Information security in video conferences
Lately, there has been some alarming news about the information security of the Zoom service in particular.
The Zoom consumer service currently in the news differs from the Funet Miitti service used at the university. A considerable share of the reported issues are either old, already fixed or related to Zoom’s cloud service which Funet Miitti only uses to verify access rights.
For more information on what to consider when organising video conferences, please read these instructions. THE INSTRUCTIONS APPLY TO ALL VIDEO CONFERENCE SOFTWARE, not only Zoom. When handling any type of non-public information, no tool can be used freely and without consideration, as every tool comes with preconditions and requires caution.
Zoom is an acceptable tool for most university use. However, it is not suited for:
- Information under strict confidentiality, such as detailed information concerning national defence, national safety, preparation, contingency planning and business secrets.
- Sensitive personal data if the person can be identified (for more information on sensitive personal data, please see Flamma).
If there are no tools more suited for the purpose, Zoom can be used, with restrictions, for:
- Processing internal university matters.
- Processing (research and teaching) materials with limited access as long as the participants’ right to access the information has been verified (i.e. all the participants are known and have the right to participate in the video conference).
- Processing personal data if the processing of the personal data is allowed in the systems of the university’s service providers.
The restrictions are as follows:
- Prevent outsiders from accessing the meeting by means of a password and, if possible, require the participants to log in to Zoom (thus proving that all the participants are university staff or students or other users of Funet Miitti).
- Video and audio call features can be used. Avoid sharing non-public information via the screen unless it is absolutely necessary.
- Uploading files to the video communications service/downloading files from the service is not allowed.
- Recording the conference is allowed if stored in a device under the university’s centralised administration and handled with care.
- The chat feature in the service must not be used for purposes other than sharing public information.
- Invitations to the conference must not be forwarded to third parties.
- Share the conference materials through links outside the video communications service (e.g. Flamma workgroups, Riihi), not via e-mail.
- If you want to add individuals who have not received an invitation to the conference, create a new conference and invite the desired individuals.
- At the start of the conference, check the participants and keep an eye on the list of participants.
- Lock the conference as soon as it starts.
If you need to share the link publicly, you should protect the meeting using at least one of the following methods:
- Password protection: The host of the meeting can create a password in the room settings by selecting Require meeting password and specifying a password. The password is embedded in the link when the default settings are used, so participants can join the meeting directly by just clicking the link. Nevertheless, password protection helps keep out troublemakers who try to penetrate open Zoom meetings by trying to guess Meeting IDs. The password embed setting can be changed if necessary so that all the participants need a password to join the meeting. You can change this setting here: www.helsinki.fi/zoom > Sign in > Settings > Embed password in invite link for one-click join.
- Using the Waiting Room: When the Waiting Room is enabled, only the host or alternative host can access the meeting directly. The rest of the participants are directed to the Waiting Room, where they wait until the host lets them in. This also gives the hosts the opportunity to prepare for the meeting among themselves and, for example, prepare the presentation before allowing participants to join the meeting. The host can allow everyone waiting in the Waiting Room to join the meeting at once. To enable the Waiting Room, select Enable Waiting room in the meeting settings or click Security in the bottom bar during the meeting and select Enable waiting room.
- Restricting participation through registration or login: The host can determine whether participants join in directly, whether they must register (Registration in meeting settings) or whether the meeting is restricted to registered Zoom users only (this can be done by selecting Only authenticated users can join).
- Locking the meeting: The host can lock the meeting by using the Lock meeting function once everybody invited is present. After the meeting is locked, new participants may no longer join. To lock the meeting, use the bottom bar Security button and select Lock meeting.
Furthermore, hosts can restrict the use of participants’ microphones and screen sharing as well as change participants’ names using the Security button during the meeting. During the meeting, the host can remove individual attendees by hovering the pointer over the attendee’s name, clicking More and then selecting Remove.