Remote working: A risky business?

COVID-19 has forced a new way of working onto many of us, but in the rush to adapt, the additional cybersecurity risks should not be ignored.

When the current lockdown began on 23 March, the state instructed people to work from home wherever possible. Many workplaces closed their doors in response, leaving us hastily finding new ways of working, meeting and keeping in touch from our homes. Usage of videoconferencing, online collaboration tools and chat systems surged as a result. However, the increased use of these tools has brought with it cybersecurity risks.

Warnings of these risks were amplified when UK Prime Minister Boris Johnson tweeted a photo of himself participating in a virtual cabinet meeting via the videoconferencing app ‘Zoom’. The Prime Minister sought to demonstrate how he and his cabinet were complying with COVID-19 social distancing rules. However, the image was subsequently flagged as a security concern, as the Prime Minister’s meeting ID number is visible in it. Unless password protection was enabled, anybody who knew that ID number could have joined the Prime Minister’s Zoom meeting. Indeed, the Internet is awash with reports of Zoom meetings that have been ‘zoombombed’ by uninvited guests who connect to a meeting after obtaining or guessing its meeting ID number and then display pornographic, racist or other offensive materials to the legitimate participants.

This issue comes alongside other security concerns with Zoom’s videoconferencing services. Undisclosed data-sharing functions in its services have recently been reported, such as those that allegedly provided Facebook with information about meeting participants’ devices and sent participants’ names and email addresses to a system that matched them with their LinkedIn profiles. Moreover, a Zoom spokesperson recently admitted it was not possible to enable full end-to-end encryption for Zoom video meetings, contrary to the company’s previous claims. It appears that aspects of some ‘private’ meetings could be intercepted and accessed by Zoom, as well as (potentially) by any hackers who gained access to Zoom’s servers. Because Zoom is a US service provider, communications passing across its networks may also be susceptible to monitoring by US government agencies.

Given mounting concerns, it is unsurprising that UK Ministry of Defence employees were instructed in late March that their use of Zoom was suspended while its security implications were investigated. It should be noted that these issues are not necessarily unique to Zoom; for example, some other popular videoconferencing applications do not make full use of end-to-end encryption either. However, the surge in the volume and sensitivity of data passing through Zoom’s network because of the lockdown has led to intense scrutiny of the company, and Zoom Video Communications now faces a number of privacy-related lawsuits for its purported failures.

Zoombombing may be dismissed by some as simply a nuisance or antisocial behaviour. However, the fact that participant data has allegedly been shared by Zoom without informed consent, and that our video calls and virtual meetings could potentially be eavesdropped on through encryption shortcomings, should ring alarm bells. Zoom and related technologies are used to host commercially sensitive company meetings, conduct virtual medical consultations with patients, hold private discussions with family and friends, and even run countries (as Mr Johnson has shown). Highly sensitive business and personal data flow across these networks every second of the day and are at serious risk if misused by those we entrust the data to or if their technologies fail.

Who is responsible for any cybersecurity problems and what remedies may be available in the event of a breach, however, is a complicated issue.

In respect of Zoom, the company is based in the US. Jurisdictional issues would therefore arise for any UK parties contemplating action against them. Furthermore, Zoom’s terms and conditions state that the company makes no warranties in respect of the fitness of its product for any purpose, and that users are responsible for any damage resulting to them from their use of Zoom’s services. Zoom’s liability waivers will add complexity to any action brought against Zoom in the event that a party’s data is unlawfully exposed.

In a European legal context, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR 2003) (as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) (SI 2011/1208) afford users some rights and protection in the event of a data breach. They apply to providers of electronic communications services. The definition of such providers is given in Regulation 5(1) PECR 2003 as one that provides ‘a public electronic communications service’, and in the Communications Act 2003 as one providing ‘a service consisting of, or having as its principal feature, the conveyance by means of an electronic communications network of signals, except in so far as it is a content service’. In other words, services that convey speech, sound, visual images and the like, but not content services such as an online newspaper or broadcaster.

Companies that provide a number of the digital services that many of us now rely on as home workers appear to fit within the definition of providers of electronic communications services under both PECR and the Communications Act, and in C-142/18 Skype Communications Sarl v IBPT the ECJ held that SkypeOut, an internet calling service, was an electronic communications service. Further amendments to the regulations planned for this year will expressly specify the inclusion of such ‘over-the-top’ services and will apply to all electronic communications service providers in the EU as well as non-EU providers providing such services to EU residents. These changes will broaden the protections afforded to users and overcome some of the concerns set out in respect of Zoom.

In the UK, where a personal data breach occurs in respect of an electronic communications service provider, the provider is obligated to notify the Information Commissioner’s Office (ICO) of the breach within 24 hours of detection, and the time limit must be strictly observed. The regulator has the power to fine service providers that fail to properly comply. In TalkTalk Telecom Group Plc v Information Commissioner [2016] UKFTT 110 (GRC), it was held that it would be wrong to read into the regulations a requirement that there should always be a period of investigation before notification.

If the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the service provider must also notify the individuals concerned of the breach without undue delay.

Regulation 3 of the amended 2011 Privacy and Electronic Communications Regulations provides a broad definition of a personal data breach, defining it as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service’.

On this basis, a personal data breach may occur when a party unlawfully accesses a video meeting, whether by means of zoombombing or other forms of hacking. This could give rise to the notification obligations above. Under the related provisions of the General Data Protection Regulation (GDPR), a victim may also be able to claim compensation from a service provider if he or she suffers damage as a result of that provider breaking data protection laws.

However, there are some caveats.

Firstly, providers are not obliged to notify individuals affected by a security breach if the Information Commissioner confirms he is satisfied that the information was properly encrypted when the breach occurred (regulation 5A(6), revised PECR 2003). However, there is no strict definition of proper encryption.

Zoom’s service, for example, is not without encryption. Rather, its service does not always include end-to-end encryption, despite previous claims. Video and audio from your meeting are typically encrypted on their journey from your computer to Zoom’s servers. These data are also typically encrypted on their way from Zoom’s servers back out to the other participants in your meeting. The problem is that in certain meetings Zoom’s servers hold the keys, so the data are decrypted while they are being handled by and processed on those servers: the protection is transport encryption between each participant and Zoom, not end-to-end encryption between the participants themselves. Some data (for example, that travelling to or from a telephone participant) may not be encrypted at all. Zoom would undoubtedly say that it has other measures in place to ensure the security of unencrypted data when on its servers. Whether or not the Information Commissioner would agree is uncertain, muddying the question of whether a victim of a data breach would have any right to notification or a remedy.
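The distinction drawn above, between transport encryption that the provider’s server can undo and end-to-end encryption that it cannot, is easy to see in a small model. The following Python script is an added example written for this article; it is not Zoom’s code or protocol. A relay server shares a ‘hop key’ with each participant (standing in for the client-to-server encryption); in the end-to-end run the participants additionally share a meeting key the server never receives. The cipher is a deliberately simple HMAC-SHA256 keystream with an HMAC tag so that the script needs only the standard library; the key sizes, participant names and message are illustrative assumptions.

```python
"""Transport-only versus end-to-end encryption in a relayed meeting (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

NONCE_LEN, TAG_LEN = 16, 32  # assumed sizes for the toy cipher


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC(key, nonce || counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the frame was altered."""
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class RelayServer:
    """The provider's meeting server. It shares one hop key with each participant
    (the client-to-server transport layer) and records whatever it can read once
    that layer is removed. It is never given a meeting key."""

    def __init__(self, participants):
        self.hop_keys: Dict[str, bytes] = {p: os.urandom(32) for p in participants}
        self.observed = []  # payloads visible to the server after hop decryption

    def relay(self, sender: str, frame: bytes) -> Dict[str, bytes]:
        inner = decrypt(self.hop_keys[sender], frame)
        if inner is None:
            raise ValueError("hop authentication failed; frame dropped")
        self.observed.append(inner)
        # Re-encrypt the inner payload for every other participant's hop.
        return {p: encrypt(k, inner) for p, k in self.hop_keys.items() if p != sender}


def run_meeting(message: bytes, end_to_end: bool) -> dict:
    """Alice sends one media frame to Bob and Carol through the server.

    Transport-only: the payload under the hop layer is the plaintext, so the
    server reads it. End-to-end: the payload is itself encrypted under a meeting
    key shared only by the participants, so the server relays opaque bytes.
    """
    server = RelayServer(["alice", "bob", "carol"])
    meeting_key = os.urandom(32) if end_to_end else None  # held by participants only

    payload = encrypt(meeting_key, message) if end_to_end else message
    frames = server.relay("alice", encrypt(server.hop_keys["alice"], payload))

    received = {}
    for p, frame in frames.items():
        inner = decrypt(server.hop_keys[p], frame)
        received[p] = decrypt(meeting_key, inner) if end_to_end else inner

    return {
        "received": received,
        "server_saw_plaintext": message in server.observed,
    }


if __name__ == "__main__":
    for e2e in (False, True):
        result = run_meeting(b"Q3 figures: revenue down 12%", end_to_end=e2e)
        print("end-to-end" if e2e else "transport-only", result)
```

In both runs every participant receives the message and every hop is encrypted; the only difference is whether the server’s `observed` list contains the plaintext. That is also why features that need the server to produce audio, such as a dial-in telephone participant, cannot sit inside an end-to-end meeting: the server would have to hold the meeting key, which is precisely what end-to-end encryption rules out.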

The second caveat is that a data breach may not be the fault of the videoconferencing provider at all. It is possible, for example, for someone to join certain Zoom meetings with just the meeting ID number. The end-users of a product often play a significant part in data breaches, by exposing their credentials or by failing to maintain adequate and up-to-date antivirus and malware protection on their devices, thereby allowing them to become compromised. If a participant publicly shares the ID number for their Zoom meeting, as the Prime Minister did, and unwanted guests join their video conference as a result, the user will have an uphill battle demonstrating to the courts that the service provider enabled this cyberbreach.

However, as employees, patients and the like are unlikely to have played a part in choosing the videoconferencing technologies their employers and medical consultants use, they may be able to take action against their employer or consultant under the GDPR in the event of a data breach that was not of their own making.

Stepping through the relevant parts of the GDPR in the context of an employment example:

  • A video conference by its very nature contains ‘personal data’ as per Article 4(1) of the GDPR. That is, information relating to an identified or identifiable natural person. In addition to video and audio data, it is apparent from the lawsuits being brought against Zoom that less-obvious personal data may also be involved, such as participants’ names, email addresses or location information.
  • When employees participate in a video conference, their personal data can be subjected to ‘processing’ (Article 4(2)). For example, when it is recorded, retrieved, used, transmitted or otherwise made available in the manner set out in the GDPR.
  • An employer that determines the purposes and means of processing of employees’ personal data, for example by mandating the use of Zoom for virtual meetings, is the ‘controller’ under Article 4(7).
  • The controller is responsible for ensuring, inter alia, the integrity and confidentiality of their employees’ personal data. (See, for example, Article 5(1)(f).)

An employee that suffers material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation under Article 82(1). Consequently, an employee whose personal data is exposed when a third party breaks into or unlawfully accesses a work video conference may be able to claim against their employer for its failure to ensure the integrity and confidentiality of their personal data.

Article 82(3) may provide the employer some protection, in that a controller shall be exempt from liability if it proves it is not in any way responsible for the event giving rise to the damage. However, the need for the employer to prove it is not in any way responsible is a high bar to clear. Certainly, it would be highly relevant to an employer’s defence if the breach occurred on (say) Zoom’s servers. That said, whether any hardware (that is, the computers or other devices employees use) that an employer provides to its employees is of sufficient technical specification to operate securely may also be relevant. Older devices may not support the latest encryption standards, for example, and can thereby be vulnerable. Whether antivirus and malware software was provided by the employer to minimise hacking and snooping by third parties may also be subject to scrutiny, as could staff training on how to stay safe when working online from home.

In the first instance, the cybersecurity risks that arise from the use of videoconferencing, online collaboration tools and chat systems for home-working need to be tackled by users and in particular employers. Zoom and its counterparts have roles to play, but we can all take steps to increase privacy and security when working from home. For example, by requiring a password for our meetings, so that knowing the meeting ID alone is not enough to join; by password-locking our computers when we’re away from them; by enabling software that allows devices to be remotely wiped or disabled if they’re lost or stolen; and by ensuring that we do not tweet photographs of ourselves using videoconferencing software where our meeting IDs or any other part of our security credentials are visible.

A UK government spokesperson stated earlier this month that National Cyber Security Centre guidance showed no security reason for Zoom not to be used for government communications with staff and for cabinet meetings, and UK officials added that the risks of not communicating in the middle of fast-moving events far outweigh the possible security risks of using such a system. However, given the present uncertainties, we should all ask ourselves whether a particular communication tool or channel is appropriate for sharing information of an especially confidential kind, and before we share it we should consider what steps we have taken to minimise the risks of our personal data being exposed.

First published by New Law Journal, 17 April 2020.

Paul Schwartfeger on 24 April 2020