As of mid-April 2020, 95% of the American population are under orders to stay home. This new reality has triggered a spike in people accessing videoconferencing services. Zoom has received a significant amount of attention, but other major companies with competing services —Cisco, Google, and Microsoft— require similar scrutiny.

Consumers are caught in a difficult place. For millions of people, a videoconferencing service is the lifeline they need to stay employed, to access medical care, to keep in touch with family and friends. For many students — from pre-K through graduate school — videoconferencing, though not the only method of teaching interaction (e.g. one way video instruction or sending activities via email), is a central part of their education and connecting with classmates and teachers. If a person does not want to use a videoconferencing service out of privacy and security concerns, they may not be able to access classes, show up for a job, gain access to medical care or maintain contact with friends and family.

Consumers should be able to trust that companies will provide clear, simple language that shows how they respect and protect user privacy and security. There was an opportunity in the market for videoconferencing services to distinguish themselves as a leader in respecting user privacy as a core foundation of their business. Consumers deserve access to these services without sacrificing the privacy or security of their personal data and information. 

[Excerpts gathered from CR Medium Post: We read the privacy policies of Skype, Meet, and Webex: 10 ways videoconferencing systems can better protect privacy for customers]

Sent a letter to Company CEOs highlighting 10 recommendations and changes:

Based on the analysis, our policy team reached out to Google, Cisco and Microsoft, gave them an opportunity to make needed improvements and sent a letter to the company CEOs. The goal of this work was to ensure that these services make clear, strong commitments in the privacy policies to protect people who use and rely on these services. The letter included recommendations covering the following topics: 

1. Personal Data Leak.
2. First Party Data Collection.
3. Data Enhancement.
4. Third Party Access.
5. Implications of Employer or School Sponsorship of Service.
6. Data Deletion and Retention.
7. Differentiation Between Data Collected from Hosts Versus from Participants.
8. Information Used for Product Development.
9. Data that Can be Sold or Shared as Part of a Transaction.
10. Access to Data for Machine Learning, AI Analysis, or Human Review.

Consumer Reports Article:

It's Not Just Zoom. Google Meet, Microsoft Teams, and Webex Have Privacy Issues, Too. This article highlighted CR’s previous privacy work with Zoom which is now fixing a number of privacy and security problems. It also summarizes some of the key recommendations for users to stay more private in video chats including picking one platform, using outside privacy tools, assume you’re being recorded and just make a regular phone call.

Manufacturer engagement: 

In coordination with publishing the findings from the comparative analysis and sending a letter to the CEOs of Cisco, Google, and Microsoft, the Advocacy team also emailed contacts within each organization requesting a meeting to discuss the findings. We met with all three companies, with results summarized below.

• Cisco was the fastest to respond, and made some changes in short notice. These changes included adding clearer links to relevant policies from the sign up pages for WebEx, and providing a more accessible path to a document that provides greater detail about the data collection and use related to WebEx.
• Initial meetings with both Microsoft and Google allowed both companies to get a clearer understanding of the areas for improvement that were outlined in the comparative analysis, but as of mid-June 2020, neither Google or Microsoft has followed up with details about actions or improvements they have taken in response to this work.

Press release:

Consumer Reports calls on Cisco, Google, and Microsoft to strengthen videoconferencing privacy policies and clarify how they are using personal data. The press release covered the report and highlighted the call-to-action letter to Cisco, Google and Microsoft.