Is 100% GDPR compliant video conferencing possible?

Is 100% GDPR compliant video conferencing possible?

While 42% of Europeans are worried about the use of their personal data (according to this study published in 2022), being compliant with the GDPR (General Data Protection Regulation) is an increasingly important issue for companies. In the age of digitalization of work, this compliance is now a real guarantee of reliability.

Tixeo, the European leader in secure video conferencing, is 100% GDPR compliant.

To protect users’ personal data

When a video conferencing solution is used within an organisation, personal data are collected and processed.

The following is an example of personal data that may be processed by the solution provider

  • lists of participants in meetings,
  • their names and e-mail addresses,
  • the times and dates of videoconferences,
  • identifiers or passwords

Even before using the solution, personal data may already have been collected. For example, if a test or contact request has been made: the name, e-mail address or telephone number of the requester has been processed.

It is therefore essential to be aware of all the measures taken by the videoconferencing publisher to protect data.

An essential condition: the European origin of the solution

In Europe, the GDPR firmly regulates the processing of personal data.

In particular, it excludes any possibility of transferring data to a third country without a prior contractual agreement. The GDPR also requires publishers to notify all information relating to the personal data they collect, such as: the means of collection, the purposes, the legal basis and the retention period. European videoconferences are subject to this regulation.

Outside the European Union, video conferencing solutions are not subject to the GDPR.

Most of the major publishers, particularly those present in the United States, comply with foreign regulations, which are very flexible in terms of data protection. The Cloud Act is one of them. This series of extraterritorial laws allows the authorities, under certain conditions, to compel publishers located on American territory to provide data relating to electronic communications stored on American or foreign servers.

Tixeo offers full transparency on personal data processing

As an actor committed to video conferencing security, Tixeo puts GDPR compliance at the heart of its commitments. It is imperative that its customers, operating in sensitive and strategic sectors, benefit from an optimal protection of their users’ personal data.

All security measures are implemented, particularly internally, to ensure this protection. These measures include the encryption of the hard disks of staff workstations handling personal data and the verification of the compliance of subcontractors.

But it is not enough to say so!

Tixeo provides its customers and users with an easy-to-understand GDPR guide.

In this guide, you just have to select your profile (Tixeo customer, solution tester, videoconference guest…), to access, in one click, all the information about the processing of your personal data.

gprd compliant video conferencing

How does Tixeo process your personal data?

Discover your GDPR guide to learn more about how Tixeo uses your personal data

Should we stop looking at ourselves during videoconferences?

Should we stop looking at ourselves during videoconferences?

This is a question we can all ask ourselves, now that videoconferencing is part of our daily lives, especially when teleworking! Indeed, several studies have looked at this habit, observed during online meetings.

A way to measure self-confidence

“If you look at yourself during a video conference, you are necessarily a narcissist. Researchers at the Carson College of Business at Washington State University have challenged this assumption. At the end of 2020, they questioned a sample of almost 500 professors and students about their use of videoconferencing and their feelings. They found that people with a high level of self-confidence rarely looked at their own reflection. On the other hand, the more reserved participants tended to focus more on their image.

An obstacle to interaction?

Marketing experts from Columbia and Stanford Universities even found that participants in a video conference could spend twice as much time looking at themselves as they did at their interlocutors. A habit that could slow down long-distance interactions.

In conclusion, in a videoconference as in a face-to-face meeting, it is better to pay attention to your environment to get the most out of your exchanges!

If you are one of those people who are not comfortable with videoconferencing, you can try looking at the camera on your webcam when you speak. Another option is to move away from the camera to avoid the (usually unflattering) close-up effect that can be distracting.

Video conferencing spying: Glare from glasses to blame?

Video conferencing spying: Glare from glasses to blame?

A study recently showed that it was possible to access information displayed on the screen of a videoconference participant through the reflection of his or her glasses. A new spying risk to be taken seriously?

Sensitive data can be exposed

Researchers from the University of Michigan in the United States and Zhejiang University in China made this revelation. In a paper entitled “Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing” they explain that they “have successfully reconstructed and recognised on-screen text as low as 10 mm in height with a 720p webcam with an accuracy of more than 75%“. In other words, it would be possible for a participant in a video conference to read text with a font size of 28 points in the reflection of the glasses of another participant in the online meeting.

However, the study points out that a number of conditions must be met for the text to be readable. The brightness of the screen, the type of glasses or the ambient light are all criteria that will reduce the risk of spying.

Moreover, it is currently impossible for researchers to analyse texts with a font size of 9 to 12 points.

A cyber security risk that could increase in the future 

With technological advances, particularly those in 4K, researchers believe that it will be increasingly easy to read texts through webcams. This type of video conference spying is therefore likely to increase.

And for good reason: video conferences are full of data, often confidential, related to the activity of companies and organisations. The use of videocollaboration tools is now massively adopted: all company functions can therefore be targeted.

The security of video conferences in question

For the time being, this type of spying, via the reflection of the participants’ glasses, does not seem to be widespread. However, vigilance must be maintained regarding the security of video conferences.

Indeed, spying on online meetings, particularly through backdoors or security flaws, is a risk that is already very real. The end-to-end encryption of communication flows makes it possible to avoid any risk of espionage and data theft. A Secure by Design videoconferencing solution is also recommended: it incorporates security mechanisms from the outset to reinforce the reliability of the software.

[How does it work?] End-to-end encryption

[How does it work?] End-to-end encryption

Encrypting all audio, video and data communications exchanged during a videoconference is possible with Tixeo’s end-to-end encryption technology. But how does it work?

Why use end-to-end encryption?

During videoconference meetings, a lot of personal and confidential information is exchanged. Without protection, this data is vulnerable to interception and eavesdropping. This risk of intrusion has particularly serious consequences for companies, which may be exposed to data theft and industrial espionage.

Reliable technology for confidential exchanges

End-to-end encryption (E2EE) is a system for transmitting data (audio, video and data). It allows only the sender and the recipient(s) to decrypt this data without any decryption phase between them. Eavesdropping and computer espionage are impossible. It is the only process that guarantees total confidentiality of communications.


Tixeo video conferencing technology integrates true end-to-end encryption in a video conference, regardless of the number of connected users. Only meeting participants, who have the encryption keys, are able to access the exchanges. Tixeo, the editor, cannot intercept the communications either.

Tixeo’s unique end-to-end encryption architecture

Link encryption is done in TLS (Transport Layer Security). End-to-end encryption (client to client) of audio, video, and data streams is done in AES 256 (Advanced Encryption Standard 256), with a Diffie-Hellman key exchange. All data transmissions via Tixeo solutions are thus guaranteed to be at an optimal security level.

The key exchange “Diffie Hellman”

This is the mechanism chosen by Tixeo, used for end-to-end encryption key exchange. When a user logs in to his Tixeo account, a short-lived encryption key is assigned to him and stored on his device. It allows to encrypt all his audio, video and data communications.

To exchange with another user, the encryption key is communicated to the other user, and vice versa. If other users tried to access their communications, they would only see a string of unreadable numbers. The next time the user logs on to the software, a new encryption key is assigned.

No trace of the communications can be found thanks to this procedure.

The true or false of end-to-end encryption

Do all video conferences encrypt their communications?

False !

Some traditional video conferences claim to have end-to-end encryption of communications. In most cases, this is simple SRTP (Secure Real-time Transport Protocol) link encryption. In fact, this technology encrypts only the flows between the user and the communication server. It is therefore very easy to access the decrypted data when it passes through their servers. With Tixeo’s secure technology, the server relays an encrypted version of the exchanges that no one is able to decrypt if they don’t have the key.

Some traditional video conferencing systems are based on SIP or H.323 protocols. Because of this architecture, these systems cannot natively integrate end-to-end encryption mechanisms.

Tixeo is Secure by design

Tixeo video conferencing technology is Secure by design. Tixeo initially designed its architecture to allow true end-to-end encryption of communications, even in multi-point video conferencing. This architecture is based on the SVC on Demand (Scalable Video Coding on Demand) technology developed by Tixeo teams. This technology takes into account network quality, CPU performance and the size of the participants’ windows in order to offer the highest stability to communications.

Is end-to-end encryption not possible in some countries?

TRUE !

Outside Europe, data protection guarantees are limited. End-to-end encryption of communications is sometimes non-existent or prohibited.

For more than 20 years, the USA PATRIOT Act has potentially authorised the tapping of any type of electronic communication. Thus, US government agencies require national IT companies operating in the United States or elsewhere to provide (if necessary) means of data collection or “backdoors”. The risk of espionage is therefore high if one considers that these backdoors are likely to be used by malicious entities. Moreover, such eavesdropping is not limited to the United States. Companies in other countries are constrained by equivalent regulations.

Tixeo Secure Videoconferencing White Paper

To learn more about video conference security

The origin of an encryption technology therefore remains a crucial element to take into account when choosing a videoconferencing solution. In Europe, thanks to GDPR, no text prohibits end-to-end encryption, and no law can force a publisher to provide encryption keys. This legal framework is of paramount importance: it guarantees optimal protection against any attempt to eavesdrop.

Deepfake, zoombombing… access to a video conference must be controlled

Deepfake, zoombombing… access to a video conference must be controlled

Communications in an unsecured video conference can be listened to and recorded at any time. Access to online meetings should be controlled, just as it is for face-to-face meetings.

 

Video conferencing, a mine of information for cybercriminals

The use of videoconferencing is no longer occasional: it is a daily occurrence for most companies. Management meetings, team meetings, crisis meetings, financial reviews and business strategy presentations are all essential moments that are now organised in hybrid or remote mode.

In teleworking, the information exchanged daily between employees can also be strategic.

During these online meetings or virtual conferences, this multitude of sensitive data circulates. This is a goldmine for cybercriminals who will do anything to access it.

 

Unwanted intrusions into videoconferencing

During the health crisis, the phenomenon of “zoombombing” appeared in video conferences. This phenomenon got its name from several unwanted intrusions into Zoom videoconferences in 2020. It can be a simple troll, but sometimes the intrusion goes further.

Even the most strategic meetings are affected by this phenomenon: Dutch journalist Danier Verlaan managed to infiltrate the confidential video conference of the European Union’s defence ministers. These intrusions are an open door to industrial espionage.

The FBI has also conducted several investigations into hackers who infiltrated online meetings, threatening participants with racist, homophobic or anti-Semitic messages.

 

A rise in deepfakes in cyber attacks

In addition to zoombombing, one method of intruding into online meetings is becoming increasingly popular. This is the deepfake, a process that makes it possible to take on the appearance of another person.

VMware, a cloud solutions provider, recently published a study on the subject. It surveyed 125 cybersecurity professionals and 2/3 of them said that the use of deepfakes in a cyber attack has increased by 13% compared to last year.

Hackers using deepfakes are increasingly targeting corporate video conferencing tools. This is the case for video conference job interviews in particular, and especially in the new technology sector. These cybercriminals use deepfake and try to get recruited in order to gather information about the company.

Important financial consequences

Espionage in video conferences, in any form, represents a real danger for the entire organisation.

If cybercriminals succeed, the consequences are often dramatic. As a result of data theft, companies are bound to experience a significant loss of turnover, as well as a considerable increase in costs, especially in terms of redesigning the security of their IS. The reputation of the organisation is also strongly impacted.

How to avoid these intrusions in a videoconference?

In order to limit the risks of intrusion, a videoconference must therefore meet certain security criteria, which are more or less important depending on the risks. For example, an online meeting of a co-management online meeting, where a lot of confidential information is shared, necessarily requires a maximum level of security.

 

Authenticating participants

In its video conferencing solution, Tixeo includes a login and password authentication (encrypted and non-reversible). This process is particularly suitable for sensitive online meetings. Indeed, only authenticated and invited users will have access. The organizer will have to validate their access and will be in full control of the participants to his videoconference.

 

Keeping control of the participants

The organiser must also keep full control over the participants in his online meeting, both before and during the videoconference. In the event of an intrusion, this enables a quick reaction and limits the impact.

In a Tixeo secure videoconference, invited participants have only minimal rights, including audio/video communication and viewing of shared documents. Only the organizer has all rights in the meeting and can :

  • partager des documents (écran, applications, fichiers…),
  • accorder des droits de partage à un autre participant,
  • ou encore lui retirer le droit de parole, voire le droit d’afficher sa caméra.

The organizer can remove people initially invited to a meeting at any time. Tixeo goes even further by offering the possibility to delegate the rights to organize and manage a meeting, right from the planning stage.

For example: Alice could organise an online meeting and give management rights to Bob. Bob can then remove Alice from the meeting. This feature is particularly interesting for people who want to delegate the setting up of a videoconference while having full control over it.

Video conferencing: is a European solution essential?

Video conferencing: is a European solution essential?

 People are increasingly vigilant about the use of their personal data. However, some european companies still rely on the global cloud and digital giants for their video conferencing tools. So why choose a European videoconference?

Permeable foreign regulations

In order to deploy video conferencing solutions on a massive scale, european companies have turned to tools with a strong reputation. In their haste, they were less attentive to the criteria of localisation and protection of their data.

Many companies have thus opted for videoconferencing solutions whose hosting and data processing are carried out outside Europe. Their data is then subject to foreign regulations, particularly American, such as the Cloud Act (Clarifying Lawful Overseas Use of Data Act).

What is the Cloud Act?

This series of extraterritorial data processing laws was introduced in the US by Donald Trump. They allow for the unrestricted use of personal data of American and foreign citizens. Indeed, these laws oblige publishers and operators located on American territory to provide data relating to electronic communications (by subpoena or warrant). This obligation applies to all data, whether stored on servers in the US or abroad.

Video conferencing vendors subject to foreign laws may therefore be required to provide their users’ encryption keys at the request of the authorities. Personal data is thus recovered for various purposes.

European video conferencing means GDPR compliance?

The Cloud Act is in total opposition to the European General Data Protection Regulation (GDPR). Much more demanding, the GDPR firmly regulates the use and processing of data, whether by the publisher itself or by third parties.

A European video conferencing solution hosts all its data on European territory. It is GDPR compliant and respectful of the company’s data.

Tixeo, the European leader in secure video conferencing, is 100% compliant with the GDPR and goes even further. Software design and development are exclusively done in France, in-house, and its proprietary technology is not subject to foreign legislation. Tixeo’s servers are hosted in France and Tixeo only chooses sovereign and European cloud hosts. The goal? To prevent any risk of dependency on extra-European powers and to guarantee maximum data protection.

To combat espionage in video conferencing

In the current tense geopolitical context, it is important for european companies to be able to benefit from sovereign video conferencing tools. The latter are not subject to external powers and the risks of data leakage are lower. Moreover, the increase in cyber attacks throughout the world can jeopardise certain organisations. This is another reason, if any were needed, to protect your video conferencing communications.

Already in 2021, Renaud Ghia (CEO of Tixeo) co-signed an article alerting to the need for greater digital sovereignty.

Spying on audio and video communications is common but can be avoided. In its European video conferencing solution, Tixeo integrates true end-to-end encryption of communications (video/audio/data). A technology that offers absolute confidentiality of communications and true independence to companies. No backdoor can be used to access communications.

Choosing a European video conferencing means opting for better data protection thanks to the GDPR. This protection will be reinforced if the video conferencing solution has a high level of security.