Some leading video conferencing tools have been shown to fall short in protecting attendee privacy. We offer a requirements list for secure video conferencing software that puts attendee privacy interests first.
Web meeting best practices not enough
In our previous blog post, Best practices for secure video conferencing, we listed best practices for maximizing privacy and security when conducting a video conference. However, we have observed that some leading video conferencing tools, and notably Zoom in recent weeks, have fallen short in their protection of attendee privacy, even when meeting hosts follow all of the best practices in our prior post (see, for example, Zoom faces a privacy and security backlash as it surges in popularity published in The Verge, or CNN’s Zoom, the video conferencing app everyone is using, faces questions over privacy).
Having looked at the leading web meeting platforms, we find them all far from ideal when it comes to putting privacy rights first. Feature-rich video conferencing platforms that do not take privacy and security seriously should be pressured by their customers to do so; otherwise users should seek video conferencing solutions that come closer to the requirements below.
Web meeting requirements list for privacy
The following is a requirements list of privacy features that we urge all video conferencing tools to adopt, and on which users should insist, not in any particular order:
Unique link: Meetings should be reachable only via a unique, unpredictable link, where the meeting identifier is generated from a cryptographically secure random source and is long enough that guessing or enumerating valid identifiers is infeasible, combined with strong authentication and authorization to attend that particular meeting.
Strong authentication: By default, meetings should require attendees to log in with a strong password, and should admit them only if they were explicitly invited to that meeting.
Two-factor authentication (2FA): Allow the organizer/host/meeting owner to require 2FA of attendees at entry, with this requirement on by default (2FA requires two modes of authentication, such as a password plus a one-time code; note that a code sent by text message is the weakest common second factor, and an authenticator app or hardware security key is stronger).
Invitees only: The tool should allow a meeting to be set up with an attendee list or a pre-configured group. No one outside the authorized members of that list or group should be able to join.
Meeting start: By default, do not allow meeting participants to enter and interact before the host has started the meeting.
Control over entrance: Provide a control that lets the meeting host see who is requesting entry and explicitly admit (or refuse) each one.
Eject disruptive attendees: The platform needs a tool that lets the organizer remove a disruptive, abusive or unauthorized attendee and bar them from rejoining.
Prevent late attendees: In addition, provide the ability, on by default, to lock the meeting to new entrants a set time (for example 5 or 10 minutes) after it starts.
True end-to-end encryption: Video conferences should use true end-to-end encryption, meaning that audio/video and any other content (chat, notes, shared files) are encrypted with keys held only by the meeting participants, so that the content is unreadable not only while it is transmitted but also while it passes through, or is stored “at rest” on, the vendor’s servers. Transport encryption between each client and the vendor’s server, with the server decrypting in the middle, does not qualify. Amazingly, this requirement alone would be failed by several leading vendors. An attacker who breaks into the vendor’s server should not be able to view any content. In addition, we believe that the vendor should not hold the decryption keys for the encrypted content; only the session owner/host should be able to access and decrypt stored content. (We recognize that this latter point is controversial with some who argue that law enforcement needs every tool to fight crime even if it tramples on the privacy of innocents, but we believe that the right to private conversations outweighs government access to meeting contents, given the slippery slope toward abuse of broad surveillance.)
Screen sharing default to host only: By default, only the host should be able to share his or her screen, but should be able to delegate screen sharing to a trusted attendee.
Screen shots with consent: Come up with a way to enforce consent before attendees’ faces, names and/or shared screens are captured via attendee screen shots. Anyone who does not want his or her picture captured and sent around the Internet should be able to block it. The default should be "block screen captures." (A client-side block can only raise the bar: an attendee with a modified client, or a phone camera pointed at the screen, can always capture what is shown, so this feature is about consent and preventing casual capture, not a hard guarantee.)
Zero-knowledge: More generally, vendors should operate on a “zero-knowledge” basis, with no access to attendees’ or organizers’ personal data or to the content of their meetings.
Session recording non-default and consent: No session recording by default. If the host wants to record a session, there should be a means of obtaining explicit consent from each attendee. Session recordings, if stored on the vendor’s server, should be password-protected and truly end-to-end encrypted, with the decryption keys known only to the meeting owner, not the vendor. This is a critical requirement, in our view, to protect and reassure attendees that what is said at meetings is truly kept confidential, and cannot be leaked or handed over to governments.
Mute by default: Mute all attendees except the host by default, and unmute an attendee only when the host recognizes them and gives them the floor.
Signal upon entrance/exit: Provide a feature signaling via audio chime or other means when a new person enters or exits the meeting.
File sharing default off: By default, file sharing should be turned off, since shared files are a malware delivery risk; if file sharing is turned on, only the host should be able to share files, shared files should pass through malware scanning before delivery (bearing in mind that scanning reduces the risk but does not eliminate it), and the host should be able to delegate the file sharing right to another trusted attendee.
Privacy by design and default: In general, by design and by default, options should be pre-set to maximize privacy. Many users never change defaults. That is why we indicated, for example, that session recording should be off by default, while muting and screen shot prevention should be on.
Automatic updates: The vendor should offer automatic download and installation of software updates as a user option that defaults to “yes,” so that vulnerability fixes reach users promptly; updates should be delivered over an authenticated channel and signature-checked before installation, so that the update mechanism itself cannot be turned into a malware delivery route.
Transparency: Clear disclosure in privacy policies of what data are collected, who can access them, and how they are used. Ideally, nothing is collected (see “zero knowledge”). Open-source software is also a good sign: it indicates the vendor has nothing to hide, and it lets independent security and privacy experts verify claims such as “the keys never leave the device” rather than take the vendor’s word for them.
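As an added example (not code from the original post or from any vendor), the following Go sketch shows how a conferencing service could enforce the entrance rules listed above: an unpredictable meeting link, an invitee list, a required second factor, no entry before the host starts, a lock on late arrivals, and ejection without the ability to rejoin. The Meeting type, the Admit and Eject functions and the error names are hypothetical; the 128-bit identifier from a cryptographic random source and the fail-closed ordering of the checks are the details worth copying.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"time"
)

// Meeting is the server-side record the entrance rules are evaluated against.
// Type and field names are hypothetical.
type Meeting struct {
	ID         string          // unpredictable, from NewMeetingID
	Host       string          // the organizer/owner
	Invitees   map[string]bool // invite-only: the pre-configured attendee list
	Ejected    map[string]bool // ejected attendees cannot rejoin
	Require2FA bool            // on by default; the host may force it
	StartedAt  time.Time       // zero until the host starts the meeting
	LockAfter  time.Duration   // late joins refused after StartedAt+LockAfter
}

// NewMeetingID returns 128 bits from a CSPRNG in URL-safe form. With that much
// entropy an attacker cannot enumerate or guess valid meeting links.
func NewMeetingID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

var (
	ErrNoSuchMeeting = errors.New("no such meeting")
	ErrNotInvited    = errors.New("not on the invitee list")
	ErrEjected       = errors.New("attendee was ejected and may not rejoin")
	ErrNeed2FA       = errors.New("second factor required")
	ErrNotStarted    = errors.New("host has not started the meeting")
	ErrLocked        = errors.New("meeting is locked to late arrivals")
)

// Admit decides whether an already-authenticated user may enter. Every check
// fails closed, and the link is checked first so an unauthorized caller
// learns nothing about the meeting beyond "no". The host's own entry starts
// the meeting; nobody else gets in before that.
func Admit(m *Meeting, presentedID, user string, secondFactorOK bool, now time.Time) error {
	// Constant-time comparison of the link token against the stored one.
	if subtle.ConstantTimeCompare([]byte(presentedID), []byte(m.ID)) != 1 {
		return ErrNoSuchMeeting
	}
	if user != m.Host && !m.Invitees[user] {
		return ErrNotInvited
	}
	if m.Ejected[user] {
		return ErrEjected
	}
	if m.Require2FA && !secondFactorOK {
		return ErrNeed2FA
	}
	if user == m.Host {
		if m.StartedAt.IsZero() {
			m.StartedAt = now
		}
		return nil
	}
	if m.StartedAt.IsZero() {
		return ErrNotStarted // no interaction before the host arrives
	}
	if m.LockAfter > 0 && now.After(m.StartedAt.Add(m.LockAfter)) {
		return ErrLocked
	}
	return nil
}

// Eject removes a disruptive attendee and bars them from rejoining.
func Eject(m *Meeting, user string) {
	if m.Ejected == nil {
		m.Ejected = map[string]bool{}
	}
	m.Ejected[user] = true
}
```

In a real service the waiting-room step (host sees and approves each entrant) would sit between the last check and admission; it is omitted here because it is an interactive decision rather than a rule the server can evaluate on its own.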
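To make the end-to-end encryption and recording requirements above concrete, here is an added example (not code from the original post or from any vendor) of host-side encryption of a stored recording in Go. It assumes AES-256-GCM with a key generated on the host's device and never sent to the server; the names StoredRecording, NewHostKey, SealRecording and OpenRecording are hypothetical. The vendor's server only ever receives the sealed record, so a copy of its storage, a vendor-held key, or a demand directed at the vendor yields ciphertext that nobody but the host can open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecording is what the vendor's server keeps: ciphertext (with its
// GCM authentication tag) plus the nonce. No key is present, so the vendor
// cannot read it. Hypothetical type.
type StoredRecording struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewHostKey generates the 256-bit AES key on the host's device. It is the
// host's to keep (or to share with attendees out of band); the server
// never sees it.
func NewHostKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecording encrypts the recording on the host side before upload. The
// meeting ID is bound as additional authenticated data, so a ciphertext
// cannot be silently swapped from one meeting into another.
func SealRecording(hostKey []byte, meetingID string, recording []byte) (StoredRecording, error) {
	aead, err := newAEAD(hostKey)
	if err != nil {
		return StoredRecording{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per recording
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecording{}, err
	}
	ct := aead.Seal(nil, nonce, recording, []byte(meetingID))
	return StoredRecording{Nonce: nonce, Ciphertext: ct}, nil
}

// OpenRecording decrypts on the host side. Anyone without the right key,
// including the vendor or an attacker who copied the server's storage, gets
// an authentication error rather than plaintext; so does anyone who
// tampered with the stored bytes.
func OpenRecording(key []byte, meetingID string, rec StoredRecording) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(meetingID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered data")
	}
	return pt, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	hostKey, _ := NewHostKey()
	// Constructed sample input standing in for the recorded media.
	rec, _ := SealRecording(hostKey, "meeting-42", []byte("constructed sample recording bytes"))

	// The vendor holds rec but not hostKey. A vendor-side key is useless:
	vendorKey, _ := NewHostKey()
	_, err := OpenRecording(vendorKey, "meeting-42", rec)
	fmt.Println("vendor decrypt:", err)

	pt, _ := OpenRecording(hostKey, "meeting-42", rec)
	fmt.Printf("host decrypt: %q\n", pt)
}
```

The same construction serves chat, notes and live media: what makes it end-to-end is not the cipher but who holds the key. A vendor that generates or escrows the key on its own servers has transport encryption plus at-rest encryption, which still leaves the vendor, and anyone who compromises or compels it, able to read the content.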
Secure video conferencing software
In our view, the larger vendors, such as Zoom, LogMeIn’s GoToMeeting, Microsoft Teams, Cisco’s WebEx, Google Hangouts Meet, and others, have the resources to deliver strong privacy protections while maintaining ease of use, robust functionality, and scale. They just need the will to rise to the occasion.
Vendors of web meeting software should take this requirements list to heart and deliver solutions that address privacy concerns, or else they will lose market share to those who do. Companies or organizations using web-conferencing tools, in turn, should demand privacy-first solutions from their vendors or else switch providers.