A greater portion of the world’s work, organizing, and care-giving is moving onto digital platforms and tools that facilitate connection and productivity: video conferencing, messaging apps, healthcare and educational platforms, and more. It’s important to be aware of the ways these tools may impact your digital privacy and security during the COVID-19 crisis.
Here are a few things you should know in order to make informed decisions about what works best for you and your communities, and ways you can use security and privacy best practices to protect yourself and others.
EFF has written a lot about Slack’s data retention issues when it comes to free versions of the software. With so many mutual aid networks and organizing groups coalescing on Slack to support our communities, it’s important that users are aware that the company retains their messages if they're using a free plan—and they can't automatically delete them. By default, Slack retains all the messages in a workspace or channel (including direct messages) for as long as the workspace exists.
If you are using a paid workspace, you can change how many messages are retained in Slack’s databases by setting shorter retention periods. If you’re using the free version though, that option is not available to you. Additionally, free workspace users only have the ability to search through the most recent 10,000 messages. And while users can’t see messages sent prior to the 10,000 message mark, they are still available to Slack, law enforcement, and any third-party hackers through a data breach. Leaking or sharing of this data could prove catastrophic, especially for groups who are working to provide aid and support for our most at-risk communities.
The best way to stave off the effects of isolation is to maintain contact with friends, family, and coworkers. Zoom has quickly become a popular option to work and keep in touch with others in the midst of social distancing and shelter-in-place protocols. There are a few things to keep in mind when using Zoom, particularly in instances where users are relying on the conferencing tool for their studies, or for work-related activities.
The host of a Zoom call has the capacity to monitor the activities of attendees while screen-sharing. This functionality is available in Zoom version 4.0 and higher. If attendees of a meeting do not have the Zoom video window in focus during a call where the host is screen-sharing, after 30 seconds the host can see indicators next to each participant’s name indicating that the Zoom window is not active.
Administrators and User Tracking
Zoom allows administrators to see detailed views on how, when, and where users are using Zoom, with detailed dashboards in real-time of user activity. Zoom also provides a ranking system of users based on total number of meeting minutes. If a user records any calls via Zoom, administrators can access the contents of that recorded call, including video, audio, transcript, and chat files, as well as access to sharing, analytics, and cloud management privileges.
For any meeting that has occurred or is in-process, Zoom allows administrators to see the operating system, IP address, location data, and device information of each participant. This device information includes the type of machine (PC/Mac/Linux/mobile/etc), specs on the make/model of your peripheral audiovisual devices like cameras or speakers, and names for those devices (for example, the user-configurable names given to AirPods). Administrators also have the ability to join any call at any time on their organization’s instance of Zoom, without in-the-moment consent or warning for the attendees of the call.
Schools Moving to Online Learning
Surveillance shouldn’t be a prerequisite for getting an education. But even before more school districts started moving their classes and coursework to digital forums for purposes of social distancing, surveillance has become more and more common in schools. With the advent of COVID-19 and the associated uptick in distributed digital learning, the potential for this surveillance to ramp up is alarming.
This is true from kindergarten all the way through graduate school, though it is most prevalent and insidious in K-12 schools. School administrators are choosing to use tools and tactics that encroach on students’ privacy in ways that can break down trust amongst students and their peers, teachers, families, and administrators. Many K-12 schools offer or mandate the use of school-issued devices, and those devices come with pre-installed spyware that monitors all student activities and reports them to school administrators.
Many schools are already experimenting with mass surveillance technologies with no evidence, and no way for concerned parents and students to opt out. If your school is using or is considering using technologies like Bark, GoGuardian, Gaggle, Securly, or Social Sentinel, check out our guide to Privacy for Students. It covers many of the privacy and surveillance concerns that these technologies raise, with ways to minimize the data being tracked, risk mitigation strategies, and advocacy tactics.
Telehealth and Non-HIPAA Platforms
The HHS has altered HIPAA rules during the COVID-19 crisis, allowing health care providers to use applications such as FaceTime, Facebook Messenger, Hangouts, Skype, Zoom, etc so they are able to provide care to patients remotely:
During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules.
If your healthcare provider is using an application or platform that is not covered under HIPAA, check with them on what safeguards they have in place to ensure your privacy is protected, and what their plans and timelines are for moving to platforms that do fall under HIPAA compliance.
Tools for Assessing Risk and Staying Safe Online
One of the best things you can do to keep yourself and others safe during this crisis is to learn how to minimize risk. Many of the problems presented in this post can be mitigated or circumvented with careful consideration of the risks, employing “privacy as a team sport” tactics, and minimizing the data that corporations, employers, and others can track. Our resource site, Surveillance Self-Defense, is full of practical tips, tools, how-to’s, and explainers for communicating safely online. Here’s a list of useful guides with concrete steps you can take to get started:
- Evaluate and choose the tools you use to make sure they work for you.
- Learn about best practices for communicating with others and incorporate them into your routines and tools.
- Use a password manager to create strong passwords.
- Ensure that you have two-factor authentication (also known as 2FA) enabled for as many accounts as possible.
- Consider your needs and choose the VPN that’s right for you.
And lastly, remember—we’re all in this together. Take care of each other by safeguarding each others’ physical and digital health.