Secure video conferencing for lawyers: criteria and privacy issues

Lawyers utilise secure video conferencing for exchanges with their clients or peers. But what are the criteria to ensure the security of communications and the data of the individuals involved in legal proceedings?

Confidentiality of video conferencing for lawyers

The confidentiality of communications is the primary criterion for choosing a secure video conferencing tool for lawyers.

Lawyer consultations

When a consultation between a lawyer and their client cannot be held in person, whether because of personal constraints or to save time, it can be conducted remotely. In that case the tool must allow both parties to exchange information easily and confidentially. End-to-end encryption of the audio and video streams is therefore essential: with it, only the participants in the online meeting have access to the exchanges.

Document sharing

In the context of legal proceedings, a lawyer may need to exchange documents with their client or colleagues. The transmission of legal files also requires end-to-end encryption, to prevent any external interception.

Discussions among colleagues and peers

Lawyers also need to exchange information with colleagues, whether on the move or working remotely, and to confer with other justice-sector professionals such as bailiffs or clerks. All of these online meetings deal with legal files that likewise require the highest level of security.


Personal data protection

The use of a video conferencing solution also involves the collection and processing of personal data from individuals involved in legal proceedings.

GDPR Compliance

It is crucial for legal professionals to ensure that the integrity of the personal data of individuals involved in legal proceedings is respected. For lawyers, in particular, this corresponds to respecting professional secrecy and the legal process. Therefore, the secure video conferencing tool used to discuss legal cases must be fully GDPR compliant.

Indeed, most video conferencing software hosts its data outside European territory and is therefore subject to extraterritorial laws that are lenient on data protection. This is the case with the US CLOUD Act: this extraterritorial legislation allows American authorities to compel providers established on American territory to hand over data related to electronic communications, whether it is stored on American or on foreign servers.

User data can therefore be compromised at any time.

Tixeo responds to CCBE’s questions about secure video conferencing for lawyers

As part of its guidelines on the use of remote working tools, the Council of Bars and Law Societies of Europe (CCBE) has compared the general conditions of frequently used video conferencing tools. This resulted in 6 questions that lawyers should ask themselves before choosing a secure video conferencing solution.

Tixeo, a secure, certified, and ANSSI-approved video conferencing solution, has chosen to respond:

To what extent are the applicable general conditions accessible and transparent?

Tixeo’s general conditions are available on request, depending on the offer concerned. Furthermore, its privacy policy, which concerns clients and users of the solution, is available on its website.

Who is responsible for data processing?

Depending on the cloud video conferencing offer chosen, Tixeo is either the data controller or processes personal data on behalf of its clients. In the context of its on-premise video conferencing offer (TixeoServer), the clients are responsible for processing the personal data of their users.

Where is the data stored?

All personal data collected and processed by Tixeo is hosted in France. Its secure cloud video conferencing offer benefits from ANSSI-certified SecNumCloud hosting.

To what extent do platform providers sell or share personal data?

Tixeo never sells or transfers personal data to a third country, except to Switzerland, which benefits from an adequacy decision. Data can therefore be transferred to our partner Ubcom in Switzerland, only with the explicit consent of the concerned individual.

What surveillance might the data held by cloud platform providers be exposed to?

None. User data benefits from the protection of French hosting providers that are committed to data security, GDPR compliant, and SecNumCloud certified.

What is the technical security level of the video conferencing platform?

Tixeo is the most secure video conferencing solution on the European market. Built according to a Secure by design approach, it integrates security at every stage, from its design through to its deployment in organisations. Its proprietary end-to-end encryption technology ensures total confidentiality of exchanges, regardless of the number of participants in the online meeting. Lastly, Tixeo is 100% GDPR compliant.

Organisations in sensitive sectors such as defence, industry, or justice now trust Tixeo for their confidential communications.


National Scientific and Technical Potential: How to Preserve it from Espionage?

The gathering of information about a nation’s scientific and technological activity undermines its stability and competitiveness. As discussed at the last Five Eyes summit, protecting the scientific and technical potential of nations requires the strongest cybersecurity measures.

Definition of Scientific and Technical Potential

The nation’s scientific and technical potential comprises “all the tangible and intangible assets related to fundamental scientific activity and applied to the technological development of the French nation.” In other words, it involves highly strategic knowledge and skills and sensitive technologies, produced and developed within public and private establishments on national territory. Access to and protection of these are thus strictly regulated.

A Primary Protection: The PPST Scheme

Since 2011, France has implemented the Protection of Scientific and Technical Potential (PPST). This inter-ministerial regulatory security mechanism, led by the General Secretariat for Defence and National Security (SGDSN), is spread across 6 different ministries:

  • Ministry of Agriculture
  • Ministry of Defence
  • Ministry of Sustainable Development
  • Ministry of Economy and Finance
  • Ministry of Health
  • Ministry of Higher Education, Research, and Innovation

It aims to prevent any leakage of, or attempt to capture, this sensitive information, notably through the creation of Restricted Regime Zones (ZRR). In these areas, such as research or production sites that are of great interest to the nation, strict control over physical and virtual access to sensitive information is enforced. The PPST complements other security frameworks such as those for Operators of Vital Importance (OIV) or national defence secrecy.

What are the risks if these sensitive pieces of information are exposed?

If captured, this information related to the technical and scientific potential of the nation can be diverted for purposes of destabilization or criminal activities. The risks are classified into 4 categories:

  1. Damage to the nation’s economic interests
  2. Development of military arsenals
  3. Proliferation of weapons of mass destruction
  4. Terrorism

Sectors Affected

Various scientific and technical sectors are therefore covered by the PPST:

  • Biology
  • Medicine
  • Health
  • Chemistry
  • Mathematics
  • Physics
  • Agronomic and ecological sciences
  • Earth, universe, and space sciences
  • Information and communication science and technology
  • Engineering sciences…

Thus, research laboratories, companies, and universities must be protected from the risks of data interception.

Protecting Scientific and Technical Potential from Cyber Espionage

Access to ZRR can be physical but also virtual. Therefore, the security of information systems is a major challenge in protecting the scientific and technical potential from cyber espionage.

Securing Restricted Regime Information Systems (SIRR)

A Restricted Regime Information System (SIRR) carries Restricted Regime Information (IRR), i.e., sensitive information whose disclosure would present one or more of the risks listed above. Accessing such a system therefore constitutes virtual access to a ZRR. It is noteworthy that SIRRs are subject to inter-ministerial instruction no. 901 on the protection of secrecy and national defence.

The ANSSI’s guide on the digital protection of the nation’s scientific and technical potential lists the security measures that organisations operating an SIRR must implement. Among them is the deployment of an information systems security policy (PSSI), which lists all the good practices and computer security procedures to be followed by employees and other stakeholders.

An SIRR encompasses all types of media and electronic equipment, such as laptops, USB keys, or servers, and therefore requires cybersecurity awareness training for its users in parallel.

Examples of Security Measures to Implement:

  • Encryption of communications
  • Encryption of hard drives of workstations
  • Access control

Ensuring the Security of Workstations

Workstations contain a number of sensitive pieces of information that must be protected. ANSSI, through its guide, emphasizes the importance of deleting all the data present on a workstation before reallocating equipment. Similarly, it is crucial to revoke access rights to information systems as soon as a user’s employment period ends.
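The measure above, revoking access as soon as a user’s employment ends, is only as good as the check that verifies it was done. The following audit is an added example (it is not code from ANSSI’s guide or from Tixeo) that cross-checks a constructed HR roster against a constructed list of directory accounts and reports enabled accounts whose owner has left, logins observed after the end date, and accounts with no HR record at all (orphan accounts, often forgotten service accounts). The record layouts, user ids and dates are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    """One line of the HR roster (constructed format for this example)."""
    user_id: str
    end_date: Optional[date]  # None means the person is still employed


@dataclass(frozen=True)
class Account:
    """One directory account as exported from the identity system (constructed)."""
    user_id: str
    enabled: bool
    last_login: Optional[date]


def overdue_accounts(hr_records: list[HrRecord], accounts: list[Account],
                     today: date, grace_days: int = 0) -> list[tuple[str, str]]:
    """Return (user_id, reason) for every enabled account that should have been
    revoked: the owner's employment ended at least `grace_days` ago, or the
    account matches no HR record (orphan). Disabled accounts are ignored."""
    end_by_user = {r.user_id: r.end_date for r in hr_records}
    findings: list[tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.user_id not in end_by_user:
            findings.append((acct.user_id, "no HR record (orphan account)"))
            continue
        end = end_by_user[acct.user_id]
        if end is None or (today - end).days < grace_days:
            continue  # still employed, or leaving in the future
        reason = f"employment ended {end.isoformat()}, account still enabled"
        if acct.last_login is not None and acct.last_login > end:
            # A login after the end date is the strongest signal: the access
            # was not only left open but actually used.
            reason += f"; login observed {acct.last_login.isoformat()} after end date"
        findings.append((acct.user_id, reason))
    return findings


# Constructed sample data (not real people or systems).
HR_ROSTER = [
    HrRecord("amartin", None),
    HrRecord("jdupont", date(2024, 3, 31)),
    HrRecord("lbernard", date(2024, 6, 30)),
]
DIRECTORY = [
    Account("amartin", True, date(2024, 4, 30)),
    Account("jdupont", True, date(2024, 4, 12)),   # left on 31 March, still logging in
    Account("lbernard", True, date(2024, 4, 29)),  # end date in the future: fine
    Account("svc-legacy", True, None),              # no owner in HR: orphan
]

if __name__ == "__main__":
    for user, reason in overdue_accounts(HR_ROSTER, DIRECTORY, date(2024, 5, 1)):
        print(f"{user}: {reason}")
```

Run it daily against a fresh export of both sources; any non-empty result is a revocation that was missed, and an orphan account needs an owner assigned or the account disabled.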

Using End-to-End Encryption Technology for Communications

Communication tools deployed in companies, especially in RR zone establishments, must meet the highest level of security. Firstly, the solution used must be Secure by design and thus meet a number of security criteria, from its design to its deployment in the organization. This significantly reduces or nullifies its impact on the company’s network security. Moreover, communications exchanged over online messaging or video conferencing are targets of computer and industrial espionage. Only end-to-end encryption technology for audio, video, and data communication flows can prevent the retrieval of this data.

Demonstrating the Utmost Reactivity in Case of Attack

In the event of a cyber crisis, a secure and emergency communication solution is also essential to ensure the continuity of the establishment’s activities. It should allow employees to continue their exchanges through an “out of band” communication channel, i.e., different from the one usually used.

The secure video conferencing software Tixeo meets this need. Thanks to its sovereign end-to-end encryption technology and its highly secure deployment in on-premise version, it supports establishments in their crisis management and cyber resilience.

First Five Eyes Summit on the Subject in 2023

On October 16 and 17, 2023, the first-ever Five Eyes summit devoted to protecting the nation’s scientific and technical potential took place. At this summit, the five countries of the coalition (United States, United Kingdom, Canada, Australia, New Zealand) raised the alarm about the threats weighing on innovation and research. In particular, the Chinese government was singled out as the main danger to innovation and to the interests of nations.

“The Chinese government is engaged in the most sustained and sophisticated theft of intellectual property and acquisition of expertise in human history,” stated Mike Burgess, director-general of the Australian intelligence services. Industrial espionage operations originating from China are indeed increasing at an unprecedented rate. “The sectors of artificial intelligence, quantum computing, and synthetic biology are particularly targeted at the moment, according to senior officials.” This resurgence of state-sponsored cyber espionage spares no European country either.

The document “Five Principles for Securing Research and Innovation”, published at the end of the summit, presents several recommendations to maximise the protection of scientific and technical potential. Among them: knowledge and management of cyber risks, protection of the work environment, awareness among collaborators, and securing partnerships, suppliers, and service providers.

The Surveillance Industry or Europe’s Dangerous Paradox

Excerpt from the Digital Violence platform (https://www.digitalviolence.or)

Opinion piece by Jean-Philippe Commeignes, Commercial Director @Tixeo

Europe, struck by the war in Ukraine for nearly two years, has been experiencing an intensification of the terrorist threat for several weeks following the outbreak of war between Israel and Hamas. In this extremely tense geopolitical context, the statement by the Minister of the Interior in a recent interview about access to data and encrypted messaging conversations has put back on the table the binary question of balancing privacy protection and the need for security.

The fundamental issue is not so much the debate on the unlikely negotiation of access to public encrypted messaging, but the strict control of the use, sale, and export of cutting-edge surveillance technologies. These technologies, beyond circumventing the encryption problem, represent a dangerous temptation within the European Union, as highlighted by Sophie in ‘t Veld, a Member of the European Parliament, in her latest opinion piece on the risks of this industry.

Global War on Terror and Mass Surveillance

After September 11 and the launch of the war on terror by the USA and its allies, the demand for surveillance and intelligence solutions exploded. A 2017 Privacy International report counts several hundred companies in this sector created between 2001 and 2013, 75% of them from NATO countries. The approach, tinged with American techno-solutionism, led to the implementation of the mass surveillance programs revealed in 2013 by whistleblower Edward Snowden, then working for the famous NSA. These revelations also exposed the role of the major American platforms in this data collection.

Uncontrolled Changes in the Post-Snowden World

These revelations had two major effects:

• The gradual generalization of encryption, even in consumer solutions, making authorities more “blind” in technical collection, and prompting states to have means of circumvention;

• The tightening of data protection regulations, through the General Data Protection Regulation, positioning Europe as a standard-bearer for privacy protection worldwide.

Concurrently, the rapid adoption of smartphones, messaging, and social networks facilitated the coordination of social movements like the Arab Spring, creating a stronger demand from authoritarian countries for solutions to contain them.

“The Cyber Surveillance Industry Has Adapted Across the Entire Value Chain”

The cyber surveillance industry has adapted across the entire value chain to meet both domestic and export markets, in a mix of business and foreign policy. It’s a market with layers.

Figure: Extract from the Digital Violence platform (the surveillance industry)

The first layer is the research and acquisition of vulnerabilities unknown to the software publishers, called 0-days, which allow those who hold them to compromise targeted software and equipment without any user action (0-click). The second layer is spyware that uses these vulnerabilities as invisible vectors to deploy its real-time surveillance tools.

This was highlighted twice thanks to the work of journalist consortia and NGOs like Amnesty International. The first time in July 2021 by Forbidden Stories and 17 media outlets as part of the Pegasus Project, named after the spyware developed by Israeli company NSO. The second time, a month ago, in the context of the Predator Files, named after another type of software, this time developed by a consortium of companies based in Europe, particularly in France, Intellexa. This is emblematic of an ecosystem still adrift and used for political purposes. The Digital Violence platform, developed by Forensic Architecture, allows for a frightening but salutary immersion.

Today, the cyber surveillance industry market is estimated at $12 billion according to the director of the Citizen Lab.

The PEGA Commission and Its Recommendations Against Illiberal Temptations in Europe

The work of the Parliamentary Commission on Spyware, called PEGA, following the Pegasus scandal, has highlighted the main problems within the European Union.

Domestically

First, domestically, with the confirmation that 14 European countries and 22 security agencies had acquired this type of software and that 5 member countries had used it against civil society in disregard of the law and of institutions. This underlines that even our democracies can be seduced by tools that bypass the controls indispensable to legitimate and proportionate use, sometimes relying on a very broad definition of the concept of national security.

Internationally

Internationally, the commission’s findings showed the limitations of the EU’s export rules for these technologies, which are both permissive and applied inconsistently across member states. This allows opaque company structures to be set up to take advantage of these weaknesses and export more easily.

A recent report by the Carnegie Endowment for International Peace indicates that EU member states granted 317 export authorizations in this segment between 2015 and 2017, compared to only 14 refusals. It also indicates that these exports are primarily to countries where human rights are secondary.

This is Europe’s paradox: being a model promoting democracy and human rights protection while importing and exporting, without strict control, the means of its regression.

“Bossware”: what is this software that spies on employees?

Bossware makes it possible to monitor an employee’s activity remotely. The use of spyware is more widespread than you might think, especially since the advent of teleworking and AI. How can they be detected and what are the risks? 

What is bossware?

“Bossware” is the term used to describe software designed to monitor employees. Installed on the workstation, it collects as much data as possible on the worker’s activity, with the aim of obtaining an overview of their productivity. This spyware can record all online activity, keystrokes and mouse movements and, in some cases, even take random screenshots and record audio or video.

Widely used since the widespread deployment of teleworking in 2020, it enables managers to keep an eye on their employees from a distance. Now, with the development of artificial intelligence, surveillance can go even further. For example, some “bossware” software, such as Veriato, is capable of analysing worker data to assign them a “risk score” for the company’s security. Others can send alerts if the worker does not seem to be behaving appropriately at their post.

Spyware not always detectable

Bossware can be deployed visibly or silently. With visible surveillance, workers are aware that their activity is being monitored. In certain configurations, they can even act on the software by pausing it, for example. Conversely, with silent surveillance, employees are not aware that they are being “spied on”. The software may therefore have been installed remotely on their workstation without their consent.

Authorised in the United States: and in Europe?

In the United States, employers can easily force employees to install this type of software on their workstations. However, laws are now being introduced to limit their use by requiring companies to be transparent.

The GDPR also protects employees

In Europe, employee surveillance is not clearly legislated. Nevertheless, the General Data Protection Regulation (GDPR) can serve as a reference on the subject. This regulation defines the conditions for the collection, use and transfer of personal data and provides a framework for data processing operations, including those relating to employee monitoring. Consequently, employee consent to the processing of their data is absolutely required. However, as the European report “Employee monitoring and surveillance: The challenges of digitalisation” notes, “it is up to each [EU] Member State to put in place specific data protection provisions”.

Controversial but still used

In France, “bossware” is highly controversial, but it is still widely used. According to a study carried out by Vanson Bourne for VMware, “63% of French companies with more than 500 employees have implemented surveillance tools”. Nevertheless, the French Data Protection Authority (CNIL) regularly issues warnings about the use of this software. It points out that such surveillance must not “undermine respect for employees’ rights and freedoms”. Employees must therefore be informed before any surveillance tool is put in place. Surveillance in the workplace is one of the main reasons for complaints to the CNIL.

But Europe’s leading country for employee surveillance is Spain. According to the same report, “40% of Spanish companies have installed spyware”, compared with 15% in Germany and 26% in the UK.

The different ways of detecting bossware

According to TechTarget, bossware can be detected by carrying out a few checks.

Check the task manager

If an unrecognised program whose name is made up of seemingly random numbers and letters is running in the background, it may be bossware. Note, however, that many spyware programs do not show up in Task Manager at all.

Download antispyware

If you are suspicious, anti-spyware software can be useful. It will scan the device and be able to identify the “bossware” as malicious software. 

Monitor outgoing Internet traffic

Some Internet traffic monitoring software can detect unusual traffic and confirm suspicions.

What are the risks of using bossware to monitor employees?

Impact on employee productivity and well-being

The introduction of employee monitoring tools demonstrates a blatant lack of trust on the part of management towards employees working remotely. And yet, this mutual trust is essential if employees are to remain committed to the company and retain their loyalty. Surveillance, when it is visible, puts constant pressure on employees, pressure that can lead to exhaustion and burn-out. While management would like to control and act on their productivity, it is harming the well-being of its teams.

Data theft and breach of privacy

In France, employees have rights regarding the processing of their data, particularly under the GDPR. They should be aware of this and not hesitate to alert their representatives if they have any doubts about spyware in their company. The use of “bossware” leads to massive processing of personal content and data, which undermines employees’ privacy. If this software is not perfectly secure, it can itself be targeted by cyber-attacks, and data concerning both the employee and the company is then liable to fall into the hands of malicious parties. Employers must protect employee data, whether it was collected for recruitment, security or business monitoring purposes.

Conclusion: to combat bossware, promote trust and communication

In conclusion, bossware has been used extensively since the health crisis and is developing further with artificial intelligence. However, its effects can be harmful to employee well-being and undermine team performance.

The use of spyware should therefore never be systematic for remote collaboration. It is essential that teleworking is offered in a climate of trust, in order to reap all the benefits in terms of productivity and quality of life at work. To achieve this, appropriate and secure management and communication tools are essential.

Preserving your company’s cybersecurity

The security risks of “bossware” are real. They can lead to the loss of personal data and have financial repercussions for the company.

Employees must remain aware of their rights regarding the protection of their privacy and personal data, and not hesitate to contact their representatives if they have any doubts about the use of bossware.

To find out more about teleworking: https://www.tixeo.com/en/discover-tixeo-video-conferencing/security/white-paper-on-secure-teleworking/

State Cyberespionage: Challenges and Key Figures (Infographic)

European businesses and organisations are facing an increase in state-originated cyberespionage attacks, predominantly from Russian or Chinese sources, which have escalated since the Ukrainian war. Key statistics of state cyberespionage include:

  • In 2022, 77% of state cyberattacks involved espionage operations. (source: cfr.org/cyber-operations)
  • 9 out of 19 cyber defence operations involved China-linked groups. (source: ANSSI)
  • As of 2023, 83% of identified state cyberattacks are espionage-related. (source: cfr.org/cyber-operations)

The 2024 Olympics: A Forthcoming Challenge

80 critical entities are involved in the Paris 2024 Olympics, out of a total of 350 organisations. The cyber risk level may reach an unprecedented threshold during this period. European organisations, especially French ones, need to prepare now, as international state cyber threat actors might exploit this global event to conduct attacks, including cyberespionage, to destabilise the Olympics and potentially the nation’s equilibrium.

Cyber Resilience More Necessary Than Ever

European organisations must now prepare for the worst, particularly in the tense geopolitical context with the war in Ukraine and the Middle East. Strengthening cybersecurity measures is crucial. The ANSSI has announced conducting around sixty audits and distributing training kits to the 350 entities involved in the 2024 Olympics, including 210 healthcare establishments. The goal is to better identify risks and respond quickly and effectively, using “rapid remediation plans” to maximise organisational resilience and ensure continuity of operations.

Infographic: Cyber espionage