With a rapid increase in work-from-home video conferencing, we explore precautions that should be taken to enhance privacy and secure video conferencing. These best practices apply equally to the diverse groups that are resorting to videoconferencing nowadays as members shelter in place, from business teams to family gatherings to clubs to professional support groups.
Increased demand for video conferencing
With work-from-home spiking due to the coronavirus, as well as the general trend of recent years to conduct virtual meetings instead of physical ones, there has been a sharp increase in the use of video conferencing tools such as Zoom, GoToMeeting, Cisco WebEx, JoinMe, Ring, Click, Microsoft Teams, BlueJeans, Zoho Meetings, and others, and to a large extent even lower-end, smaller-scale, free video session tools such as Skype, Facetime, Google Hangouts, and WhatsApp. Such platforms provide an excellent means for real-time interaction, collaboration, teaching, planning, presentations, client consultation, sales interactions, marketing events, social gatherings, and other interactive sessions, especially useful across time zones and geographic locations.
Need for secure video conferencing
There have been reports, however, of security breaches whereby hate, violent, pornographic or simply abusive material has been presented by an unauthorized intruder in what should have been a private video conference. See, for example, TechCrunch’s Beware of ‘Zoom-Bombing:’ screen sharing filth to video calls or the New York Times’ Zoombombing becomes a dangerous organized effort. There could be other types of abuse from unauthorized competitors or foreign entities entering meetings quietly to steal intellectual property, or from a disruptive attendee hijacking a meeting.
Organizers of video conference meetings and their company management should institute policies and procedures to enhance the security and privacy of video conferencing. At a minimum, we recommend that organizers take the following precautions, most of which are facilitated by some video conferencing software tools or their settings. Note in particular that Zoom-bombing can, for the most part, be prevented if the video meeting organizer follows recommendations 1 through 8, below (Zoom themselves recently provided similar guidelines paralleling these very recommendations for preventing Zoom-bombing, and they are changing some of their default settings to the more secure ones). Our fuller set of 35 recommendations in this post aims to enhance privacy further in other ways and also to optimize everyone's experience.
Enforce strict attendance authorization
1. Do not set up meetings whereby anyone with a URL or meeting ID can enter; require login credentials with a strong password (see Password management best practices).
2. Do not post your meeting’s URL on your social media page or any other public location.
3. If your video tool allows it, make each meeting have a unique meeting ID and URL.
4. If your video software allows it, turn off the ability for users to enter before the host.
5. If possible, approve each attendee’s entrance into the meeting, or see suggestion #6. You do not want unauthorized attendees.
6. If your video platform supports it, set up groups of designated invitees (e.g., marketing, project-x, finance-department, client-y, etc.) to initiate a session quickly and to pre-establish who is authorized to join a given meeting.
7. If you do see unauthorized or unknown users during the session, remove them and prevent them from rejoining, if possible.
8. If your video platform allows it, lock the meeting from further entrants, even if authorized, five to ten minutes after the meeting starts. Once the meeting starts, the host should not be distracted with checking who the late entrants are.
Connect to the video conference safely
9. Do not use any public WiFi to connect to a video conference.
10. If using a home WiFi to connect, it is good general practice to change your modem/router’s default user ID and password.
11. Understand that video conferencing over the Internet without going through your enterprise’s network behind a firewall is much more susceptible to intrusion, so you may consider not divulging highly sensitive information at all.
12. Use a VPN (virtual private network) online to hide your device and its location.
Use precautions when screen sharing
13. Do not allow all attendees to share their screen on their own initiative; rather, designate who can present.
14. When screens are shared, share only the content you intend. For example, if your tool allows it, share only the window or document you want participants to see (not your other windows, background photos, bookmarks, toolbar, etc.).
Use speaking protocols
15. If your video platform allows it, allow others to speak only when called on.
16. Anyone presenting or speaking had best not share any personal information.
17. Consider introducing everyone at the start of the meeting, if not obvious to everyone, so attendees know who is listening.
18. If general introductions were not made, introduce yourself when speaking (in part for the benefit of any audio-only attendees).
Avoid session recording
19. If your video conference software supports recording of the session, it is best not to record. If absolutely necessary to record a session, be very selective about who can do so, and who has access to the recording.
20. Ensure that the video conference tool encrypts any video, audio, or text that is recorded and stored, not just the content in transit. If the content is not encrypted when stored, it is best not to record anything.
21. If you must record, be sure to password-protect all recordings.
22. If you must record the session, be sure to obtain all attendees’ explicit consent in advance (a red-light to indicate recording is in progress, for example, is by itself insufficient).
23. The host should announce whether users can take screen shots or not. Screen shots of shared screens should only be taken with the presenter’s consent. Screen shots of participants should only be taken with their explicit consent. If the tool has a way to disallow screen shots, use it.
Attend to location privacy
24. Change the background of your camera view to conceal your location (perhaps at a less than neat dining room table, or an area strewn with children's toys) and also to make a more professional appearance.
25. Hold the video conference in a private setting, away from family members or others who may be in your home; you don’t want them hearing confidential information.
26. Be sure you are in a quiet location so that the sounds of pets, family members, or household noises (e.g., barking, crying, vacuum cleaner, flushing toilet, etc.) do not distract attention from the conference.
Adhere to company policies
27. Store any company materials used or accessed in the virtual meeting in accordance with your company security and privacy policies, which may mean storing content on company-authorized servers only and specifically, not storing your enterprise’s materials on personal devices or on the servers of your video-conferencing provider.
28. Follow your company’s policies and procedures. For example, if your employer provided you a laptop computer, be sure to use it for company online meetings rather than your personal computer, and don’t join the meeting on your walk around the block on your personal mobile device.
29. Healthcare organizations should ensure that their video software is HIPAA compliant, particularly when discussing patient information, and that speakers are following HIPAA privacy stipulations.
Hold the video conferencing software vendor accountable
31. If your vendor’s platform has privacy shortcomings, make the vendor aware of your displeasure, and consider alternatives.
Follow these other privacy guidelines
32. If the requirement of a video conference is solely to present rather than to interact or collaborate, e.g., for some kinds of training, consider asynchronous, recorded training software with quizzes instead of live video-conferencing.
33. Consider disabling file sharing, if not turned off by default, except by the organizer, to prevent malicious files from being transferred to attendees.
34. Hosts should ensure that when they end a meeting, the tool forces everyone off.
35. Turn off your computer camera when not in use; for extra safety, cover it with masking tape when not in use to protect against webcam hijacking.
Examples of other privacy breaches
Following the recommendations above should maximize privacy and security in video conferencing, and in particular resolve the “Zoom-bombing” phenomenon. However, it should also be noted that there may be privacy breaches in your video conferencing tool that are not addressed in the best practices above. For example, Zoom has taken a lot of criticism for a series of security and privacy vulnerabilities: a) in 2019, one vulnerability allowed attendees on Macs to have their webcam hijacked (see, for example, Forbes’ Confirmed: Zoom Security Flaw Exposes Webcam Hijack Risk, Change Settings Now), and more recently b) they were sharing user information with Facebook (see, for example, Business Insider’s Zoom is being sued for allegedly handing over data to Facebook); c) they exaggerated the claim of end-to-end encryption (see, for example, The Intercept’s Zoom meetings aren’t end-to-end encrypted, despite misleading marketing); d) the meeting ID was displayed in the title bar (see, for example, The Verge's Zoom update hides meeting ID numbers from the title bar); and e) recently, it appears that they made the recordings of private sessions publicly accessible (see, for example, the Washington Post's Thousands of Zoom video calls left exposed on open Web), a severe breach and betrayal of privacy rights. Zoom says that they have addressed or are in the process of addressing these security or privacy flaws.
There are other video conferencing fish in the sea
Keep in mind that if you are not happy with the privacy policies or with the lack of privacy infrastructure of one video conferencing platform, then consider, or urge your company to consider, another, as there are many video conferencing platforms in the marketplace.
For reviews of various video conferencing platforms, see, for example, the following:
PC Magazine’s The Best Videoconferencing software for 2020
TechRadar’s Best video conferencing software 2020
But how well do web conferencing vendors address privacy and security?
These reviews examine a broad range of capabilities, including ease of use, video/audio quality, scalability/number of users, collaboration tools, chat, scheduling, free/pricing tiers, integration with other tools, and numerous other aspects of functionality. They include the top tier vendors mentioned at the beginning of this post. Many reviews’ shortcoming is that there is relatively little analysis of how the vendors handle security and privacy, and some of the leading tools do a poor job when it comes to privacy. We will analyze what should be expected of video conferencing tools from a security and privacy viewpoint in our next blog post Web meeting vendors need to address video conferencing security and privacy.
Video conferencing has evolved to the point where it can be a cost-effective and productive means to conduct business or engage socially well beyond today’s coronavirus spike in the number of workers at home and the members of groups gathering socially (at a distance). Precautions should be taken, however, to make video conferencing more secure. Follow the best practices recommended in this post.