Since the global Corona pandemic arrived in Europe more than a year ago, video conferencing has become an integral part of everyday life for many people. Often, the use is not limited to a specific video conferencing software, but there is a wide range of corresponding tools. However, from the perspective of data protection and privacy, there are sometimes significant differences, which we will explain in this blog article.
Data Protection and Privacy
The terms data protection or data security and privacy are intrinsically linked in the digital space. To preserve data security and thus protect privacy, there are various approaches, two of which have proven to be particularly effective: Data Minimalism and Encryption.
According to the concept of data sparsity or data minimalism, it is already determined a priori which information is needed for which purposes, instead of first collecting as much information as possible and then looking for a use for the available stock of data. This is usually done while constantly balancing the benefits against associated privacy intrusions.
Although parsimony in the collection and storage of data and data streams is an important first step in protecting users’ information from access by unauthorized persons, there are nevertheless data sets that must be available for technical or legal reasons, such as chat logs or transmission data in video conferences. In order to be able to use these securely, strong and robust encryption algorithms are required that can be used equally easily (sometimes disparagingly referred to as “foolproof”) by users without technical understanding. The topic of data and information security has been covered in detail before.
Security in Video Conferences
In addition to the principles of data minimalism and robust encryption, there are some aspects that should be considered regarding information security in video conferences. The following checklist provides an overview to assess privacy protection without having to be a privacy expert yourself. [1,2]
1. Providers from the EU
Since 2018, the General Data Protection Regulation (GDPR) has been in effect throughout the European Union area as well as in Iceland, Lichtenstein and Norway. Among other things, the GDPR defines a uniform data protection standard that is among the highest in the world. In applying the GDPR, the so-called establishment principle (Art. 3(1) GDPR) counts on the one hand and the market place principle (Art. 3(2) GDPR) on the other. While the former describes the application of the data protection standards defined by the GDPR for representatives with company headquarters in all of the aforementioned states, the market location principle states that the GDPR also applies if the company does not have its own headquarters in these states, but is active there. Although the GDPR thus also applies to companies with headquarters in third countries that are active in the EU, such as Facebook, Google or the Alibaba Group, in practice, however, monitoring compliance with the GDPR is significantly easier within the EU.
2. Adequate Privacy Policy
The privacy statement should explain what data is collected and for what purpose. The use of transmission data is a technical necessity in video conferencing. However, it is important to clarify whether an encryption algorithm (end-to-end encryption) is used in the process, whether personal data is processed or stored beyond what is technically necessary, and whether this data is transmitted to third parties. The storage period of the transmission data is also of considerable relevance.
3. Open Source / Free Software
Openly accessible code is an important component of privacy protection. Free, open source software can be accessed transparently and is therefore subject to a permanent “public audit” by the open source community, which ensures the reliability and credibility of the individual components. This is particularly advantageous for the encryption of data and conversations. When using free software, users do not have to blindly trust that data protection standards are being met, but can transparently track them and trust that the applications are doing exactly what they are supposed to do.
4. Participation Control
Provided that all participants in a video conference have their own user account, identification is usually unproblematic. In addition, videoconferences should be able to be protected via invitations and/or passwords to prevent unauthorized participation.
5. Logging Control
Most video conferencing tools have a chat function that can be used to exchange messages in parallel with the conference. These chat histories should be subject to equally high data protection standards and should be able to be deleted to prevent the provider of the video conferencing software from viewing them.
Privacy Protection in ViOffice Conference
In the past few months, data protection experts have been intensively involved with widespread video conferencing services and their tools. Regardless of an individual’s political and ethical/moral stance on the issue of privacy protection, it is the legal framework that is crucial for public authorities, companies and associations. In this regard, the Berlin Commissioner for Data Protection and Freedom of Information recently published a spectacular assessment. According to this, the use of most proprietary, common video conferencing services, including Zoom, Cisco Webex, Google Meet, Microsoft Teams and Skype, is not legally compliant! Zoom has been the subject of particularly negative headlines, as security vulnerabilities have been uncovered and the company has in the past shared data with Facebook or routed data streams through countries outside the EU. However, legal consequences can affect not only the providers of the software themselves, but in particular the host, i.e. the company, authority or association that provides this software for official talks. However, positive examples should not go unmentioned. Providers such as mailbox.org, OSC BigBlueButton and sichere-videokonferenz.de can be used without hesitation according to the assessment of the Berlin data protection officers. [3,4,5]
The technical and legal conditions that apply to the positive examples also apply in the case of ViOffice Conference, which fulfills all the points in the above checklist. ViOffice is an entrepreneurial project that is oriented towards sustainable, ethical and socially just future viability. As host and provider of our video conferencing solution with location and server sites in Germany, we are of course bound to the standards of data protection of the DSGVO. However, ViOffice goes beyond this overall and protects data of users (including from ourselves) even more strongly wherever this is technically feasible. Our privacy policy lists in detail and clearly which data is (must be) collected and/or stored for which purposes. ViOffice Conference is based on the Free Software Jitsi-Meet and is therefore Open Source and has been extended by ourselves with further Open Source code. Especially the code contributed by us leads to an improved participation control in the video conferences. Furthermore, transmission paths are always encrypted on the server side. Participants in the videoconference can independently and easily switch to full end-to-end encryption in an ongoing conference. Passwords can also be set by the conference moderator at any time. A ViOffice account is required to start a conference, but not to participate in an ongoing conference. ViOffice Conference never logs conferences. This applies to the content of the conference as well as to the participants themselves or the built-in text chat. For technical reasons, IP addresses are recorded, but deleted again after a short time and do not give us the possibility to assign participants to a specific conference.
Our privacy policy and further information on the topics of security and privacy are publicly and transparently available in our Helpcenter. In addition, we have described our internal corporate philosophy in detail in the blog entry on Corporate Social Responsibility.
Sources
[1] Herold, Philipp (2020): Datenschutz bei Videokonferenzen. Worauf Sie achten sollten [German]. Online unter https://www.mein-datenschutzbeauftragter.de/blog/datenschutz-videokonferenzen/ [08.05.2020].
[2] Siebert, Sören (2020): Videokonferenzen und Datenschutz. Der große Vergleichstest zu Zoom und Co [German]. Online unter https://www.e-recht24.de/artikel/datenschutz/12122-videokonferenzen-und-datenschutz-vergleichstest-zoom.html [08.12.2020].
[3] Berliner Beauftragte für Datenschutz und Informationsfreiheit (2021): Hinweise für Berliner Verantwortliche zu Anbietern von Videokonferenzdiensten [German]. Online unter https://www.datenschutz-berlin.de/fileadmin/userupload/pdf/orientierungshilfen/2021-BlnBDI-Hinweise_Berliner_Verantwortliche_zu_Anbietern_Videokonferenz-Dienste.pdf [18.02.2021].
[4] Weiß, Eva-Maria (2021): Viel Rot. Berliner Datenschutzbeauftragte aktualisiert Videokonferenz-Liste [German]. Online unter https://www.heise.de/news/Viel-Rot-Berliner-Datenschutzbeauftragte-aktualisiert-Videokonferenz-Liste-5060322.html [19.02.2021].
[5] Wilhelm, Katharina (2020): Zweifel an Zoom [German]. Online unter https://www.tagesschau.de/ausland/zoom-101.html [05.04.2021].
Share this Post:
Pascal founded ViOffice together with Jan in the fall of 2020. He mainly takes care of marketing, finance and sales. After his degrees in political science, economics and applied statistics, he continues to work in scientific research. With ViOffice, he wants to provide access to secure software from Europe for everyone and especially support non-profit associations in their digitalization.