Data protection with Zoom video conferencing software


What do data protection experts have to consider with Zoom?

In the last two years, the use of video conferencing, especially with Zoom software, has increased dramatically. In offices and classrooms, it's difficult to provide an engaging remote experience while maintaining efficient communication with classmates and teammates.

Therefore, the use of services for video and online conferences, lessons, meetings or webinars, such as Zoom, is often desirable. However, when using such a tool, the privacy and data protection requirements of the GDPR must be adhered to, even in times of crisis. When selecting a suitable solution, a company or organization should carefully examine and weigh up the legal and technical circumstances and document the decision-making process.

Various types of data are processed when using Zoom. It is up to the user how much identifying information they provide. The name is generally required to start an online meeting or to enter the meeting room. When creating an account or adding further personal data, Zoom processes the following data:

  • User data:
    First name, last name, telephone (optional), e-mail address, password (if "Single Sign-On" is not used), profile picture (optional), department (optional).
  • Meeting metadata:
    Topic, description (optional), participant IP addresses, device/hardware information.
  • If recording (optional):
    MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, a text file of the online meeting chat.
  • When dialing in by telephone:
    Information about the incoming and outgoing call number, country name, start and end time. If required, further connection data such as the IP address of the device can be saved.


In April 2020, the Federal Trade Commission (FTC) criticized Zoom for its vague definition of end-to-end encryption (E2E) and for holding the cryptographic keys itself, which contradicted that claim. Zoom later added an E2E encryption setting so that meeting content stays encrypted between the Zoom participants. However, this setting is not enabled by default and must be switched on manually in Zoom's settings.

Another issue was "Zoom bombing": anyone who knew a meeting ID could join the call. This prompted Zoom to add a waiting room feature, which lets the administrator admit participants to a call individually, and to support password-protected calls. Since the six-digit Zoom password could be cracked in less than 30 minutes, Zoom replaced it with alphanumeric passwords and administrator-created passwords.

Many other security issues were found: user data being sent to Facebook, both from users who signed in to Zoom via the social platform and from the Zoom app installed on iOS devices, as well as the ability to turn on participants' cameras and forcibly add users to a call. The chat was also a problem, as attackers were able to manipulate it and send malicious GIF files, which have since been blocked. Other file types that attackers sent to users via the chat included compressed files such as .zip archives, as well as Untitled.html, Untitled.Properties, Untitled.rtf and Untitled.txt. The admin can still decide which file types may be sent in the chat.

Video conferencing for companies does not necessarily have to be a security risk. In addition to the location of the servers and the service provider, the following aspects should also be considered when selecting the right software:

  • Is there a business version of the desired tool? These versions often offer even higher security standards. Is business use permitted?
  • Does the video conferencing system offer data protection-friendly process and setting options (Art. 25 (2) GDPR)?
  • Does the transmission take place in encrypted form? How is the information encrypted (e.g. end-to-end)?
  • Is explicit consent required for transmitting or recording what is shown on the screen?
  • Are call histories and recordings deleted after the call has ended? If not, can this be changed?
  • Are participant behavior profiles created? If so, can this function be switched off?
  • For all tracking, monitoring, logging, screen sharing and recording functions, check whether they are mandatory and/or can be switched off in the settings.

Although Zoom has been criticized several times, the company is constantly working with security researchers to find vulnerabilities and has fixed most of the alarming security issues. Users should still be wary of phishing emails with Zoom invitations, which are sent with common subjects such as "Zoom invite" and ask customers to sign up. Zoom administrators and users are also advised to create password-protected meetings, use the waiting room feature and lock the session once all participants are present.
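One way to turn the recommendations above into a repeatable check, as an added example that is not Zoom's own code: it audits a settings export against the passcode, waiting-room, encryption, chat file-type and recording points and shows a hardened copy passing. The field names are assumptions modelled loosely on Zoom's account-settings JSON, and the weak configuration is constructed for the example.

```python
"""Audit a Zoom-style settings export against the hardening points above (added example)."""
from copy import deepcopy
from typing import Any

# Constructed sample of a weak tenant configuration. Field names are assumptions
# modelled loosely on the account-settings JSON; map them to your real export.
WEAK_SETTINGS: dict[str, Any] = {
    "schedule_meeting": {"require_password_for_scheduling_new_meetings": False},
    "in_meeting": {"waiting_room": False, "e2e_encryption": False,
                   "file_transfer": True, "allowed_file_types": ""},  # "" = any type
    "recording": {"auto_recording": "cloud"},
}

def _get(settings: dict[str, Any], path: str) -> Any:
    """Walk a dotted path; a missing key yields None so each check fails closed."""
    node: Any = settings
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit(settings: dict[str, Any]) -> list[str]:
    """One finding per recommendation in the text that the settings violate."""
    findings: list[str] = []
    if _get(settings, "schedule_meeting.require_password_for_scheduling_new_meetings") is not True:
        findings.append("passcode: new meetings are not passcode-protected")
    if _get(settings, "in_meeting.waiting_room") is not True:
        findings.append("waiting_room: uninvited joiners enter the meeting directly")
    if _get(settings, "in_meeting.e2e_encryption") is not True:
        findings.append("e2e: end-to-end encryption is off (the default)")
    if _get(settings, "in_meeting.file_transfer") and not _get(settings, "in_meeting.allowed_file_types"):
        findings.append("chat: file transfer allows every file type")
    if _get(settings, "recording.auto_recording") not in (None, "none"):
        findings.append("recording: automatic recording is on; explicit consent is needed")
    return findings

def harden(settings: dict[str, Any]) -> dict[str, Any]:
    """Copy of the settings with the values the text recommends applied."""
    fixed = deepcopy(settings)
    fixed.setdefault("schedule_meeting", {})["require_password_for_scheduling_new_meetings"] = True
    fixed.setdefault("in_meeting", {}).update(
        waiting_room=True, e2e_encryption=True, allowed_file_types="pdf,png,jpg")
    fixed.setdefault("recording", {})["auto_recording"] = "none"
    return fixed

if __name__ == "__main__":
    for finding in audit(WEAK_SETTINGS):
        print("FINDING:", finding)
    print("after hardening:", audit(harden(WEAK_SETTINGS)) or "no findings")
```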

Nonetheless, it is always safest to seek advice from the data protection experts at 2BAdvice to ensure that the tools used by your employees comply with data protection standards.
