COVID-19 has forced a new way of working onto many of us, but in the rush to adapt the additional cybersecurity risks should not be ignored, says Paul Schwartfeger
- Given the present uncertainties, we should be asking ourselves whether a particular communication tool or channel is appropriate for sharing information of an especially confidential kind.
- Before we share it we should also consider what steps we have taken to minimise the risks of a cyberbreach.
When the current lockdown began on 23 March, people were instructed by the state to work from home wherever possible. Many workplaces closed their doors in response, leaving us to hastily find new ways of working, meeting and keeping in touch from our homes. Usage of videoconferencing, online collaboration tools and chat systems surged as a result. However, the increased use of these tools has brought with it cybersecurity risks.
Warnings of these risks were further amplified last week, following UK Prime Minister Boris Johnson’s tweet of himself participating in a virtual cabinet meeting via the videoconferencing app ‘Zoom’. The image he shared was intended to demonstrate how the Prime Minister and his cabinet are complying with COVID-19 social distancing rules. However, the image is now being touted as a security concern, as the Prime Minister’s meeting ID number is clearly visible in the shot. Unless password protections are enabled, this ID number is all that is needed for anybody to join the Prime Minister’s Zoom meeting. Indeed, the Internet is awash with reports of Zoom meetings that have been ‘zoombombed’ by uninvited guests who connect to a meeting after obtaining or guessing its meeting ID number and then display pornographic, racist or other offensive materials to the meeting’s legitimate participants.
This issue comes alongside other security concerns with Zoom’s videoconferencing services. Ministry of Defence employees were recently instructed that use of Zoom was being suspended while its security implications were investigated, and a Zoom spokesperson has admitted in recent days that it is currently not possible to enable end-to-end encryption for Zoom video meetings. It appears that purportedly ‘private’ meetings can be intercepted and accessed by Zoom—as well as (potentially) any hackers that gain access to Zoom’s servers. As a US service provider, communications passing across Zoom’s networks may also be susceptible to routine monitoring by US government agencies. It should be noted that these issues are not necessarily unique to Zoom; some other popular videoconferencing applications do not make full use of end-to-end encryption as a matter of course either.
While zoombombing may be dismissed by some as simply insidious or antisocial behaviour, the possibility that our video calls and virtual meetings could be eavesdropped on should ring alarm bells. Zoom and related technologies are used to host commercially sensitive company meetings, conduct virtual medical consultations with patients, hold private discussions with family and friends, and even to run countries (as Mr Johnson has shown). Highly sensitive business and personal data flows across these networks every second of the day and is at serious risk if these technologies fail.
Problems & remedies
Who is responsible for any cybersecurity problems and what remedies may be available in the event of a breach, however, is a complicated issue.
In respect of Zoom, the company is based in California in the US. Jurisdictional issues would therefore arise for any UK parties who contemplated action against them in the event of any security breach. Furthermore, Zoom’s terms and conditions state that the company makes no warranties in respect of the fitness of its product for any purpose, and that users are responsible for any damage resulting to them from their use of Zoom’s services. Zoom also rejects any liability for damages in contract or tort, et cetera. This liability waiver may add complexity to any action brought against Zoom in the event a party suffers a data breach.
In a European legal context, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR 2003)—as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)—affords users some rights and protection. This applies to providers of electronic communications services. The definition of a provider of such services is given in Regulation 5(1) PECR 2003 as one that provides “a public electronic communications service”, and in the Communications Act 2003 as one providing “a service consisting of, or having as its principal feature, the conveyance by means of an electronic communications network of signals, except in so far as it is a content service”. In other words, it applies to those that transmit speech, sound and visual images, et cetera, although not where the service is a content service, such as an online newspaper or broadcaster.
Companies that provide videoconferencing services appear to fit neatly within the definition of providers of electronic communications services under both PECR and the Communications Act, and in C-142/18 Skype Communications Sarl v IBPT the ECJ held that SkypeOut, an internet calling service, was an electronic communications service. Further amendments to these regulations planned for this year will expressly specify their inclusion as “over-the-top” services.
In the UK, where a personal data breach occurs in respect of an electronic communications service provider, the provider is obligated to notify the Information Commissioner’s Office (ICO) of the breach within 24 hours of its detection, and the time limit must be strictly observed. The regulator has the power to fine service providers where they fail to properly comply. In TalkTalk Telecom Group Plc v Information Commissioner UKFTT 110 (GRC), it was held that it would be wrong to read into the regulations a requirement that there should always be a period of investigation before notification.
If the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the service provider must also notify the individuals concerned of the breach without undue delay.
Regulation 3 of the amended 2011 Privacy and Electronic Communications Regulations provides a broad definition of a personal data breach, defining it as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.
On the basis of this definition, a personal data breach may occur when a party unlawfully accesses a Zoom (or other provider’s) video meeting, whether by means of zoombombing or another form of computer hacking. This could give rise to the notification obligations, as set out above. Under the related provisions of the General Data Protection Regulation 2018 (GDPR), a victim may also be able to claim compensation from a service provider if he or she has suffered damage as a result of that provider breaking data protection laws.
However, there are some caveats.
Firstly, providers are not obliged to notify individuals affected by a security breach if the Information Commissioner confirms that he is satisfied that the information was properly encrypted when the breach occurred (regulation 5A(6), revised PECR 2003). However, there is no strict definition of what constitutes ‘proper encryption’.
Zoom’s service, for example, is not without encryption. Rather, its service does not presently include end-to-end encryption. Video and audio from your meeting are encrypted on their journey from your computer to Zoom’s servers. These data are also encrypted on their way from Zoom’s servers back out to the other participants in your meeting. The problem is that these data are not encrypted while they are being handled by and processed on Zoom’s servers. Zoom would undoubtedly say that it has other measures in place to ensure the security of the unencrypted data whilst these are on its servers. Whether or not the Information Commissioner would agree is uncertain, which muddies the issue of whether or not a victim of a data breach would have any right to notification or a remedy.
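The distinction drawn above, between traffic that is encrypted on each hop and traffic that is encrypted end-to-end, is easiest to see in a small model. The following Python script is an added illustration and is not Zoom’s code or a description of its internals: it models a meeting server that relays one media frame from participant A to participant B. In the hop-by-hop case the server holds both link keys, so the frame is in the clear while it is being handled; in the end-to-end case A and B share a key the server never receives, so the server can only forward ciphertext. The cipher is a deliberately simple SHA-256 counter-mode keystream, a stand-in for a real AEAD such as AES-GCM, chosen only so that the example runs with the standard library; the server class, key names and sample frame are all constructed for the illustration.

```python
"""Toy model: hop-by-hop (transport) encryption versus end-to-end encryption.

Added example, not Zoom's code. The cipher below is a stand-in for a real
AEAD (e.g. AES-GCM) and must not be used for actual traffic.
"""
import hashlib
import secrets

NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext; ciphertext is plaintext XOR keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(); with the wrong key this returns garbage, not an error."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class RelayServer:
    """Hypothetical meeting server. Records what it can read in the clear."""

    def __init__(self) -> None:
        self.observed_plaintext: list[bytes] = []   # visible to a server-side attacker
        self.observed_ciphertext: list[bytes] = []  # all the server sees under E2E

    def relay_hop_by_hop(self, blob: bytes, key_from_a: bytes, key_to_b: bytes) -> bytes:
        # Transport encryption only: the server terminates A's link, so the frame
        # exists in plaintext on the server before it is re-encrypted for B.
        frame = decrypt(key_from_a, blob)
        self.observed_plaintext.append(frame)
        return encrypt(key_to_b, frame)

    def relay_end_to_end(self, blob: bytes) -> bytes:
        # End-to-end: no key, so the server can only store and forward ciphertext.
        self.observed_ciphertext.append(blob)
        return blob


def run_hop_by_hop(frame: bytes) -> tuple[bytes, list[bytes]]:
    """A->server and server->B use separate link keys, both known to the server."""
    server = RelayServer()
    key_a_server = secrets.token_bytes(32)
    key_server_b = secrets.token_bytes(32)
    forwarded = server.relay_hop_by_hop(encrypt(key_a_server, frame), key_a_server, key_server_b)
    received = decrypt(key_server_b, forwarded)
    return received, server.observed_plaintext


def run_end_to_end(frame: bytes) -> tuple[bytes, list[bytes], bool]:
    """A and B share key_ab; the server never holds it.

    Returns (what B received, what the server saw in the clear, whether the
    server's best effort, decrypting with a key it does hold, recovered the frame).
    """
    server = RelayServer()
    key_ab = secrets.token_bytes(32)
    forwarded = server.relay_end_to_end(encrypt(key_ab, frame))
    received = decrypt(key_ab, forwarded)
    # Model a compromised server trying its own link key on the E2E ciphertext.
    some_server_key = secrets.token_bytes(32)
    server_guess = decrypt(some_server_key, server.observed_ciphertext[0])
    return received, server.observed_plaintext, server_guess == frame


if __name__ == "__main__":
    sample = b"constructed sample: audio frame 0001"   # constructed, not real media
    got, leaked = run_hop_by_hop(sample)
    print("hop-by-hop: B received ok =", got == sample, "| server saw plaintext =", leaked == [sample])
    got, leaked, recovered = run_end_to_end(sample)
    print("end-to-end: B received ok =", got == sample, "| server saw plaintext =", bool(leaked),
          "| server recovered frame =", recovered)
```

The point the model makes is the one the paragraph above makes: in both designs the frame is encrypted on the wire, and in both B receives it intact, but only in the end-to-end design does the relaying server never hold the plaintext. Whether the controls a provider applies around that server-side plaintext amount to “proper encryption” is the open question the article raises.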
The second caveat is that a data breach may not be the fault of the videoconferencing provider at all. It is possible, for example, for someone to join certain Zoom meetings with just the meeting ID number. The end-users of a product often play a significant part in data breaches, by exposing their credentials or by failing to maintain adequate and up-to-date antivirus and malware protection on their devices, thereby allowing them to become compromised. If a meeting member publicly shares the meeting ID number for their Zoom meeting, as the Prime Minister did, and unwanted guests join their videoconference as a result, the user will have an uphill battle demonstrating to the courts that the service provider enabled this cyberbreach.
However, as employees, patients and the like are unlikely to have played a part in choosing the videoconferencing technologies their employers and medical consultants (et cetera) use, they may be able to take action against their employer or consultant under the GDPR in the event of a data breach that wasn’t of their own making.
Stepping through the relevant parts of the GDPR in the context of an employment example:
- A video conference by its very nature contains “personal data” as per Article 4(1) of the GDPR. That is, information relating to an identified or identifiable natural person.
- When employees participate in a videoconference, their personal data can be subjected to “processing” (Article 4(2)).
- An employer that determines the purposes and means of processing of employees’ personal data, for example by mandating the use of Zoom for virtual meetings, is the ‘controller’ under Article 4(7).
- The controller is responsible for ensuring, inter alia, the integrity and confidentiality of their employees’ personal data.
An employee that suffers material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation under Article 82(1). Consequently, an employee whose personal data is exposed by means of a third-party breaking into or unlawfully monitoring a work videoconference may be able to claim against their employer for its failure to ensure the integrity and confidentiality of their data.
Article 82(3) may provide the employer some protection, in that a controller shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. However, the need for the employer to prove that it is not in any way responsible is a high bar to clear. Certainly, it would be highly relevant and very important to an employer’s defence if the breach occurred on (say) Zoom’s servers. That said, whether any hardware (that is, the computers or other devices employees use) that an employer provides to its employees is of sufficient technical specification to operate securely may also be relevant. Older devices may not support the latest encryption standards, for example, and can thereby be vulnerable. Whether or not antivirus and malware software was provided by the employer to minimise hacking and snooping by third parties may also be subject to scrutiny, as may be staff training and related procedures that warn employees how to stay safe when working online or from home.
In the first instance, the cybersecurity risks that arise from the use of videoconferencing, online collaboration tools and chat systems for home-working need to be tackled by users and in particular employers. Zoom and its counterparts have roles to play, but we can all take steps to increase privacy and security when working from home. For example, by password-locking our computers when we’re away from them; enabling software that allows devices to be remotely wiped or disabled in the event they’re lost or stolen; and by ensuring that we do not tweet photographs of ourselves using videoconferencing software where our meeting IDs or any other part of our security credentials are visible.
A UK government spokesperson stated earlier that National Cyber Security Centre guidance shows there is no security reason for Zoom not to be used for government communications with staff and for cabinet meetings, and UK officials have also added that the risks of not communicating in the middle of fast-moving events far outweigh the possible security risks of using such a system. However, given the present uncertainties, we should all be asking ourselves whether a particular communication tool or channel is appropriate for sharing information of an especially confidential kind, and before we share it we should also consider what steps we have taken to minimise the risks of a cyberbreach.
Paul Schwartfeger is a Barrister with