Heiko, what is your position here at innovaphone?
I joined the innovaphone team in 2007. I belong to the Partner Management Team Germany and am responsible for the area of northern Germany. For many years, I was also busy in the Berlin area where I established many contacts to authorities and organizations involved in security tasks.
Why is data protection a topic of such importance to you?
Let me try to put it nicely. The incidents of “friends spying on friends” showed us that we were quite candid with the use of our data, generally thinking that everything would be safe. I asked myself: What would one do with such information. Let us take a look at tech firms, for example: They earn a ton of money with knowing what we are doing now and in the future. If I draw parallels to the conversations I have on a daily basis, I can only imagine how much personal information ends up in data storage somewhere. I cannot know for sure. The only option I am left with is to pay good attention with whom I communicate about what via which platform. It is a good feeling to know that not everything I put out there is available and saved to the very last detail somewhere on this planet.
Invited to a web meeting, you click on the link, check your headset and camera, check your video image – is the hair under control - and let’s get going. Isn’t it crazy how the pandemic is responsible for us getting used to so many consecutive web conferences? What did we do before? We hardly remember or we do not want to remember. But am I missing something? What was it? Ah, yes, I am starting to remember: We communicated via telephone. And via e-mail. How often did we talk about video telephony, whether one on one calls or three-party calls? Video sessions with even more participants and with speaker-based video. Here, you would only see the one that shouted the loudest within the group. This behavior seemed okay up until the pandemic hit. Ever since, it is no longer okay. However, with innovaphone conferencing, this is no longer the case anyways. A multi video platform within the innovaphone PBX, installed locally or from the cloud. Pretty neat.
I then often get to hear “yes but…”, “due to the pandemic, we implemented something quickly…”. Sometimes it is best if I don’t find out what adventures the IT department underwent just because state-of-the art technologies were assumed. “The employees will eventually get used to it” is also a frequently used sentence these days.
What if decision makers have an infatuation with very specific telephony features? If you cannot provide this feature as a manufacturer, you will get to hear, “sorry but without, we will have to take our business elsewhere”. What now? Audio connection is extremely poor or the connection fails altogether. One number concept? Nope – more and more GSM numbers keep popping up on my display when I receive a call on my desk phone or softphone. If I ask cautiously why someone is contacting me via the own mobile phone, I get the response: “you know, we are supposed to use this special feature. I tried but I couldn’t get it to work, so I figured I’d give you a super quick call via the mobile.” Let’s leave it at that for a moment…
If I think about the back and forth with customers concerning presence information. Everybody should be able to see everything and nothing. “By no means should the user be able to view the calendar entry of Mrs. Doe”. Once more, I keep thinking that it is a good thing we have such defined privacy settings at innovaphone. By the way: Do you remember our blog post on presence information by my colleague Johannes?
So, what happens if I participate in a web conference? Who can see my name, my company information? What details do I give away in order to participate in a virtual conference? What happens at such a conference? Is it recorded? Everybody will reply: “Nooo, it’s all in compliance with data protection.” Or – even better: “Otherwise we would not be using this technology at all.”
Have you ever heard about the “privacy shield”? You could say this is the American approach to data protection laws. US organizations wanting to participate can do so with a self-certification process, stating that they will adhere to specified data protection regulations1. This is just the essence and it says it all. From the standpoint of European data protection, this does not regulate what is intended with the GDPR. Now, there is a ruling by the Court of Justice of the European Union (CJEU), called “Schrems II”, “making transfers of personal data on the basis of the Privacy Shield Decision illegal. Data controllers or processors that intend to transfer data […] must ensure that the data subject is granted a level of protection essentially equivalent to that guaranteed by the General Data Protection Regulation (GDPR).”2
This is topped off with the “CLOUD Act”. The acronym stands for “Clarifying Lawful Overseas Use of Data Act.” Enter the USA once more: §2713 of the CLOUD Act states that IT companies and communication service providers are required to grant US authorities access to stored data and records even if this information is not stored within the USA.3
Laws should ensure that my data remain secure while they can be used by other institutions, for example when required to fight crime and to prosecute criminal offences, also on an international level.
However, when I join a web conference and the service is provided by an American business, my data may not be secure after all. I assume - and I am quite serious about this – that the video session is not only recorded but that the spoken words are also transcribed into written text. Speech recognition systems4 are already highly advanced technologies and can be activated like a normal service. If we now recall the CLOUD Act, we now imagine US authorities requiring access to this information. Will they receive the video session or “merely” the transcription? What happens if there was an information leak? Who will gain access to all the data?
Well, to be honest, what big secrets do I have after all? We do use web sessions to talk about projects, conditions, hardware models and prototypes, upcoming software versions with all-new features. Blueprints are shared, there are discussions on contracts and confidential material. Sometimes we just engage in some small talk on our next holidays and wish each other a nice weekend. These are not relevant to the business – or are they?
So, how can privacy advocates come to terms? Simple. If you are not already doing so, you should start thinking about and engaging with systems which protect your data. The user surely should not get used to anything that may eventually pose a threat to the business. Businesses profit from tools and applications that are fun AND secure for the user.
I very much look forward to our V13r3 multi video platform and more so, we look forward to present it to you – all in compliance with data protection regulations.