Security and data protection:
Guidelines for virtual events

Thursday, February 10, 2022

Thomas Neuwert

Reading time: 04:06 minutes

Introduction

Virtual event platforms are experiencing a sudden surge in usage as the COVID-19 pandemic forces people around the world to interact via the Internet. In one of the fastest technological shifts ever, these platforms are suddenly being used for many new purposes.

Companies are encouraged to hold these types of digital events, and thus to adopt these technologies, even though many of the platforms have security and privacy deficiencies that are far from insignificant. Many of these systems offer only limited security and privacy controls, which may have been sufficient while they were used only occasionally.

As a result, virtual event tools have suddenly come under scrutiny, sometimes because of security or privacy flaws that were noticed in the past. Any platform that is widely used can become a target for attacks, trolling, disruption, and surveillance.

Many new users of digital event platforms, agencies and visitors alike, are not familiar with these technologies or with the basic principles of online security and privacy. In most cases, adoption happens quickly and out of necessity, with little opportunity to consider important issues such as security training, privacy threats, or laws such as the European Union’s General Data Protection Regulation (GDPR) and the U.S. Family Educational Rights and Privacy Act (FERPA).

Virtual events pose special requirements and problems

Let’s focus on the security and privacy principles that are particularly relevant for virtual events. We put less emphasis on general principles, such as classic programming errors and best practices for regular patching. Although these can be just as important, this article concentrates on the special requirements of virtual events.

Virtual events differ from many other forms of Internet communication, as well as from face-to-face meetings and traditional conference calls, in the following ways:

  • Virtual events should recreate the charm and conviviality of in-person visits or meetings as much as possible. This encourages the active use of audio and video connections, which can reveal details about the participants, their homes, and in rare cases, their families.
  • A simple configuration or user error can violate the privacy of a participant or the confidentiality of others. Something displayed even briefly may be captured in a detailed recording, unlike the quick glance at a person’s screen that might occur in an in-person meeting.
  • Most platforms offer recording capabilities, which carry the risk that information shared privately in the meeting is later seen by people who were not invited. Even platforms that do not offer recording can still be recorded: when third-party applications are used, for example, participants are frequently unaware that they are being recorded.
  • Because the wealth of information collected by these systems can be very large, the collection, use, and possible sale of personal information to third parties by these platforms can have more far-reaching implications than similar practices by other services.
  • Some meetings are attended by people from many organizations and even by members of the public. Connection information is often shared in an insecure manner. The risk of intrusion, for example “Zoombombing” (uninvited participants joining and disrupting a video conference), remains.
  • It is often difficult to verify the identity of participants. In many cases, participants can enter any name they like, and the list of participants often changes from one session to the next. The controls available for verifying participants are often inadequate for this task.
  • In rare cases, platforms allow prospective participants to view personal information about other participants, partly to compensate for the loose definition of who is entitled to join.

Problem categories

Based on the characteristics described above, the following categories and principles in the field of security and data protection can be defined:

  • Risk assessment and creation of realistic threat models
  • Implementation of defence strategies
  • Ensuring that security controls and functions are easy to use
  • Ensuring finely graduated access control
  • Control of the individual over the disclosure and archiving of personal data
  • Consideration of the privacy and integrity of information
  • Minimization of data collection and dissemination
  • Security by design
  • Sensitive information should be short-lived

Whitepaper: Basics for securing and protecting data on event platforms

To help you assess the risks of virtual platforms, we have compiled a list of recommendations and principles. This guide will help you design a safe and compliant virtual event. Download the whitepaper now: