Biometrics enable researchers to identify individuals from exposed video conference data
Israeli researchers from Ben Gurion University of the Negev warn that third-parties can easily infiltrate video conference meetings and can collect personal data from screenshots shared on social media.
BGU researchers took a closer look at Zoom, Microsoft Teams and Google Meet and found hackers can easily identify participants by analyzing images shared online, affecting their privacy.
“The findings in our paper indicate that it is relatively easy to collect thousands of publicly available images of video conference meetings and extract personal information about the participants, including their face images, age, gender, and full names,” said Dr. Michael Fire, BGU Department of Software and Information Systems Engineering (SISE) in a statement. “This type of extracted data can vastly and easily jeopardize people’s security and privacy, affecting adults as well as young children and the elderly.”
Amid the pandemic, the popular trend has been to post a collage of images from video meetings on social media networks such as Instagram and Twitter. Researchers found that image processing text recognition tools and social network analysis can be used to tap into over 15,700 images and over 142,000 face images.
The team used artificial intelligence-based image-processing algorithms to detect participants and the meetings they attended, along with facial recognition and image background analysis. Faces, gender and age were detected in 80 percent of cases. Almost two-thirds of usernames were found through free web-based text recognition libraries.
In total, 1,153 people were identified.
“This proves that the privacy and security of individuals and companies are at risk from data exposed on video conference meetings,” said the team, which includes BGU SISE researchers Dima Kagan and Dr. Galit Fuhrmann Alpert.
“Since organizations are relying on video conferencing to enable their employees to work from home and conduct meetings, they need to better educate and monitor a new set of security and privacy threats,” Fire said. “Parents and children of the elderly also need to be vigilant, as video conferencing is no different than other online activity.”
To prevent these situations in the future, researchers suggest not posting images online, choosing generic usernames and virtual backgrounds, while video conference companies should install privacy filters to prevent facial recognition.
UK citizens’ sensitive data already owned by 39 organizations
However, in the UK, this may be the least of people’s worries, since an average of 39 different businesses, charities, and public sector organizations already own citizens’ sensitive identity information, according to Nomidio’s State of Identity 2020 analysis. What is worse, nearly 25 percent are not aware of which companies or how many of them store their personal data.
While users are more dependent on digital services that by default collect and store personal information, the number of large-scale breaches has grown by 67 percent since 2014. The problem is the general public is usually informed months later when the damage has already been done.
“Why are we issued with a new digital Identity every time we register with a new service provider? This situation is completely back to front, it is you or I, the individual that should be able to present our identity to the different organizations we choose to interact with,” said Ben Todd, VP of Worldwide Sales at Nomidio, in a prepared statement. “Every time we allow a business to store our date of birth or mother’s maiden name, we’re expanding the attack surface and making it more likely our personal credentials will be lost forever. We need to centralize people’s identities, encrypt them and then give individuals the power to decide which organizations their data is shared with.”
Over 50 percent of residents reuse passwords for multiple accounts, which means whenever an account is compromised, there may be 38 more that could be easily hacked into. This is a major problem even for companies that have strong security strategies to prevent credential stuffing attacks.
The research confirms the need for a new approach to digital identity, as even GDPR has not had much success in changing the overall public mindset, and 77 percent of respondents are feeling more vulnerable knowing the number of organizations storing their data.
“Our own approach is significantly different to the norm. We believe in a ‘Unified Identity’; one that stores personal data on behalf of the individual and allows them to manage which companies get access to that data,” said Todd. “This neutral data Guardian is held to account by a cryptographically executed and provable consent mechanism, which is based on over a decade of cryptographic R&D work to secure the world’s internet from the threat posed by quantum computers.”
The same report found that the use of digital services has gone up 84 percent during the lockdown, a trend which may become permanent.