A few days ago, on the 21st of July, the Office of the Privacy Commissioner of Canada released a letter aimed at video teleconferencing (VTC) providers to set expectations for the privacy and security of users. The thinking is that with the recent increase in VTC usage due to Covid-19 concerns, it’s about time that governments stepped in and made sure that VTC providers were doing a good job of protecting their users.
Joining the Privacy Commissioner of Canada are five other bodies:
- The Privacy Commissioner of Canada
- The U.K. Information Commissioner’s Office
- The Office of the Australian Information Commissioner
- The Gibraltar Regulatory Authority
- The Office of the Privacy Commissioner for Personal Data, Hong Kong, China
- The Federal Data Protection and Information Commissioner of Switzerland
While you can read the full joint statement on global privacy expectations for teleconferencing, here’s a quick summary of the 5 main points the letter covered.
The first point mainly covers security as a whole and serves as a reminder to VTC providers that this new world we live in is fraught with risks. It asks them to remember that there are constantly new threats they need to consider and that recent reports of VTC breaches have been worrying. It also asks providers to regularly remind users to stay up to date with their patches and security upgrades (an excellent point!).
Interestingly, it makes a specific point about making sure that data is encrypted while being processed by third parties, including other nations.
Privacy by Design
This one is very much what it sounds like: designing any VTC application with privacy first, rather than as an afterthought. It actually makes a lot of sense when you think about it, because oftentimes developers will focus on getting the core product out and might not consider the privacy implications. That’s especially true if you consider the permissions that some third-party apps might request, and in fact the letter does point that out.
Similarly, the letter sets out three suggestions for how VTC providers should focus on privacy:
- Design app defaults around privacy, something which some companies are terrible at (looking at you, Microsoft).
- Take into account the complex business requirements for privacy, and allow for them (so that businesses don’t need to use a workaround that could potentially interfere with security).
- Do their best to rein in the amount of data required by the application, and be mindful of who they share that info with.
Know Your Audience
Essentially, this point asks VTC providers to remember that their apps can be used in situations they aren’t necessarily designed for. As an example, they may be used in countries that have human rights and civil liberty issues and that might therefore have sophisticated methods of snooping on people. It’s best, then, to make sure any VTC app has the best encryption around to keep people safe.
Transparency and fairness
This last point is especially important, because it discusses situations where a VTC app might be forced on a user, who therefore might not have the right to choose not to use it. For example, if a workplace adopts a certain type of VTC, employees and staff don’t really have the choice to say no to using it, even if they have qualms about it.
As such, this letter asks VTC providers to make sure that the end-users are informed of whatever the host is doing, whether it’s logging activity, conversations, or even location data.
All in all, this is actually a pretty great letter, as it sets the bar on what governments expect when it comes to security and privacy. We’re really happy to see the Office of the Privacy Commissioner of Canada has taken part in this joint letter, and we hope to see more of the same!
Hi, I’m Ludovic. I created this site as a consumer resource to help fellow Canadians better understand the changing world of cybersecurity. Before creating this resource I saw two fundamental problems with the B2B consumer privacy industry. First, education – the majority of people don’t realize the importance of their own data. Second, nefarious marketing practices – there is a wide array of self-proclaimed security solutions that are doing nothing other than brokering user data without consent.