Zoom: Background Information on Data Protection and Security

Due to the immense popularity that Zoom has gained through the Corona crisis, the service is currently highly focused by the public, also with regard to data protection. Due to the data processing contract between Münster University and Zoom and the data protection-friendly settings configured globally by CIT (Privacy by default), many of the problems discussed do not exist at Münster University. However, we would like to reflect the current discussion on Zoom, which we are following closely. It also shows that Zoom reacts relatively quickly to criticism and hints and corrects potential weaknesses. Numerous security improvements [de] have been incorporated in the current version 5. You can also find Zoom's current statements at https://blog.zoom.us/.

Zoom has the following certifications:

  • SOC2
  • TRUSTe
  • FedRAMP
  • GDPR (with Privacy Shield)

In a recent article, the Citizen Lab of the University of Toronto has addressed various issues including the much-discussed encryption topic (see below) and concludes that while Zoom is not suitable for particularly sensitive communications (e.g. trade secrets, patient information, investigative journalism) because of these issues, it is suitable for typically public or semi-public events such as lectures, seminars, social events or other non-critical communications.

Privacy Shield - CJEU Judgement

The Court of Justice of the European Union (CJEU) declared the Privacy Shield Agreement between the EU and the USA invalid on 16.07.2020. At the same time, the court declared the so-called standard contractual clauses (SCCs), which provide guarantees for adequate protection of personal data of EU citizens when transferring data to third countries, to be valid. According to the CJEU, the contractual clauses contain effective mechanisms to ensure compliance with the level of protection required by European data protection law. The judgement therefore doesn't change much in the data protection assessment of the use of video conference services such as Zoom, which (also) transfer personal data to the USA and process them there.

Münster University has concluded the so-called standard contract clauses with Zoom Inc. in addition to the contract for commissioned data processing. The national supervisory authorities must now examine whether the standard contractual clauses can be complied with by companies based in the USA. We are monitoring further developments and are waiting for a corresponding assessment.

Statement of the Rechtsinformationsstelle Digitale Hochschule NRW on the CJEU Judgement [de]

Disruption of Meetings ("Zoombombing")

There were several press reports about unwanted meeting participants who tried to disrupt video conferences by distributing unwanted content. Even though this was often described as "hacking", it was only the room ID that was guessed and it was also exploited because the meeting organizers had failed to set a password.

By default, Zoom X is configured to create a random password for each meeting room. In addition, by enabling the waiting room in the meeting settings, the moderator can specify that all participants must be manually admitted to the meeting. If all participants are present, the meeting can be blocked for further access. Otherwise, unwanted participants can be removed from the meeting room and prevented from re-entering.

To prevent files with malicious code from being sent via the integrated chat, file sending has been generally deactivated here.

Privacy Policy

As Zoom's Privacy Policy was criticised in some places as being misleading and too vague, especially with regard to data transfer to third parties and data mining, it was updated on 29.03.2020 to clarify some statements and to distinguish between the service and the Zoom website. For the service itself, Zoom does not use data mining and does not sell data to third parties. Different conditions may apply to the official Zoom website. Due to a contract for commissioned data processing with Zoom, a separate privacy policy applies to Zoom X.

Recording Function

We have configured Zoom for Münster University in such a way that only the moderator can start a recording and that the explicit consent of all participants is also obtained. The recording is stored in the Zoom Cloud for 7 days and can only be accessed by the moderator. Zoom X is configured in such a way that it is not possible to store recordings with other providers such as Youtube or Facebook.

End-to-End Encryption

Uncertainties about the actual strength and type of encryption of communication specified by Zoom led to irritation and criticism. However, almost all other video conferencing solutions including the service of DFN are not end-to-end encrypted for technical reasons. Since version 5.0, Zoom offers very strong AES-256-bit encryption in GCM mode and has even announced the introduction of full end-to-end encryption.

Known Security Problems

In the recent discussion about Zoom, the following potential or actual security vulnerabilities were discussed, but to our knowledge they have all been fixed by the developer:

Faulty geofencing
Sending data to Facebook when used with iOS app
Security vulnerabilities of Zoom client for Mac
Attention tracking
Chat messages with possibly malicious function links (UNC hyperlinks)

Other potential problems have been eliminated by CIT or do not apply to Zoom X:

  • Machine counting of participants in Zoom Rooms: The feature is switched off. So far there is only one zoom room for testing purposes.
  • Access to other contact data within Münster University by Zoom: In theory, zoom allows organisation-wide access to a directory of all users. This feature is deactivated for Zoom X.
  • Zoom passwords are traded in Darknet: The fact that large data sets with stolen passwords are offered in Darknet is a problem of almost all large Internet companies. However, this is mostly data that was not stolen from the companies themselves, but from the end users with the help of malware (partly because the same password was used for different services) and is then later offered by criminals as a bundle. Münster University users are not affected by this in any case, as they do not need a special Zoom password thanks to the connection to the University of Münster SSO (Single Sign On) and their university password is not passed on to Zoom.