Information security in video conferences

Lately, there has been some alarming news of the information security of the Zoom service in particular.
The Zoom consumer service currently in the news differs from the Funet Miitti service used at the university. A considerable share of the reported issues are either old, already fixed or related to Zoom’s cloud service which Funet Miitti only uses to verify access rights.

For more information on what to consider when organising video conferences, please read these instructions. THE INSTRUCTIONS APPLY TO ALL VIDEO CONFERENCE SOFTWARE, not only Zoom. When using any type of non-public information, no tool can be used freely and without consideration as all tools include preconditions and a requirement for caution.

Tabs

Detailed help

When not to use Zoom

Zoom is an acceptable tool for most university use. However, it is not suited for:

  1. Information under strict confidentiality, such as detailed information concerning national defence, national safety, preparation, contingency planning and business secrets.
  2. Sensitive personal data if the person can be identified (for more information on sensitive personal data, please see Flamma).

When to use Zoom

If there are no tools more suited for the purpose, Zoom can be used, with restrictions, for:

  1. Processing internal university matters.
  2. Processing (research and teaching) materials with limited access as long as the participants’ right to access the information has been verified (i.e. all the participants are known and have the right to participate in the video conference).
  3. Processing personal data if the processing of the personal data is allowed in the systems of the university’s service providers.

What to do when processing non-public information in a video conference

  • Prevent outsiders from accessing the meeting by means of a password and, if possible, the participants must be required to log in to Zoom (thus proving that all the participants are university staff or students or other users of Funet Miitti).
  • Video and audio call features can be used. Avoid sharing non-public information via the screen unless it is absolutely necessary.
  • Uploading files to the video communications service/downloading files from the service is not allowed.
  • Recording the conference is allowed if stored in a device under the university’s centralised administration and handled with care.
  • The chat feature in the service must not be used for purposes other than sharing public information.
  • Invitations to the conference must not be forwarded to third parties.
  • Share the conference materials through links outside the video communications service (e.g. Flamma workgroups, Riihi), not via e-mail.
  • If you want to add individuals who have not received an invitation to the conference, create a new conference and invite the desired individuals.
  • At the start of the conference, check the participants and keep an eye on the list of participants.
  • Lock the conference as soon as it starts.

Further information