Zoom

Privacy policy for Zoom at KIT

• Privacy policy for Zoom

  
  Within the scope of its possibilities, KIT endeavors to use data protection-compliant solutions for online teaching. Due to the currently unfeasible scaling of the existing services, it was necessary to resort to the cloud-based online setting. Lecturers and students are free to decide whether or not to use a cloud-based service, knowing what data protection concerns exist on the one hand and how temporally indefinite possible alternatives to using the cloud-based service will be on the other.KIT ensures that non-utilization of cloud-based services is not sanctioned (e.g., by ensuring that students are not charged for missed deadlines caused by non-utilization of cloud-based teaching services or examinations) and thus also follows current resolutions of the Conference of Ministers of Education and Cultural Affairs.
  
  KIT has taken extensive measures to raise the use of cloud-based services to a level acceptable under the circumstances of Corona. For example, the use of Zoom at KIT is governed by an order data processing contract that has been adapted in response to KIT's requirements. In particular, KIT has succeeded in structuring the passage on the possibility of passing on personal data in accordance with data protection. In addition, settings and recommendations for data-saving use and for minimizing risks from an IT security point of view have been worked out and implemented.For example, students can participate in the sessions without having to activate their microphone or webcam, and they do not have to give their real names. Students are provided with comprehensive information about data processing via a privacy statement.

• Criticism of Zoom
  
  The Zoom implementation has been configured by KIT for data-saving use in order to minimize risks. For example, log-in via Facebook, feedback options to Zoom, and user-related statistics are disabled. Zoom is used by KIT via EU data centers; other data centers, e.g. in the USA or China, are deactivated.
  
  Lecturers can only use the software on a voluntary basis after confirming that they have read and understood the privacy policy for the use of Zoom. In addition, KIT has made extensive settings that further increase the data protection level of the software compared to the default settings.
  
  The use of Zoom is currently being discussed and commented on in the press. Among other things, the data protection statement provided by Zoom itself has been criticized and there have been reports of wilful disruption or vulnerabilities in the software. However, the provider has responded to the comments and criticism in the short term, in particular by improving the software and settings.

  Comments from Zoom

  
  The provider has recognized the high importance of the topic of data protection and information security for European users:

   

  • In the current version of the privacy policy, the provider distinguishes between the use of the marketing pages and the use of the service. To this end, it has removed the Facebook SDK from the IOS app.

  • The provider is striving for improved transparency and the implementation of additional security features, in particular the security vulnerabilities in the Mac client and regarding UNC hyperlinks have been fixed: Zoom blog post: A Message to Our Users.

  • The meetings are transport encrypted: Zoom Blogpost: The Facts Around Zoom Encryption for Meetings/Webinars.

  • Other adjustments have been made so that, for example, users:inside are routed through data centers outside of China: Zoom Blogpost: Response to Research From University of Toronto's Citizen Lab.

  Encryption of meetings

  
  The University of Toronto's Citizen Lab wrote an article on meeting encryption, among other things, concluding that meetings are not suitable for particularly sensitive communications, but are suitable for typically public or semi-public events such as lectures or seminars.
  
  Security of access data
  
  heise Security reports that a research company discovered access data for hundreds of thousands of Zoom accounts for purchase on the Darknet. At least some of the login data is said to have been obtained through automated login data sampling.
  
  By using Shibboleth, we at KIT are on the safe side in case of a specific attack on Zoom, as no passwords are stored at Zoom via this channel at any time.
  
  Regarding private Zoom accounts, we would advise you to follow the press and use complex passwords and different passwords for different user accounts in accordance with our practical tips on IT security.

   

  Update Zoom client required (version 5.8.4)

   

  For Zoom clients up to and including version 5.8.3, a serious security vulnerability has been identified by the CERT-Bund(source). Therefore, after consultation with KIT-CERT, it was decided to require regularly updated versions of the Zoom client from now on. Your locally installed Zoom client will indicate an available update. Without this update, no meeting can be started with a KIT Zoom account. The update is also required to participate in meetings conducted via KIT Zoom accounts. An update does not require any administrator privileges and can be performed by them. Alternatively, the web interface can of course be used at any time, which essentially offers an identical range of functions.

• Data protection and information security for users

  
  We recommend that our users observe the following general aspects.

  • Always use an up-to-date operating system with installed security updates on your PC, laptop or smartphone.

  • Make sure that your virus protection is up-to-date and that you use official app stores.

  • Update applications / apps, esp. web browser and meeting client, regularly.

  • Watch out for fraudulent messages, esp. check links to login or download pages.

  • Use the possible settings for camera / microphone usage on your own system.

  • Do not pass on meeting links or meeting IDs uncontrolled, e.g. via screenshot.

  • Participant names or contributions in the meeting chat should be kept anonymous; meetings are a public space.

• Privacy-friendly settings for Zoom by KIT

  
  In addition, extensive settings have been made by KIT to further increase the privacy level of the software compared to the default settings. Locked settings cannot be changed by lecturers, deactivated or activated settings can be changed by lecturers if required. The use of data centers outside the EU is blocked.

  • Automatic start of the camera and release of the own audio are locked when joining a meeting, i.e. participants have to turn on both the own audio and the camera itself.

  • Automatic answering of calls is blocked, because Zoom is used at KIT for teaching purposes only.

  • Recording is only possible for instructors in the cloud. Screen shares as well as audio and images of speakers are included in these recordings. Chat history is not recorded. In each case, recording only occurs if the instructors themselves want it and actively start it. No participants are recorded in the scenarios described above, as they are muted during the recording. They are only made available afterwards via KIT's own systems. Recordings are automatically deleted in the Zoom Cloud after 30 days.

  • Attention tracking is disabled.

  • Machine counting of participants in Zoom Rooms is blocked.

  • Access to other contact data within KIT by Zoom is blocked.

• Other preferences for a Zoom meeting

   

  • General information about "Zoombing" or against taking over a Zoom meeting: Meetings were not prepared for publishing the links. If by default sharing of own screen was enabled for participant:s, it was easy for third parties to join the meeting via link and share arbitrary content (often of offensive or even illegal nature) via screen sharing and thus disrupt it. This is better secured by default settings, esp. a random password is created for each meeting room. Lecturers usually make this link available to a closed group of people via ILIAS. Lecturers should update the link regularly if necessary, e.g. by changing the meeting password, in order to limit the risk of distribution.

  • The waiting room for the meeting rooms is activated in the default settings.
    All participants must first be admitted to the room by the moderators. Unwanted or disruptive participants can be removed from the meeting room by the presenters and prevented from re-entering.

  • Screen sharing of participants is disabled by default.

  • Meeting without a password cannot be created. This is blocked.

  • File transfers in chat are blocked and not possible.

• Contract adjustments with consideration of the Schrems II ruling

  
  Contract adjustments taking into account the requirements resulting from the Schrems II ruling of the European Court of Justice could be achieved as part of the extension of KIT's Zoom licenses from the summer semester 2021: In connection with the use of cloud providers from the USA, there is the fundamental reservation of potential access by US authorities to personal data of user:s from the EU. Through an addition to the EU standard contractual clauses and further significant, contractual progress, the negative effects of the difficult compatibility of U.S. law and EU law have been contained.
  
  The contractual negotiations also created more transparency with regard to the processing of personal data, in particular through the guaranteed restriction of data processing to servers in the EU and agreement on a clearly defined group of sub-processors.
  
  In addition to the contractual design, KIT has also done everything possible to protect Zoom's user:s as well as possible through the careful configuration of Zoom and the well-coordinated deployment scenarios.
  
  Therefore, it is not to be expected that the use of Zoom will have a negative impact on the rights of users in the context of the use of KIT Zoom licenses.

   

Zoom access

• Guide to logging in via SSO in Zoom Client