The IT department at Nordic House received concerns from several teams regarding the choice of video conferencing solution. There have also been a number of reports in various media outlets about Zoom’s poor level of security and sale of data to third parties.
It is important to understand that the Zoom solution used by Nordic co-operation is not the same as that used by private users. Although it cannot be said that Zoom has no data security issues, our solution is secure.
The IT department at Nordic House buys its Zoom service from NORDUnet, which is a co-operative body for the Nordic Region’s five national research and education networks and which is owned by the Nordic countries. NORDUnet provides world-class networks and e-infrastructure for the entire Nordic research and education sector, so it would be difficult for the Nordic Council of Ministers and the Nordic Council to find a more competent partner in this area.
In order to respond to concerns, we have gathered the most commonly asked questions here. In addition, the IT department can be contacted directly.
# Who has access to the audio and video?
All the participants in a meeting have access to audio and video. The host can allow individual participants to record the meeting on their own PC, but only there. Our solution does not allow cloud recordings. Traffic is encrypted and is not saved on any server anywhere.
# What about Zoom bombing and unauthorised participants?
By default, anyone participating in the meeting knows the meeting ID. This is typically a 7- or 8-digit number, but it may also contain other characters defined by the host.
All participants can see who the other participants are. Consequently, it is easy for the host to see if there are any participants who shouldn’t be there.
Zoom bombing is the term used when hackers guess the meeting ID and try to join. However, as mentioned, this is easy to detect.
For additional security, a password can be set and the host can lock each participant into the meeting. Zoom provides detailed instructions on how to do this here:
# Is traffic encrypted?
Yes, traffic from your browser and Zoom client is always encrypted (using TLS 1.2 or AES-256). Details are available in Zoom’s Encryption Whitepaper (link below).
There is therefore no evidence to suggest that Zoom has no encryption. It should be noted, however, that traffic is not encrypted when calling into a Zoom meeting from an old-fashioned analogue phone, as encryption takes place within Zoom’s infrastructure.
The same applies when connecting to a Zoom meeting using a third-party solution such as Skype, a SIP phone, a GSM phone, or H.323 video conferencing equipment. In these cases, the third-party solution provides the encryption.
A meeting host can decide whether or not to allow these types of connections. It is possible to allow only H.323, which can connect to a meeting with encryption. Furthermore, all participants can see what type of connection the other participants have.
# What are the actual terms and conditions?
The Nordic Council of Ministers has concluded an agreement with NORDUnet for Zoom. The agreement is supplemented with a data processing agreement and there are similar agreements throughout the supply chain.
The agreements address primarily the data processed by the supplier for users, i.e. configurations regarding administrators and meetings, as well as chats and files shared in the IM client and user data that is provided to Zoom when users log in.
The agreements stipulate that the data must not be shared with anyone outside of the supply chain and must not be used for any other purpose.
Zoom collects various data, such as usernames, IP addresses, OS versions, and times. Zoom does not share this data with anyone, nor is it used for marketing.
Zoom’s policy does not contravene the agreements concluded with NORDUnet and subsequently the Nordic Council of Ministers. Zoom’s policy was updated on 29 March 2020 precisely so that there would be no doubt as to the data being collected and what Zoom can use it for.
# Can Zoom see meeting titles and invitations?
No, meeting titles are part of the data that is stored on a dedicated server park in Copenhagen operated by NORDUnet for this purpose. Meeting invitations are sent from client to client.
# Does Zoom have access to payment card details?
No, the use of Zoom with NORDUnet does not require any payment card data.
# Is data used for marketing?
No, the data collected by Zoom (as a data processor and as a data controller) must not be used for purposes other than those for which it is collected. This data must not be shared with others and must not be used for marketing by Zoom.
# What about fake Zoom domains?
Any type of service that users connect to using a URL is vulnerable to spoofing, which is when hackers create a URL that is very similar to the genuine one. Hackers hope that you won’t notice and that you will click on the link. Zoom is not immune to spoofing. This is not something that anyone can protect Zoom from and is a general flaw of links that are sent by e-mail.
If you are worried about being unable to remember or recognise the URL invitation each time, you can start the client yourself and paste the meeting ID.
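As an added illustration (not part of the original FAQ), the following sketch shows how an invitation link can be checked for the lookalike patterns described above before it is opened. It assumes that genuine invitations are always hosted under `zoom.us`; the function name and all sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# Assumption: genuine invitations are always hosted under zoom.us.
TRUSTED_SUFFIXES = ("zoom.us",)


def check_invite_link(url: str) -> tuple:
    """Return (trusted, reason) for a meeting-invitation URL."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if not host:
        return False, "no host"
    # "https://zoom.us@other.example/" connects to other.example, not zoom.us.
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded before the host"
    # Non-ASCII or punycode labels can render like the genuine name.
    if not host.isascii() or any(
        label.startswith("xn--") for label in host.split(".")
    ):
        return False, "internationalised (lookalike-capable) host"
    # Match on a label boundary: "zoom.us.other.example" must not pass.
    for suffix in TRUSTED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return True, "host is under " + suffix
    return False, "host is not under a trusted domain"


if __name__ == "__main__":
    # Constructed sample links, for illustration only.
    samples = [
        "https://example-org.zoom.us/j/12345678",
        "https://zoom.us.meeting.example/j/12345678",
        "https://zoom.us@meeting.example/j/12345678",
        "https://zoorn.us/j/12345678",
        "http://zoom.us/j/12345678",
    ]
    for link in samples:
        trusted, reason = check_invite_link(link)
        print(("OK   " if trusted else "BLOCK"), link, "-", reason)
```
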
# Is data submitted to Facebook when logging in?
No. Although Zoom used to use a Facebook toolkit as part of its iOS clients, this was removed in connection with a software update on 27 March 2020. None of the Nordic Council of Ministers’ users has ever been able to log into Zoom using their Facebook credentials.
# Can Windows credentials be compromised?
No, although a “UNC link issue” has been reported, which may or may not have caused issues for other meeting participants. This was rectified by way of a software update on 1 April 2020.
# What is attention tracking?
Zoom has a feature for attention tracking. This is disabled by default in NORDUnet’s Zoom service. The feature indicates to hosts which participants have the Zoom window active while screen sharing. The host cannot obtain any other information from the participants’ computers. This was disabled in connection with a software update on 1 April 2020.
# Does Zoom have a good security culture?
Yes. As far as this is possible to assess, the Nordic Council of Ministers and NORDUnet have no doubts in this regard.
We cannot guarantee that there will not be situations that may give rise to concern in the future. As with all similar products and services, one must always be careful. It is important that we work with suppliers that have a sound security culture and respond quickly to any issues that may arise.
If you have any further questions or require further information, please contact our IT manager, Kasper Hartø.