Latest information and updates about COVID-19 (coronavirus) from McMaster University
Skip to McMaster Navigation Skip to Site Navigation Skip to main content
McMaster Logo McMaster logo

Executive Summary

Whilst very convenient and critical enablers of research at this time, all cloud-based online communication platforms carry inherent risks, and should only be used where the risk to participants is considered ‘low’ or ‘moderate’ should data inadvertently be disclosed. Consenting processes should make the potential risks to participants clear, and offer alternative methods for data collection should participants so wish.

Detail

There have been a number of articles in the last few days about the ‘Zoom’ video-conferencing platform and perceived privacy / security issues, and this has led to questions about its suitability for use. Current circumstances have introduced drastic changes to the way that we live and work, and many of these changes have been implemented very quickly. One result of the vast majority of the country suddenly transitioning to remote working is that platforms which facilitate this, such as Zoom, have seen sudden uptake in their services, and have suddenly garnered much more attention than was present a few days ago.

In Zoom’s case, this has resulted in a level of scrutiny that has raised some questions which have captured the interest of the media. Certainly, some of the questions, and answers, that have been raised are troubling, but it would be a mistake to think that Zoom is the only platform to which many might apply. A quick scan of the media reveals similar questions that have been asked about many other platforms (including Facetime, WhatsApp, Skype, MS Teams, Jitsi to name a few about which we have been asked in the last few days), and many of the answers are equally troubling.

The reality is that it is difficult to guarantee the security of any online communication platform, and looking for phrases like ‘encryption’ in terms of service can be misleading because many services offer partial, but not complete encryption of traffic, and the way that this is described can be very confusing (or misleading). Language around the storing of logs of communications can also be very confusing. Researchers should also be aware that most platforms will allow any participant to capture or record the contents of a communication in real time, which potentially introduces a further risk. This is of particular concern for focus groups conducted via a video-conferencing platform as a participant could record the information being provided by other participants.

In an effort to provide some clarity for the research community, the McMaster Research Ethics Board, IT Security and the Office of the VP Research offer the following guidance (which will be updated as more information becomes available):

At the time of writing, McMaster University has institutional subscriptions for MS Teams, Zoom and Webex. Some faculties have subscriptions with other providers such as Vidyo. Institutional subscriptions offer certain protections to members of the McMaster community that are not present with services for which there is no institutional subscription. Therefore at this time, we recommend the use of MS Teams, Zoom and Webex for research activities which involve remote video communications.

Each service offers some advantages and disadvantages, and ultimately the choice largely comes down to preference. It is important to note that none of these platforms (nor any other online meeting platform) should be considered ‘fully secure’. Their use would be considered appropriate for low and medium risk studies, where the risk to participants should the contents of interviews be released is considered ‘low’ or ‘moderate’.  However, the use of any video-conferencing platform for any data collection where the risk to participants should the contents of any interviews be released is considered ‘high’ is not appropriate. Such data should be collected via face-to-face interviews or by an encrypted voice calling or messaging service such as ‘Signal’ which has clear policies about the storing of logs of communication metadata.

Consent forms should include language that makes it clear what platforms are being used, and also that no guarantee of privacy of data can be made, so the risks of participation are clear. Example language might be “This study will use the X platform to collect data, which is an externally hosted cloud-based service. A link to their privacy policy is available here (LINK). Please note that whilst this service is approved for collecting data in this study by the McMaster Research Ethics Board, there is a small risk with any platform such as this of data that is collected on external servers falling outside the control of the research team. If you are concerned about this, we would be happy to make alternative arrangements for you to participate, perhaps via telephone. Please talk to the researcher if you have any concerns.”  Note: Including the link to the privacy policy is not necessary when using one of the McMaster licensed videoconferencing platforms (Webex, MS Teams, or Zoom) for low risk research. Additionally, only include the sentence on alternative arrangements if they are possible in your study.  Consent forms should also include language that participants agree not to make any unauthorized recordings of the content of a meeting / data collection session, and in the case of focus groups remind participants that researchers cannot guarantee that all participants will refrain from recording the session.

The consent form should specify what is being recorded (audio only or both audio and video). Unless seeing the participant(s) via video is essential to the data collection methodology, the participant(s) should be given the option to participate in the meetings by audio only. When making recordings, it is important that they are saved to a local computer rather than to the cloud-based service wherever possible. Where recordings must be saved to a cloud, they should be downloaded to local storage and deleted from the cloud immediately.

Any meeting details should not be publicly posted, and should limit access to authorized participants, perhaps through the use of a meeting password or by requiring authenticated access.

For more information about the Zoom platform, please see here:

For more information about Microsoft Teams, please see here:

For more information about Webex, please see here:

If you are applying to MREB and have questions about using online communication platforms for human participant research, or would like further guidance on the MREB review process, please contact Karen Henderson (khender@mcmaster.ca).

If you are applying to the HiREB, you may contact the eREBhelpdesk@hhsc.ca or sancan@hhsc.ca.