Whilst very convenient and critical enablers of research at this time, all cloud-based online communication platforms carry inherent risks, and should only be used where the risk to participants is considered ‘low’ or ‘moderate’ should data inadvertently be disclosed. Consenting processes should make the potential risks to participants clear, and offer alternative methods for data collection should participants so wish.
There have been a number of articles in the last few days about the ‘Zoom’ video-conferencing platform and perceived privacy / security issues, and this has led to questions about its suitability for use. Current circumstances have introduced drastic changes to the way that we live and work, and many of these changes have been implemented very quickly. One result of the vast majority of the country suddenly transitioning to remote working is that platforms which facilitate this, such as Zoom, have seen sudden uptake in their services, and have suddenly garnered much more attention than was present a few days ago.
In Zoom’s case, this has resulted in a level of scrutiny that has raised some questions which have captured the interest of the media. Certainly, some of the questions, and answers, that have been raised are troubling, but it would be a mistake to think that Zoom is the only platform to which many might apply. A quick scan of the media reveals similar questions that have been asked about many other platforms (including Facetime, WhatsApp, Skype, MS Teams, Jitsi to name a few about which we have been asked in the last few days), and many of the answers are equally troubling.
The reality is that it is difficult to guarantee the security of any online communication platform, and looking for phrases like ‘encryption’ in terms of service can be misleading because many services offer partial, but not complete encryption of traffic, and the way that this is described can be very confusing (or misleading). Language around the storing of logs of communications can also be very confusing. Researchers should also be aware that most platforms will allow any participant to capture or record the contents of a communication in real time, which potentially introduces a further risk. This is of particular concern for focus groups conducted via a video-conferencing platform as a participant could record the information being provided by other participants.
In an effort to provide some clarity for the research community, the McMaster Research Ethics Board, IT Security and the Office of the VP Research offer the following guidance (which will be updated as more information becomes available):
At the time of writing, McMaster University has institutional subscriptions for MS Teams, Zoom and Webex. Some faculties have subscriptions with other providers such as Vidyo. Institutional subscriptions offer certain protections to members of the McMaster community that are not present with services for which there is no institutional subscription. Therefore at this time, we recommend the use of MS Teams, Zoom and Webex for research activities which involve remote video communications.
Each service offers some advantages and disadvantages, and ultimately the choice largely comes down to preference. It is important to note that none of these platforms (nor any other online meeting platform) should be considered ‘fully secure’. Their use would be considered appropriate for low and medium risk studies, where the risk to participants should the contents of interviews be released is considered ‘low’ or ‘moderate’. However, the use of any video-conferencing platform for any data collection where the risk to participants should the contents of any interviews be released is considered ‘high’ is not appropriate. Such data should be collected via face-to-face interviews or by an encrypted voice calling or messaging service such as ‘Signal’ which has clear policies about the storing of logs of communication metadata.
The consent form should specify what is being recorded (audio only or both audio and video). Unless seeing the participant(s) via video is essential to the data collection methodology, the participant(s) should be given the option to participate in the meetings by audio only. When making recordings, it is important that they are saved to a local computer rather than to the cloud-based service wherever possible. Where recordings must be saved to a cloud, they should be downloaded to local storage and deleted from the cloud immediately.
Any meeting details should not be publicly posted, and should limit access to authorized participants, perhaps through the use of a meeting password or by requiring authenticated access.
For more information about the Zoom platform, please see here:
- Office of the AVP & CTO- Zoom video conferencing: Best practices for privacy and security
- Using Zoom for Research Involving Human Participants
For more information about Microsoft Teams, please see here:
For more information about Webex, please see here:
If you are applying to MREB and have questions about using online communication platforms for human participant research, or would like further guidance on the MREB review process, please contact Karen Henderson (email@example.com).
If you are applying to the HiREB, you may contact the eREBhelpdesk@hhsc.ca or firstname.lastname@example.org.