Security of remote and hybrid meetings and video conferencing applications

For most university use, video conferencing is a viable solution. However, it is not suitable for:

• Secret information, such as detailed information related to national defence, national security, preparedness and contingency, and trade secrets.
• Sensitive personal data where the individual is identifiable (for more information on sensitive personal data, see Flamma)

With some restrictions, video conferencing may be used if no other suitable medium is available:

• For processing internal university matters.
• For processing access‑restricted (research and teaching) materials, provided that participants’ right to access the information has been verified (i.e., all participants are known and confirmed to have the right to join the video meeting).
• For processing personal data, provided that the processing of such data is permitted within the systems of the university’s service providers.
• Zoom or Teams is not designed for (sensitive) research interviews, but there are no other tools available at the university for conducting interviews remotely apart from the telephone.
  • However, with certain measures (see checklist below), the risks of using Teams and Zoom can be managed.

Be careful when sending your invitation to a remote meeting

• Make sure that the invitation goes to the right people.
• Make sure that the invitation information is not freely visible to everyone in your calendar.
• Always create a new appointment for each meeting or interview. Do not use a recurring event (except for meetings with the same list of participants) or your personal Zoom room.
• In the case of a survey interview, send the invitation link to the participants only 24 h before the interview.

Use security features

• In Zoom, you should use all three (3) methods to secure your remote meeting: password (passcode), Waiting Room, and login requirement.
• In Teams, a remote meeting can be protected by implementing security features:
  • waiting room and choosing that only organisers can attend meetings directly and accept other participants
  • forcing unconfirmed participants to confirm their information
• Check the participants at the beginning of the meeting and follow the participant list.
  • Close the meeting when all necessary participants have joined.

Be careful when recording the meeting

• Save the meeting using the service's own cloud recording service or save meetings with sensitive information directly to your own computer (read instructions to ensure successful Zoom meeting storage).

Be careful with your meeting materials

• Sensitive meeting materials should be shared by linking from outside the video messaging service (e.g. Flamma working groups, Riihi).
  • Do not upload files to or from the video messaging service.
• The sharing of non-public information through the screen must be avoided if it does not prevent the meeting from being carried through.
• The chat functionality of the service should not be used for non-public information.

We do not recommend that AI bots be used or approved in Zoom and Teams meetings. AI bots are usually third party services, and we cannot determine which data the services store, where the data are stored or where the data are subsequently used.

The meeting organiser has a responsibility to take care of the participants in their meeting. The organizer can therefore ban AI bots from attending and remove bots from their meetings.

• In Zoom, you can remove a participant by clicking on the three dots after the name and selecting Remove.
• In Teams, you can remove a participant by clicking on the three dots after the name and selecting Remove from meeting.

If another person's AI bot sends you notes or recordings of a meeting, do not click on the links in the message. However, if you do visit to check, for example, what notes the bot took, do not give the bot access to your own data, such as your calendar or email.

If you accidentally activate an AI bot that logs into your meetings, takes notes and makes recordings you don't want, in most cases you can disable it by logging into the service and deleting your account.

Read also about the general principles of using AI in Flamma.
 

To protect your meetings, Zoom has three different security features, one of which must be selected when creating the meeting.

A Passcode is the default, but you can also choose between a Waiting Room or Authentication, the mandatory login to Zoom. You can select all security features if you wish.

You can also consider locking the meeting during the meeting, so that no new participants can join the meeting.

Even in larger team or workgroup meetings, it is a good idea to select mandatory login in addition to the password, so that meeting participants can be identified.

Read more about security measures in the Zoom instructions.

If your Teams meeting includes participants from outside the University of Helsinki, consider protection. There are different types of external users in Teams:

• anonymous access means that unauthenticated users can join the meeting, for example via a browser, and authenticated users from any organization can join the meeting.
• external access means that the meeting can specify which users and organizations can join the meeting.

Other tips

• In Teams you can also choose who can join the meeting directly and who must wait in the lobby.
• The settings can also be configured so that anonymous users cannot start a meeting; instead, the meeting must be started by someone from the University of Helsinki.

• Read more about Flamma's collaboration and participation tools.
• Read more about Flamma's sensitive personal data.
• Read also about the general principles of using AI in Flama.
• Funet Mit (Zoom) FAQ (eDuuni Guidelines)
• NORDUnet Zoom: GDPR and Privacy Facts (Nordu.net)
• Security and Microsoft Teams (Microsoft)
• Zoom Privacy Policy