Security on Zoom

Yes, DeiC's version is different.

On social media, many have taken up this topic, worrying about the conditions that apply to end users of Zoom who use the free version or buy licenses online for the regular cloud version of Zoom. However, these are not the conditions that apply to the use of Zoom at DeiC.

DeiC's Zoom service is the result of a pan-European tender (2016/S 236-430854) made via GÉANT, the common organization for all research networks in Europe. The agreement with Zoom was renewed in 2021 as a supply agreement under the original framework agreement.

On this basis, the Nordic network collaboration NORDUnet has entered into a supply agreement with Zoom, which is not based on a US text, but on the text drafted jointly by the countries in GÉANT. It contains all the data protection conditions that one would normally expect from a European agreement.

Users of Zoom via DeiC thus do not use the same infrastructure as individual Zoom users, but a server park operated by NORDUnet in collaboration with the research network organizations in Norway, Sweden and Finland at a number of locations in the Greater Copenhagen area, and DeiC then has an agreement with NORDUnet to provide this service.

These agreements are followed up by data processing agreements throughout the supply chain: Educational institutions - DeiC - NORDUnet - Zoom.

• Audio and video in the meetings
• Content of chat, white board and file sharing inside the meetings
• On-premise cloud recording

In addition, a number of 'metadata' that is collected and passed on to Zoom as data processor.

• Name
• E-mail
• Organization
• Group affiliation
• IP address and meeting times

Metadata about the meeting (name, email, username, institution name, any group affiliation as submitted via WAYF, IP addresses, client types and times) is collected by Zoom (as an independent data controller) for statistical purposes and to check that DeiC complies with the license agreement. The agreements state that Zoom may not use this data for other purposes - including not sharing it with any parties outside Zoom.

This is regulated in Zoom's privacy policy. As a user, you will be asked to accept this policy when you install the Zoom client. It does not conflict with the agreements that otherwise govern the Zoom service at DeiC.

You should be aware that if you use one of the many integrations that Zoom has with Google or Skype, for example, Zoom will pass on some data, but this is controlled by you as a user. If you are sitting in a Zoom meeting room and ask Zoom to call out to a Skype user (you can actually do that), Zoom will transfer your name to Skype so that the person receiving the Skype call can see who it is from.

No, part of Zoom is also the so-called IM client, which is opened by tapping Chat in the app before opening the video meeting client itself. It is not widely used and should not be confused with the Chat found inside the video meeting client itself, but in addition to sending text messages, you can also upload files for sharing.

Data exchanged via the IM client is not covered by the data processing agreement but only by Zoom's privacy policy, and we therefore cannot recommend that it be used for sensitive information. We recommend all institutions' Zoom administrators to disable this option.

The meetings covered by DeiC's Zoom service are those where the meeting leader comes from one of the DeiC-connected institutions and is logged in via their institution in the usual way (via WAYF or the institution's SSO solution).

If you have not logged in or logged in in other ways, you are not using DeiC's Zoom service.

If you have only received an invitation to a meeting via a link or meeting ID, you do not need to log in. In that case, in the video meeting client, you can click the small (i) located in the top left corner and see the meeting URL.

Participants in a video meeting naturally have access to audio and video during the meeting. The meeting host can give each participant - including themselves - the option to record the meeting on their own PC. However, the option to record "to the cloud", which is available in Zoom, can be purchased and will then also be covered by the data processing agreement. The traffic itself is encrypted and is not stored on any servers anywhere - neither at DeiC, NORDUnet or Zoom.

Berlingske Tidende has had an article about Zoom administrators being able to access audio and video, but this is not relevant in relation to DeiC's Zoom service, because we do not allow recordings anywhere other than on the participants' own PC.

By default, knowing a meeting ID is sufficient to join the meeting. This meeting ID is typically a 7 or 8 digit number, but can also be another string of characters defined by the meeting host. During the meeting, all participants can see who is participating by opening the "Participants" window.

This is simple and convenient, but if you don't want the meeting to be open, there are several options to make it more closed, especially by using the options to set a password and for meeting participants to be let in by the meeting host. Zoom has also published a longer guide to this, which can be found on their own blog.

'Zoom-bombing' is the popular term for hackers guessing meeting IDs and trying to get into meetings. But it's quite simple for the meeting host to prevent.

Yes - traffic from your web browser and Zoom client is always encrypted (with TLS 1.2 or AES-256). See the details in Zoom's Encryption Whitepaper (PDF).

While some security specialists recommend even stronger encryption, some commentators have argued that there is almost no encryption at all when using Zoom, but there is no evidence to support this conclusion.

However, you should be aware that if you call into a Zoom meeting from an old-fashioned analog phone, the traffic is inherently not encrypted before it reaches the infrastructure belonging to the Zoom service.

In the same way, if you connect to a Zoom meeting with other third-party solutions, it is not the Zoom service that handles any encryption for Skype calls, ZIP phones, GSM phones or H.323 A meeting host can configure whether to allow such connections into the meeting, and it is possible to only accept H.323 endpoints that connect encrypted to the meeting.

A meeting participant can ask the host or open the participant list themselves, where you can see which type of connection they have next to each participant.

Since the end of 2020, Zoom has had the option of end-to-end encryption so that no one other than the meeting participants have the encryption key to the traffic. However, this requires using the client and prevents a number of things:

• You cannot enter the meeting before the host.
• Cloud recording
• Live streaming
• Integrations and apps
• Breakout sessions
• Participation via browser client, phone H.323, SIP, Skype etc.
• Maximum 200 participants

Since the end of 2020, Zoom has had the option of end-to-end encryption so that no one other than the meeting participants have the encryption key to the traffic. However, this requires using the client and prevents a number of things:

• You cannot enter the meeting before the host.
• Cloud recording
• Live streaming
• Integrations and apps
• Breakout sessions
• Participation via browser client, phone H.323, SIP, Skype etc.
• Maximum 200 participants

No - meeting titles are part of the data stored on the dedicated server park operated by NORDUnet for this purpose at two locations in the Copenhagen area. Meeting invitations are sent from client to client.

No - when you use Zoom at DeiC, no credit card data is involved at all.

Many social media posts have made sense on this topic based on some terms that are no longer current. Data that Zoom comes into possession of (both as a data processor and as a data controller) may not be used for purposes other than those for which it was collected. It may not be shared with others and it may not be used for marketing by Zoom itself.

Any type of service that needs to be accessed via a URL can be subject to spoofing attempts - creating a URL where the domain part is so close to the real one that the hackers hope we click on the link. Zoom is no exception. This is not something that can be blamed on the Zoom service as such, but is a general characteristic of links we receive in emails.

If you are nervous about whether you can remember to recognize zoom.us in an invitation URL every time, you can instead start the client yourself and then cut the meeting ID into it.

No - previously Zoom used a Facebook toolkit as part of their iOS clients, but a software update on 3/27/20 removed this. This was only relevant if you used your Facebook credentials to log into Zoom, which none of our users have ever done.

No - but there has been a reported bug - the so-called "UNC link issue" - which may/may not have enabled this for other conference attendees, but it has been fixed in a software update 1/4-20.

In March 2020, a vulnerability was reported that allows a local user on a macOS machine to become root. Most users of their own machines can become root in other ways anyway, so it may not be that alarming, but it is of course a bug. It has been fixed with a software update 1/4-20.

Zoom has a feature called "attention tracking", which by default has been disabled in DeiC's Zoom service. This feature gives the meeting host an indicator of whether participants have the Zoom window active during screen sharing. The meeting host cannot get any other information from the participants' PC. It has also been disabled in connection with the software update 1/4-20.

As the Zoom service at DeiC does not run in Zoom's regular cloud, but in a dedicated server infrastructure managed by NORDUnet, we will typically be a few days behind the latest updates from Zoom, so at the time of writing, attention tracking may still be available on some instances.

No, not usually. When you start a meeting and access an address such as deic.zoom.us, this address belongs to Zoom's infrastructure. Based on the meeting ID, the client is told back that the meeting belongs to the dedicated server infrastructure, and the rest of the traffic is then directed to this infrastructure. Zoom's infrastructure basically acts as a kind of switchboard before the meeting starts.

Addresses of the type deic.zoom.us are served by a CDN (Content Delivery Network), which is global and whose IP addresses are typically in the various geo-location databases such as the US, but which in the Danish case is usually in Frankfurt. As soon as the connection is established, traffic is directed to NORDNet's servers.

A longer analysis of this can be seen here.

If a meeting URL is accessed from elsewhere in the world, Zoom's CDN infrastructure can be encountered in locations other than Frankfurt before traffic is re-routed to NORDUNet's dedicated infrastructure. The same applies if the Frankfurt infrastructure is out of service.

No. There has been mention in some media that Zoom is moving from AWS to Oracle as a cloud provider, although it is not yet clear when this will happen and at what rate. However, this is not something that affects DeiC's Zoom service, as it is based on us (NORDUnet) running our own dedicated cloud infrastructure.

Some institutions use LTI Pro to integrate Zoom meetings with their LMS. This is not covered by the data processing agreement, but only the very basic metadata is exchanged via this integration: user ID and meeting room ID, as well as subject/title, start and end times.

This is data that Zoom collects anyway about all users in its capacity as an independent data controller, and therefore the use of the LTI Pro integration does not involve a further spread of data.

None of what happens inside the meeting (audio, video, chat, screen sharing etc) is exchanged via LTI Pro.

Yes - that's our assessment as it stands now.

Can we promise that there will be no more concerns about security in Zoom? Of course we can't, just as you can't say that about any other similar products and services. The important thing here is whether we are dealing with a supplier that has a reasonable security culture and a quick response to the problems you become aware of.

It is our impression that NORDUnet, which has direct contact with Zoom, experiences a good dialog and response, and you can see from a blog post from Zoom's CEO, that this is something they take seriously.