Privacy in Online Meetings

Last November, a Dutch journalist accessed a videoconference meeting of EU defence ministers after an error on the part of the Dutch defence minister's team, who posted the access code to the meeting on social media.

Neglecting the organisation of virtual meetings and preparing them without taking into account privacy risks can facilitate disloyal behaviour by interlocutors, former co-workers, disgruntled employees, or even cybercriminals spying on or sabotaging them. By simply adopting some basic precautions, it is possible to ensure that online meetings are an effective and secure workspace, while avoiding incidents that may constitute a personal data breach or otherwise compromise privacy.

Below are some basic guidelines for holding online meetings with privacy and security:

• Comply with your organisation's established policies regarding online meetings. This includes using only the technology provider approved by the organisation.
• In meetings with a large number of attendees from multiple organisations, it is advisable to designate at least one participant to assist the organiser during the meeting with attendee control and privacy and security issues.
• Think in advance about the sensitivity of the issues to be addressed, the identity of the attendees and the possible dissemination if the meeting is recorded.
• Limit the reuse of access codes/links. If you have been using the same code/link for some time, you have probably shared it with more people than you can imagine or remember.
• If the subject matter of the meeting is sensitive, either because of the issue to be addressed, the identity of the attendees or otherwise, you should use single-use codes, links and/or access pins. You should also consider the need to use two-factor authentication. This will prevent anyone from being able to join by simply figuring out the access link URL or code.
• Disable unnecessary features such as chat, file sharing or screen sharing.
• Where appropriate, limit who can share the screen to avoid any unwanted or unexpected images. Before someone shares his or her screen, remind him or her of the risk of sharing sensitive information.
• Send the call only to specific contacts, avoiding sending calls to groups or mailing lists with links that are valid only by virtue of their possession.
• Use a "waiting room" to admit attendees and do not allow the meeting to start until the host joins.
• Enable the notification feature for when attendees join the meeting. This could be by using a distinctive tone or announcing their name. If your provider does not allow this, make sure that the host asks new attendees to identify themselves.
• If available, use a panel to check attendees and identify those who are generic.
• Do not record the meeting unless necessary. In that case, properly inform the attendees of the purpose of the recording and at what point it starts/stops. Some providers automatically make these announcements.
• Before starting the meeting, check what is visible behind you and what personal information you are revealing. Consider using a virtual background to hide the space behind you.
• Warn any possible cohabitants that you will be starting a meeting and take the necessary measures to keep their activity out of reach of the microphone and camera.
• Beyond issues of communication efficiency, turn off the microphone and camera during the meeting when it is not necessary. In particular, if you are going to do something out of the focus of the camera. Pay particular attention to wireless microphones.
• Be aware that video and audio capture could continue, due to some human or system error, when you think the meeting is over.
• When the meeting is finished, make sure to use a device that physically disables the camera (tab, sticker or similar). Do not remove it until the connection is to be started.

This list is not exhaustive, but rather provides basic tips to be considered and applied where appropriate. As a general conclusion, it is important to remember to be aware of and comply with your organisation's policies, take into account the logistics of the meeting and adopt the appropriate measures for each situation.

In those cases where highly sensitive data or information will be discussed, it is advisable to consult with an IT and security professional in your organisation and, if necessary, take additional precautions:

• Use only virtual meeting services approved by your organisation for these situations, with end-to-end encryption and different pins or passwords for each attendee. Give instructions so they are not shared.
• Use attendee dashboards to monitor who is in the meeting at all times.
• Block access to the meeting once all attendees are identified.
• Allow only hosts to share their screen.
• If recordings are made, they should be encrypted with a strong algorithm and strong passwords. Delete any recordings that may have been stored at the provider.
• Explicitly ask attendees to only use devices provided and/or approved by the organisation.

This post was written based on the article "Preventing Eavesdropping and Protecting Privacy on Virtual Meetings" published by NIST.

You may find further information on the Innovation and Technology website of this Agency, as well as on our blog:

• Recommendations to protect personal data in situations of mobility and telecommuting
• Security breaches: e-mail and online productivity platforms
• Data protection and security
• Security breaches: Top 5 technical measures