
Using Google Meet, Zoom, Webex, Or Other Video Conferencing? Here’s How They’re Using Your Data

Event planners along with businesses whose employees are now working from home are finding themselves in need of a videoconferencing platform. As the founder of the Suits & Spooks security conference, I’m definitely included in that group. My first question in evaluating which platform to move Suits & Spooks to was how private the data shared on the platform would be. If you’ve ever tried to read a Terms of Service or Privacy Policy, you know how difficult this process was for me to do.

I eventually discovered that all of the platforms that I looked at, except one, would use the data shared during an event in ways that I wasn’t comfortable with, and that I knew my speakers wouldn’t be comfortable with. Frankly, even after reading every platform’s ToS and Privacy Policy, I still wasn’t clear about what exactly was being collected and how it was being used in the marketing data supply chain run by Google’s Authorized Buyers Real Time Bidding Protocol (RTB), the Interactive Advertising Bureau’s OpenRTB and AdCom 1.0, and IAB Europe’s Transparency and Consent Framework (TCF).

Here’s What Happens

When you visit a website that serves ads, there will be a delay as the page loads. During that delay, usually just a matter of a few seconds, the website you are visiting identifies you using cookies, fingerprinting, and other tracking technologies and creates a bid request, which is transmitted to the RTB where interested advertisers bid for the opportunity to display what they want you to buy.

The more detailed the bid request (meaning how rich the data about the website viewer is), the more attractive the bid is because rich data facilitates more accurate targeting.

The scale and complexity of RTB auctions is mind-boggling. According to Google, millions of bid requests leveraging multiple data sources that enrich individual profiles are processed every second. Billions per day.

NOTE: Bid requests contain personal data that is regulated under GDPR. There is no equivalent regulation in the U.S. except for the State of California’s CCPA at the time of this writing.
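To make the note above concrete, here is an added example (not from the original post or from any ad exchange) that audits a constructed bid request shaped like OpenRTB 2.5 for populated personal-data fields and for content categories that hint at health, politics or religion, then produces a minimised copy. The list of fields and the category mapping are assumptions chosen for illustration.

```python
import copy
import json

# Constructed sample shaped like an OpenRTB 2.5 bid request; every value is made up.
SAMPLE = json.loads("""{
  "id": "req-0001",
  "imp": [{"id": "1", "banner": {"w": 300, "h": 250}}],
  "site": {"domain": "forum.example", "page": "https://forum.example/t/42", "cat": ["IAB7"]},
  "device": {"ua": "Mozilla/5.0 (constructed)", "ip": "203.0.113.7",
             "ifa": "00000000-0000-4000-8000-000000000001",
             "geo": {"lat": 51.5, "lon": -0.12}},
  "user": {"id": "u-7f3a", "buyeruid": "b-91c2", "yob": 1980, "gender": "F"}
}""")

# OpenRTB 2.x attributes that identify, locate or describe the person behind the request.
PERSONAL_PATHS = ("device.ip", "device.ifa", "device.ua", "device.geo.lat", "device.geo.lon",
                  "user.id", "user.buyeruid", "user.yob", "user.gender", "site.page")

# IAB content-taxonomy top-level codes treated here as special-category hints (assumed mapping).
SPECIAL_HINTS = {"IAB7": "health", "IAB11": "politics", "IAB23": "religion"}

def lookup(obj, dotted):
    """Follow a dotted path through nested dicts; return None if any step is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def audit(req):
    """Report which personal-data fields are populated and which sensitive topics are implied."""
    personal = [p for p in PERSONAL_PATHS if lookup(req, p) is not None]
    cats = req.get("site", {}).get("cat", []) + req.get("app", {}).get("cat", [])
    special = sorted({SPECIAL_HINTS[c.split("-")[0]] for c in cats if c.split("-")[0] in SPECIAL_HINTS})
    return {"personal": personal, "special": special}

def minimise(req):
    """Return a copy with every flagged field and the content categories removed."""
    out = copy.deepcopy(req)
    for path in PERSONAL_PATHS:
        *parents, leaf = path.split(".")
        holder = lookup(out, ".".join(parents))
        if isinstance(holder, dict):
            holder.pop(leaf, None)
    for section in ("site", "app"):
        out.get(section, {}).pop("cat", None)
    return out

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(json.dumps(minimise(SAMPLE), indent=2))
```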

The Video Conferencing Services

Cisco WEBEX:

“We may share Registration Information, Host Information, and/or Usage Information with service providers, contractors or other third parties to assist in providing and improving the service.”

Specifics on what is included for your registration and usage information can be found in the Webex Privacy document at Cisco’s Trust Center. Note that Cisco will not reveal who the Third Party Providers are that they share your data with, but I can assure you that Google and Facebook are on that list along with dozens of other companies who participate in Real Time Bidding.

Zoom

“Whether you have a Zoom account or not, we may collect personal data from or about you when you use or otherwise interact with our products (including):

  • Information commonly used to identify you, such as your name, user name, physical address, email address, phone numbers, and other similar identifiers
  • Information about your job, such as your title and employer
  • Credit/debit card or other payment information
  • Facebook profile information (when you use Facebook to log-in to our Products or to create an account for our Products)
  • General information about your product and service preferences
  • Information about your device, network, and internet connection, such as your IP address(es), MAC address, other device ID (UDID), device type, operating system type and version, and client version
  • Information about your usage of or other interaction with our Products (“Usage Information”)
  • Other information you upload, provide, or create while using the service (“Customer Content”), as further detailed in the “Customer Content” section below

“Customer Content includes the content contained in cloud recordings and instant messages, files, and white boards, and shared while using the service.”

Google Ads is one of many Zoom partners, and passively collects the following information: “cookies and tracking technologies (further described below). Information automatically collected includes Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referrer URL, exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data.”

Additional information can be found at Zoom’s Privacy Policy page.

Google Hangouts Meet

Google’s Terms of Service: “Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.”

Basically, Google collects everything you do, everywhere you go, everything you say, for a singular purpose – to know what you’re going to buy next and put the most relevant ad in front of you when you’re ready to buy it. If you use Google Hangouts Meet, Google Voice, Gmail, or any Google service, your data feeds the company’s AI that powers Google’s RTB.

GDPR Privacy Concerns

The ICO is the U.K.’s data protection regulator. In 2019 it published a report on Ad Tech and Real Time Bidding that detailed the GDPR compliance issues raised by the passive collection of user data such as that described above. The following is an excerpt from that report, and only a partial listing of what concerned the ICO most.

Special Category Data

“A proportion of bid requests involve the processing (either directly or by inference) of special category data, either at the point of collection or subsequently. Special category data is more sensitive than ‘ordinary’ or non-special category personal data, and needs more protection, as our guidance makes clear. It also constitutes the area of greatest potential harm to individuals.”

“The schema used within both OpenRTB and the TCF, and Authorized Buyers, include fields relating to politics, religion, ethnic groups, mental health and physical health, among others.”

Lack of Transparency

“Organisations must understand, document and be able to demonstrate:

  • how their processing operations work;
  • what they do;
  • who they share any data with; and
  • how they can enable individuals to exercise their rights. 

“RTB also involves the creation and sharing of user profiles within an ecosystem comprising thousands of organisations. These profiles can also be ‘enriched’ by information gathered by other sources, eg concerning individuals’ use of multiple devices and online services, as well as other ‘data matching’ services. The creation of these very detailed profiles, which are repeatedly augmented with information about actions that individuals take on the web, is disproportionate, intrusive and unfair in the context of the processing of personal data for the purposes of delivering targeted advertising. In particular when in many cases individuals are unaware that the processing takes place and the privacy information provided does not clearly inform them what is happening.”

The Data Supply Chain

“A single RTB request can result in personal data being processed by hundreds of organisations. The implications and risks for transparency and fair processing are summarised above. In this section, we summarise security and data sharing issues caused by this data supply chain.

“As described in the previous section, the IAB Europe global vendor list comprises over 450 organisations, each with their own privacy policy. Some of these will be in non-EU jurisdictions, meaning that international transfers of personal data are taking place. As bid requests are often not sent to single entities or defined groups of entities, the potential is for these requests to be processed by any organisation using the available protocols, whether or not they are on any vendor list and whether or not they are processing personal data in accordance with the requirements of data protection law.

“The nature of the processing is what leads to the risk of ‘data leakage’, which is where data is either unintentionally shared or used in unintended ways. Multiple parties receive information about a user, but only one will ‘win’ the auction to serve that user an advert. There are no guarantees or technical controls about the processing of personal data by other parties, eg retention, security etc. In essence, once data is out of the hands of one party, essentially that party has no way to guarantee that the data will remain subject to appropriate protection and controls.”

Summary

Every video conferencing service uses targeted advertising via RTB and OpenRTB. You have certain opt-out options if you take the time to find them, but we all know that most people don’t bother. As the organizer of a security conference where sensitive data is often shared, I couldn’t host a Suits & Spooks event on any of the above platforms.

My solution turned out to be Wickr Pro. They offer end-to-end encryption, so everyone who participates can be assured that no information is stored on Wickr’s servers or can be scanned for passive collection, and they do not share data with any third parties. Here’s a brief look at their Privacy Policy.

Wickr Pro

  • Neither Wickr nor the organization with which you are affiliated have access to secure rooms and messages you transmit by using the Service. Your messages are protected with multiple layers of encryption before they are transmitted to our servers, which is intended to make the messages only accessible to the intended recipient(s). If additional users are added to a secure room by you or by another user, then those users will be able to see the messages shared within that room as well. Please note that users can only see the messages transmitted within a secure room from the moment they joined the conversation.
  • Information about you such as your email address and business affiliation will be provided to us by the organization that you are affiliated with for the purposes of creating your account. This information may also be available to other users of the service. For information about how the entity or organization that you are affiliated with uses this information, please consult directly with that entity or organization.
  • You control how long your messages are viewable and how long secure rooms are active before they expire or are manually deleted. The upper limit of messages’ lifespans may vary depending on the Wickr service provided to you by the organization with which you are affiliated.
  • We do not share or sell customer data to any third party for any purposes.

I’m pleased to announce that Suits & Spooks’ first online event, called SAFE HOUSE, will be hosted on Wickr Pro and take place on May 7th. It’s going to be an exciting experiment with speakers and attendees from all over the world. More information can be found at SuitsandSpooks.com.
