Zoom security for colleagues signing on from outside EU

2020-04-22 12:15

Following the link shared by Lisa, here's some more useful info from helpdesk on security of use of Zoom through SU...

Thanks for the link, Lisa. This is good, but still didn’t quite address the concerns of our colleagues signing on from outside EU. But I also received this very helpful reply from helpdesk…

TIM: Please can you help with some information about Zoom security for people joining meetings from outside of EU. Please see the thread below for previous conversations with Bengt Hall, who has now referred me to you. What I’m looking for is a clear answer whether I can guarantee to my colleagues in India, US and Africa that they will not be compromising their systems, data or devices if they join a Zoom call hosted by SU through NORDUnet. Anxiety around Zoom security is disrupting our meeting schedules. I understand that Zoom through NORDUnet uses data servers in EU and covered by GDPR, but I can’t find a definitive reassuring statement for participants from outside EU joining those calls.

HELPDESK: Stockholm University uses the Zoom service from the supplier Sunet. Sunet uses NORDUnet as the technical supplier of the service. For Stockholm University, Zoom is not part of "public Zoom". NORDUnet's Zoom service complies with GDPR and other European data legislation, and all data is stored and processed within the EU. NORDUnet has its own license for Zoom and has the installation on-prem (On Premise) on its own servers. It is thus a private instance, a private cloud, of Zoom for Sunet's / NORDUnet's customers. All meeting data stops completely in NORDUnet's installation. A certain amount of personal data is shared with Zoom / EU (Frankfurt). Personal data is not shared with Zoom / US. Zoom on SU uses SWAMID for login, i.e. federated login. This means that no password is stored in the Zoom service.

• All data from meetings is stored in Stockholm / Copenhagen (video, voice, chats, shared pictures, etc.)
• Metadata around meetings is stored in Frankfurt (username, SSO attributes such as employee, student, IP address, network quality, geo-information).
• Licensing organization, i.e. Stockholm University, as well as the licensing type and number of licenses are stored at Zoom in the USA.

TIM: Can I please ask 3 follow-up questions:

1. Do my colleagues in India have to install the public version of Zoom on their device in order to join meetings hosted in Stockholm?
2. Are there any known risks from installation of the Zoom app or software on the security of your device, or passwords etc. held on that device?
3. Thank you for the advice not to share strictly confidential information due to the lack of encryption. Would other services such as Skype, WhatsApp, Adobe Connect provide that?

2020-04-22 10:12:32 by Engström, Fredrik

Hi Tim,

1. If they have received an invitation, they can join as guests and do not have to install or use an actual account. However, for the best experience a signed-in client is preferred.
2. There are no known risks from the Zoom application (there was, on Mac, a year ago). In our case at Stockholm University we use our own identity provider to log in. If you use the global service of Zoom, you log in as you would any other service, and that in itself is not less secure than logging in to Gmail, Office365 or any other cloud service.
3. To clarify, Zoom traffic between user and server IS encrypted, but the meeting on the server is not encrypted. The exception being traffic from an analog phone, as previously mentioned. In our case, that means meetings are hosted on our servers provided by NORDUnet. This is the reason why Zoom can uphold high video and audio quality with a large number of participants. And it is no different from other services in that regard. Other services might, however, offer peer-to-peer encryption, but that only works when there are no more than two participants. So Zoom is basically as secure or unsecure as the competition. With the exception that we have a Nordic/Swedish infrastructure that supports it.

Other universities in Sweden treat meetings in Zoom as a phone call, as in if the information is ok to handle on a phone, it is ok in Zoom as well.

I hope this clarifies.

regards
Fredrik


By: Tim Daw


2026 - Stockholm Resilience Centre