To come straight to the point – there is no totally safe software, because all of them have their advantages and disadvantages. Therefore, you have to think about how and for what the video conferencing tool should be used.
Let’s take messaging apps on smartphones as an example: in the private environment everyone uses WhatsApp and is a member of at least 3 groups. From my own experience I can say that the complete switch to messaging apps like Signal or Threema that are more compliant with data protection laws fails because of the convenience of me and the people around me. After all, which app should we agree on in the future? And why should they, since all of them have WhatsApp and the group has already settled in so nicely!
What may still be okay in private life is an absolute no-go in the professional environment. Sensitive data is managed here, from personal data of employees, to non-public group figures, to confidential customer data. All this data must be protected from any unauthorized access. Be it messaging apps or video conferencing tools.
The data privacy conformities
For calls/meetings between just two people, Signal offers the possibility of video telephony with end-to-end encryption (E2EE) and can therefore be used for arrangements between two colleagues or even with a customer. However, both callers must have this app installed. Disadvantage: for calls/meetings with more than two participants you have to look for an alternative, because group video telephony is not possible.
This could be found in the open source platform Jitsi . If you host the software on your own servers and make the virtual meeting rooms only accessible via VPN. Good to implement for meetings in which only employees oof a company participate, but not feasible for conversations with external partners or customers, since they have no access to the company VPN and thus no access to the virtual Jitsi meeting rooms. Disadvantage: the requirements for the server on which Jitsi is hosted are quite high and therefore not feasible for every company. In addition, performance suffers considerably the more participants join the meeting.
The comfortable ones
Everyone was talking about it for a long time, Zoom. A video conferencing tool, which has been on the market for a long time and had an incredible popularity during the corona pandemic. Companies, universities, private persons – profiles were created from all areas. Why? Because Zoom knows better than any other tool how to set up a meeting easily and quickly and how to run stable during the meeting itself; without major limitations in video and audio quality. The sticking point? IT security experts have found all kinds of security gaps or disturbing technical solutions that have (rightly?) disgraced this tool. The fact that the developers on the Zoom page reacted directly to every new report about such vulnerabilities and presented solutions is to be praised. For example, unauthorized participants could join meetings until the beginning of April. This was turned off by Zoom – for protected meetings, participants need a password and must be allowed into the meeting room by the moderator. As a result Zoom has received praise from privacy gurus and others for its privacy friendliness and compliance. [1]
Also already longer on the market is Skype for Business (before Lync), which will soon be merged into Microsoft Teams and thus into Office 365. Teams has come under criticism because Microsoft only provides a generic and general privacy policy and not, as required by the GDPR, a precise description of how user data is processed. Stiftung Warentest, the German consumer watchdog, also wrote in an article: “The texts (…) do not show any serious concern with the European data protection regulation (GDPR). So only by accident tyou learn that Microsoft analyses video data by artificial intelligence and then uses it for research purposes. User IDs are also sent to Google Ads and the Adobe Experience Cloud, among others. [2] Why? Cookies and parameters can be enriched there with other personal data in order to offer targeted advertising.
The encrypted ones
Also a well-known and currently popular service is WebEx from Cisco. This tool offers as one of few an E2EE. However, this function is only available on request and is not a generally valid setting. For example, users of the Cisco WebEx Meetings App and Linux users are generally excluded from encryption. The audio signal of meeting participants who dial in via telephone is not subject to the E2EE either, only the shared content remains encrypted. [3]
Furthermore, WebEx or Cisco, like the two Zoom and Microsoft teams mentioned above, is a US company and is therefore not liable to the GDPR.
We therefore recommend that you take a look at the Cisco privacy policy. [4] It says here:
“When you visit our websites, use our solutions or interact with us, we may collect information, including personal information. Personal information is any information that can be used to identify an individual. Examples include name, address, email address, phone number, login information (account number, password, marketing preferences, social media account information, or payment card numbers. (…) We also collect personal information from trusted third party sources and engage third parties to collect Personal Information for our support.”
One tool that has been rather unnoticed so far is Blizz from TeamViewer – a company that was previously known more for its remote maintenance tool. According to its own homepage, Blizz offers “256-bit end-to-end encryption as well as optional two-factor authentication”. [5] This is because the data of participants who dial into the conference by phone cannot be subject to E2EE for technical reasons. To avoid uninvited guests in the conference, the meeting can be password protected. This ensures that only participants who are actually invited can dial in.
Furthermore TeamViewer is a German company and therefore subject to the GDPR. The data centers where the data is stored are located in Germany and Austria and are certified according to ISO 27001. TeamViewer communicates this transparently on its own homepage. [6]
Only the fact that the company also has remote access and remote maintenance capabilities may cause some paranoid thoughts.
So what should one pay attention to?
depending on whether the service is to be used for professional or private purposes different standards apply. As mentioned at the beginning, much stricter data pricacy regulations apply in the professional environment than in the private one. You should be aware of that.
- Do you want to host a tool like Jitsi yourself or do you need to resort to a Software-as-a-Service (SaaS) solution?
- If SaaS: is there a business version of the tool? This usually has even higher security standards.
- Where is the SaaS hosted? Basically, you need to sign a contract with a SaaS provider. If the software and the collected data are hosted in Germany and/or the EU, they are subject to the GDPR. If the server is located in the USA, you have to take a closer look – is the data subject to the EU-US Privacy Shield, which has meanwhile been declared invalid, or is reference made to standard contract clauses?
[1] Stephan Hansen-Oest, lawyer for IT Law, https://www.datenschutz-guru.de/zoom-ist-keine-datenschleuder/ (Retrieved from 27th of July 2020)
[2] Matthias Eberl, journalist and lecturer for multimedia and data privacy, https://rufposten.de/blog/2020/05/17/datenschutz-bei-microsoft-teams/ (Retrieved from 27th of July 2020)
[3] Help-center of Cisco WebEx https://help.webex.com/en-us/nwh2wlx/Enable-End-to-End-Encryption-Using-End-to-End-Encryption-Session-Types (Retrieved from 27th of July 2020)
4] Cisco Online privacy policy https://www.cisco.com/c/de_de/about/legal/privacy-full.html (Retrieved from 27th of July 2020)
[5] Blizz Homepage https://www.blizz.com/de/ (Retrieved from 27th of July 2020)
[6] TeamViewer Trust Center https://www.teamviewer.com/de/trust-center/compliance/ (Retrieved from 27th of July 2020)
