Privacy and Security Information

Kiel University has concluded a contract for order processing

In the context of concluding the contract with Zoom, there is a separate agreement with the provider for order processing in accordance with the GDPR. This agreement contains the so-called EU Standard Contractual Clauses; together with Zoom's Privacy Shield certificate, this establishes the required level of data protection. The agreement was also reviewed by the data protection officer during procurement.

What data is transmitted during login to Zoom?

When logging in to Zoom via the identity provider, the following data is transmitted: a service-specific persistent personal ID, surname, first name, display name, the official e-mail address belonging to the account, and an attribute called PersonEntitlement that specifies rights within Zoom.

Before logging in, the personal data to be transmitted can be displayed so that the transmission can be approved.

Display of transmitted data when logging in via the IdP

If the account is created directly at Zoom, the provider also stores the password as a salted hash.

All personal data obtained during creation of the account can be seen on the personal profile page.

What categories of data are processed by Zoom?

A detailed list of the categories of data that Zoom collects and processes, as well as the specific purposes, can be found at https://zoom.us/privacy.

Further privacy and security information within the product

There were, and still are, serious and professionally well-founded warnings against using Zoom's services because of security gaps, open default configurations, or legally questionable privacy practices. In addition, there is the basic problem that Zoom is an American provider that is not bound by the regulations of the GDPR. These observations and aspects were discussed during procurement.

The provider itself has reacted to the accusations brought forward. The privacy policy has therefore been revised and can be found at https://zoom.us/privacy.

In an official response to the accusations, published on the Zoom blog (https://blog.zoom.us/wordpress/) at the beginning of April 2020 and available at https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/, Zoom explained that it had closed security gaps (e.g. the UNC link problem in chat), removed critical features completely (e.g. attendee attention tracking), and tightened the default settings. Zoom also gives advice on how to adjust the settings and configure meetings to avoid disruptions and privacy violations.

Configuration set by entity at Kiel University

In contrast to users with individual accounts, a corporate client such as Kiel University has more options for changing the default configuration for its own users, making the system more privacy-friendly and operating it on the basis of secure default settings.

The various available sources of information were taken into account when configuring the system, as was the documentation of other universities working with Zoom. An attempt has been made to configure the system so that the critical settings warned about in various recommendations are deactivated.

  • Recordings in the cloud at events are disabled. These settings are locked.
  • Local recordings are disabled. These settings are locked.
  • Integration apps for Google Calendar, Google Drive, Dropbox, Box and MS OneDrive are disabled in the integration configuration area.
  • Access to corporate contacts is disabled in the chat settings.
  • Participants and moderators start a meeting without video, and the participants are muted at the beginning.
  • Every new meeting is given a new password in addition to the meeting ID. This also applies to "Meet Now" meetings. The embedding of the password in the meeting link is still enabled.
  • Participants joining by phone also have to enter the password.
  • Direct feedback to Zoom is disabled.
  • Remote control is disabled.
  • Remote camera control is disabled.
  • Desktop sharing for users is disabled by default; only chosen applications can be shared.
  • Virtual backgrounds are allowed so that, for privacy reasons, users can hide the background in a private home-office environment.
  • With just two participants, an attempt is made to establish a peer-to-peer connection.
  • Use of Zoom in the browser is allowed so that participants can listen to a meeting without having to install the client.
  • Direct chat decryption is enabled.
  • Blur snapshot on iOS task switcher is enabled.
  • Use of a content delivery network is disabled.
  • Access to corporate data by users of Office365 is disabled.

In some places, event organizers can change settings within their own scope to enable better interaction with the audience. In other places, the settings are locked intentionally.

Please contact videoconf@rz.uni-kiel.de if any questions arise so that we can discuss your requirements.