for extra safety, cover it with masking tape when not in use to protect against webcam hijacking.


Examples of other privacy breaches


Following the recommendations above should maximize privacy and security in video conferencing, and in particular resolve the “Zoom-bombing” phenomenon. However, it should also be noted that there may be privacy breaches in your video conferencing tool that are not addressed in the best practices above. For example, Zoom has taken a lot of criticism for a series of security and privacy vulnerabilities: a) in 2019, one vulnerability allowed attendees on Macs to have their webcam hijacked (see, for example, Forbes’ Confirmed: Zoom Security Flaw Exposes Webcam Hijack Risk, Change Settings Now), and more recently b) they were sharing user information with Facebook (see, for example, Business Insider’s Zoom is being sued for allegedly handing over data to Facebook); c) they exaggerated the claim of end-to-end encryption (see, for example, The Intercept’s Zoom meetings aren’t end-to-end encrypted, despite misleading marketing); d) the meeting ID was displayed in the title bar (see, for example, The Verge's Zoom update hides meeting ID numbers from the title bar); and e) recently, it appears that they made the recordings of private sessions publicly accessible (see, for example, the Washington Post's Thousands of Zoom video calls left exposed on open Web), a severe breach and betrayal of privacy rights. Zoom says that they have addressed or are in the process of addressing these security or privacy flaws.


There are other video conferencing fish in the sea


Keep in mind that if you are not happy with the privacy policies or with the lack of privacy infrastructure of one video conferencing platform, then consider, or urge your company to consider, another, as there are many video conferencing platforms in the marketplace.

For reviews of various video conferencing platforms, see, for example, the following:



But how well do web conferencing vendors address privacy and security?


These reviews examine a broad range of capabilities, including ease of use, video/audio quality, scalability/number of users, collaboration tools, chat, scheduling, free/pricing tiers, integration with other tools, and numerous other aspects of functionality. They include the top tier vendors mentioned at the beginning of this post. Many reviews’ shortcoming is that there is relatively little analysis of how the vendors handle security and privacy, and some of the leading tools do a poor job when it comes to privacy. We will analyze what should be expected of video conferencing tools from a security and privacy viewpoint in our next blog post Web meeting vendors need to address video conferencing security and privacy.


Take-Away


Video conferencing has evolved to the point where it can be a cost-effective and productive means to conduct business or engage socially well beyond today’s coronavirus spike in the number of workers at home and the members of groups gathering socially (at a distance). Precautions should be taken, however, to make video conferencing more secure. Follow the best practices recommended in this post.


This site is owned and operated by Adept Advice LLC.

Copyright (c) 2020 by Adept Advice LLC. All rights reserved.