Skip to main content
2021-03-24

Video conferencing and privacy, findings and conclusion

2021-03-24
In our previous blog post we described how to tackle the challenge of choosing the right video conferencing solution and describe a methodology. In this post we will let you in on our findings and conclusions.

Findings - part 1

To start, a very interesting observation is that none of the well-known and most used video conferencing solutions did make it beyond the first part of the review. This means that legal requirements for processing of personal data were not met in an adequate manner. This is inasmuch surprising, as the agreements otherwise appear quite sound and worked out.

The review identified several shortcomings which roughly can be grouped into the following categories.

1. Inadequate data processing agreements

The DPA does not fulfil relevant requirements in the GDPR such as restricting the data controllers authority to give directions on data processing, or the agreement restricts rights or obligations which are not compatible with GDPR. It might also be the case that necessary safeguards are not in place, or not satisfactory.

2. Unlawful data transfer or processing

3. Accountability of the controller is constrained

Some agreements include clauses that allow for unilateral and unannounced changes of the agreement, which makes it impossible for the controller to fulfil their accountability requirements. This is also often the case where sub-processors are involved where the list of sub processors can be updated without further notice.

4. Data processing for other purposes

Some providers reserve the right to process data for their own, or third parties, purposes which is not acceptable

The review contains also detailed information about the findings, and reasoning for why an agreement was deemed inadequate with regards to the GDPR.

Findings - part 2

For the second part, the remaining services where reviewed on data security and how the technical solution supports data privacy in their default configuration. The assessment is based on several criteria like encryption, authentication for participants and the meeting host, but also privacy requirements like unauthorised or unannounced recording possibilities. A detailed description of these requirements can be found in chapter 4.

Further, a set of three use cases have been defined, with varying degrees of privacy and security requirements. The different video conferencing solutions have been assessed on how well they fulfil the security and privacy requirements on the background of these use cases.

Basically, the use cases are ranged from low to high requirements on privacy, based on the nature of the discussed topic as well as the protection requirements of all participants.

The review did only find three categories of shortcomings preventing a positive rating:

1. No mandatory authentication of participants with for example a username and password

2. No role-based access control (RBAC)

3. Camera/microphone cannot be deactivated by default when entering the conference

Another evaluated criteria is the quality of end-to-end encryption, where the review differentiates between weak and strong end-to-end encryption. The difference is that for strong end-to-end encryption, the encryption keys are negotiated for each session between the end devices, and the encryption keys are not available to the provider. Weak end-to-end encryption on the other hand only prevents from casual observation by the provider (as encryption keys are available to the provider).

All video conferencing solutions reviewed in this part did at least pass the requirements for the least-demanding use case, and most did also provide enough protection for conferences with high demands on privacy and security.

End-to-end encryption is only available for few of the reviewed solutions.

Jitsi Meet

Redpill Linpros VCaaS solution is based on Jitsi Meet, a free and open source video conferencing solution. Jitsi Meet is one of the OSS solutions reviewed in the Berlin note, with quite good results on the technical side - with a few caveats:

1. Jitsi Meet has no role-based access controll

2. Jitsi Meet does not provide a wide range of features for access control

The standard setup of Jitsi Meet is to allow anybody to set up and connect to running video conferences. This is quite convenient in day-to-day use, but will become an issue when hosting large meetings that require confidentiality or privacy. Jitsi Meet does provide two features to handle this: setting passwords on meeting rooms, as well as requiring authentication before being able to create or join a virtual meeting room.

Setting a password that is shared separately from the meeting invitation is certainly a way to increase privacy for meetings with low or moderate requirements, especially for groups that know each other and will guard themselves against unknown participants.

Some of the use cases described in the review have higher demands on confidentiality and privacy, and the Berlin note recommends to use RBAC and individual authentication in these cases. This is also recommended when hosting video conferences participants that do not know each other personally, where privacy requirements are relevant.

Conclusions

It was quite surprising to find that almost all of the well-known video conferencing solutions (like Zoom, Teams, Webex, Gotomeeting or Skype) do not provide a service with a data privacy agreement conforming to European law. There are exceptions, and the review lists several solutions that do conform to legal requirements as well as provide secure and private solutions.

All services that did pass the legal requirements did also pass the security and privacy requirements, at least for the least-demanding use case outlined in the review. Three video conferencing solutions did pass all requirements, and two of these are open source software - including the one with strongest end-to-end encryption.

While not all criteria in this review might be applicable to your specific requirements, this review does provide valuable insight into how to conduct an assessment, and especially the findings of the legal review should be thought-provoking. The review gives also a good overview over video conferencing solutions available.

Written by Michael Nemecky