Zoom at LU and Security

N.B. Security Issues When Connecting via Web Browser and Telephone

We have new information that data for meeting attendees joining via web browser may be routed via countries outside the EU. This is not in line with GDPR regulations. While this is being investigated further, we recommend that all users download the Zoom client to their computers and use the client at all times.

Furthermore, if you join a meeting using any of the available phone numbers, data may also be routed via countries outside the EU. Hence, we do not recommend joining a meeting by dialling in to it.

LU Zoom Is Not the Same as Free Zoom

As an employee or a student at Lund University you have access to LU Zoom. When you log in to LU Zoom at https://lu-se.zoom.us you end up at European servers, which means that user data and video content stay within the EU. How user data is processed is regulated with a data protection agreement (DPA or in Swedish PUBA [1]) between NORDUnet [2] and Zoom, and there is a chain of DPAs from NORDUnet via SUNET to Lund University. This is completely different compared to using a free version of Zoom, where both user data and video content end up at American servers.

You should always use https://lu-se.zoom.us for your Zoom meetings! Read more about how to log in to LU Zoom.


Data Management and Data Storage

Colleges and universities in the Nordic countries that use Zoom have this service operated by NORDUnet. 

Zoom operated by NORDUnet is GDPR compliant and in accordance with other European privacy directives. This is secured through the individual contracts entered into and the chain of Data Processing and sub-processing agreements.

Data from users of NORDUnet's Zoom service is not stored with Zoom in the United States. The account data is stored in Zoom datacentres in Europe.
We use dedicated servers installed in Copenhagen, Denmark; Stockholm, Sweden; Helsinki, Finland; and Oslo, Norway, for all meetings and meeting data.

Personal information about users of NORDUnet's Zoom service is processed within the EU in accordance with the applicable data processing agreement. This applies to personal information necessary for using the service, such as first name, last name, email address.

NORDUnet's Zoom service allows for local recording. If a meeting is recorded, participants in the meeting are automatically notified with a symbol in the video window and in the attendee list. The recording is automatically saved locally on the host's computer.


Data Is Encrypted, but Do Not Discuss Sensitive Topics

The transmission of data from your computer to the server, and from the server to the computers of the other participants, is encrypted and cannot be eavesdropped on in transit. Within the server, a decryption takes place that theoretically allows server administrators to access the meeting content. How these server administrators interact with your meeting is one of the things that is included in the DPA. Because of this decryption, you should not use Zoom to discuss classified data or sensitive personal data!

If you need to discuss confidential or sensitive personal data, you can use end-to-end encryption to create a more protected meeting to prevent unauthorized persons from accessing the meeting content.


Keep the Zoom Client Updated

The Zoom client has a history of vulnerabilities, and it is therefore of the utmost importance that you keep the Zoom client updated. If you have a PC (PC.LU.SE) or a Mac (LUMAC) that is managed by Lund University, the updates will be handled via self service portals. Important security updates may be rolled out to your computer automatically, but minor updates you may have to download yourself. If you use an unmanaged or private computer, you must make sure yourself that you are using the latest version, which you can find at https://zoom.us/download.


How to Ensure the Safety in Zoom Meetings

A meeting room in Zoom consists of a randomly generated code, and a code that the system has generated can also be generated by a "troll". The reports of so-called "Zoombombing" are instances where someone has randomly generated a meeting ID, joined the meeting and created disruptions. There are several ways you can protect yourself from this kind of intrusion, and you can read more about how to secure your meeting on the following pages:


  1. Information regarding DPA/PUBA at the LU Staff pages
  2. NORDUnet is a collaboration between institutions of higher education in the Nordic countries, and provides procurements and services for these.


Is something missing? Do you have ideas or questions? Feel free to contact us on digital@education.lu.se