Thank you, Madam Chair and committee members for the invitation to speak to you today.
You're currently studying ways in which members can best fulfill their parliamentary duties during the COVID-19 pandemic. You're looking at the temporary modification of your procedures and technological solutions to support a virtual Parliament. We've been asked to speak to you today about privacy issues related to web-based video conferencing platforms as you consider potential solutions.
At this time, we're all navigating and adapting to a new reality of social distancing. Many of us have turned to video conferencing services for both personal and professional use. Governments and parliaments around the world are also using these efficient and readily available platforms to carry out important work.
We often see a connection between the privacy concerns and the cybersecurity risks and vulnerabilities of these platforms. These types of digital solutions are widely available and seamless to use, which explains their surge in popularity. However, there have also been reports of privacy and security issues related to their use. These issues stem from flaws with end-to-end encryption and data collection or sharing practices embedded in the terms and conditions. Specific risks along these lines would be unique to each video conferencing service in question. Any tool has its pros, cons, strengths and vulnerabilities.
There is a good reason to be prudent when considering cybersecurity concerns or vulnerabilities with any particular technology option. There have also been reports that the COVID-19 crisis has created new opportunities and motivations for cyber-attacks, which only increases the importance of ensuring there are adequate safeguards in place to protect against unauthorized breaches of personal information.
As you consider various technological solutions to support a virtual Parliament during this pandemic, it will be important to bear in mind that certain solutions may not be equally suitable for all situations. Parliament should first determine its needs and then assess the technical safeguards, the potential security risks and the privacy policies of each service before selecting a particular platform.
For situations that would involve government discussions requiring secure communications, I would defer to our government cybersecurity experts to provide specific technical expertise on appropriate solutions to support the work of Parliament. I would only add that a self-hosted web-based video conferencing system solution is generally more secure than using a web-based video conferencing system offered by a provider, because there is more ability to control certain technical features and, therefore, to adapt it to your specific needs.
If options other than self-hosted solutions are being considered, such as the numerous web-based video conferencing services that are broadly available, they should generally be reserved for public matters only.
A number of measures can be taken to protect privacy even when a system is used for public meetings. In such cases, we recommend the following:
The committee should conduct a careful review of the video conferencing service's privacy policies and terms of use to understand the terms for the collection, use and disclosure of personal information and third party contractual arrangements.
When using a private messaging feature during a video conference, pay particular attention to whether the messages remain private. Some messages may form part of the transcript of the meeting, and thus ultimately be more broadly available than the author intended.
For public committee meetings or House debates, the host—or in your case the chair of the committee—can prevent “Zoombombing,” gate crashers or other unwanted activities by disabling certain features such as “join before host,” screen sharing or file transfers.
Members who participate in a video conference should be careful about their own environment, such as where they sit. The people and items visible in the background can reveal a great deal of information.
Lastly, if members are using a web browser to participate in video conferences, it would be best to open a new window with no other browser tabs. Ideally, they should also close other applications to avoid inadvertently sharing notification pop-ups—showing, for example, new incoming emails—with other participants and the video conferencing service provider.
The Office of the Privacy Commissioner of Canada is currently preparing a list of best practices for individuals to mitigate common privacy and security concerns associated with web-based video conferencing systems. However, on their own, these measures don't guarantee that all privacy and cybersecurity risks would be adequately addressed, particularly in situations requiring secure communications. A more secure solution would likely be necessary.
Thank you for the opportunity to appear before you today. I now look forward to answering your questions.