Over the past few years, the Digital Lab evaluated and tested a number of products and services, informed by criteria, indicators and testing processes from the Digital Standard. To bring more transparency to the Digital Standard, we are launching a series of case studies that highlight examples to help clarify:
- Problems & Context: What type(s) of problems with products and services does Consumer Reports look into for further testing and evaluation?
- Processes & Methods: What processes or methods does the team use to evaluate and investigate products and services?
- Impact: What type of impact do the product and service evaluations have on stakeholders like industry practitioners, manufacturers, and policymakers?
- Using The Digital Standard: How was the impact of this work informed by the Digital Standard?
Our first case study dives into videoconferencing services.
CR evaluated videoconferencing privacy policies and found these services may collect more data than consumers realize
Project timeframe
March — May 2020
Problem
As of mid-April 2020, 95% of the American population are under orders to stay home. This new reality has triggered a spike in people accessing videoconferencing services. Zoom has received a significant amount of attention, but other major companies with competing services — Cisco, Google, and Microsoft — require similar scrutiny.
Consumers are caught in a difficult place. For millions of people, a videoconferencing service is the lifeline they need to stay employed, to access medical care, to keep in touch with family and friends. For many students — from pre-K through graduate school — videoconferencing, though not the only method of teaching interaction (e.g. one-way video instruction or sending activities via email), is a central part of their education and of connecting with classmates and teachers. If a person does not want to use a videoconferencing service out of privacy and security concerns, they may not be able to access classes, show up for a job, gain access to medical care or maintain contact with friends and family.
Consumers should be able to trust that companies will provide clear, simple language that shows how they respect and protect user privacy and security. There was an opportunity in the market for videoconferencing services to distinguish themselves as a leader in respecting user privacy as a core foundation of their business. Consumers deserve access to these services without sacrificing the privacy or security of their personal data and information.
[Excerpts gathered from CR Medium Post: We read the privacy policies of Skype, Meet, and Webex: 10 ways videoconferencing systems can better protect privacy for customers]
Process
Through a comparative analysis, we examined the privacy policies for three popular videoconferencing tools: Webex from Cisco, Skype from Microsoft, and Meet from Google. This comparative analysis was designed to identify potential risks and highlight areas where a lack of clarity creates doubt about how a company protects the privacy of its users. This analysis does not imply every company is exploiting every possible loophole.
We conducted a comparative analysis on privacy policies since privacy policies create publicly defined commitments about a company’s values. If something is true in the privacy policy, it should be true in the product, the user experience and the technical architecture behind the service. There are areas where the actual intentions of a company and their current daily practices are not accurately captured in their privacy policies.
The criteria used for these areas for improvement are defined in this document. For specific details on the services and a breakdown of these privacy policies, we created more granular overviews of Skype, Meet, and Webex. These recommendations were framed in a way that is broadly applicable to any platform that offers videoconferencing features.
Output & Impact
Sent a letter to Company CEOs highlighting 10 recommendations and changes: Based on the analysis, our policy team reached out to Google, Cisco and Microsoft, gave them an opportunity to make needed improvements and sent a letter to the company CEOs. The goal of this work was to ensure that these services make clear, strong commitments in the privacy policies to protect people who use and rely on these services. The letter included recommendations covering the following topics:
- Personal Data Leak.
- First Party Data Collection.
- Data Enhancement.
- Third Party Access.
- Implications of Employer or School Sponsorship of Service.
- Data Deletion and Retention.
- Differentiation Between Data Collected from Hosts Versus from Participants.
- Information Used for Product Development.
- Data that Can be Sold or Shared as Part of a Transaction.
- Access to Data for Machine Learning, AI Analysis, or Human Review.
Consumer Reports Article: It’s Not Just Zoom. Google Meet, Microsoft Teams, and Webex Have Privacy Issues, Too. This article highlighted CR’s previous privacy work with Zoom, which is now fixing a number of privacy and security problems. It also summarizes some of the key recommendations for users to stay more private in video chats, including picking one platform, using outside privacy tools, assuming you’re being recorded, and just making a regular phone call.
Manufacturer engagement:
In coordination with publishing the findings from the comparative analysis and sending a letter to the CEOs of Cisco, Google, and Microsoft, the Advocacy team also emailed contacts within each organization requesting a meeting to discuss the findings. We met with all three companies, with results summarized below.
- Cisco was the fastest to respond, and made some changes on short notice. These changes included adding clearer links to relevant policies from the sign-up pages for Webex, and providing a more accessible path to a document that provides greater detail about the data collection and use related to Webex.
- Initial meetings with both Microsoft and Google allowed both companies to get a clearer understanding of the areas for improvement that were outlined in the comparative analysis, but as of mid-June 2020, neither Google nor Microsoft has followed up with details about actions or improvements they have taken in response to this work.
Press release: Consumer Reports calls on Cisco, Google, and Microsoft to strengthen videoconferencing privacy policies and clarify how they are using personal data. The press release covered the report and highlighted the call-to-action letter to Cisco, Google and Microsoft.
How was this work informed by The Digital Standard?
This work incorporated several specific elements from the larger Digital Standard framework. Specifically, the comparative analysis used elements from the Privacy and Governance sections of the Standard:
To see The Digital Standard in full, please visit: https://www.thedigitalstandard.org/