Hot on the heels of Microsoft’s report card from the Dutch department of Justice and Security comes news of rival messaging platform Zoom receiving a nod via a renewed Data Protection Impact Assessment (DPIA).
The assessment was performed by the Privacy Company and commissioned by SURF, the purchasing organisation for the Netherlands' universities.
The first assessment kicked off in 2020 and, by May 2021, concluded that there were nine high and three low data protection risks for users of the video conferencing platform.
These risks included worries about where personal data was actually being processed and the retention of customer data.
The latest DPIA, however, has given the US videoconferencing giant the green light, albeit with some provisos. Risks remain, but according to the Privacy Company “universities and government organisations can mitigate these risks themselves.”
Zoom's end-to-end encryption on all chats and meetings received a thumbs-up, as did a commitment from Zoom to process all personal data (such as account, diagnostic and support data) exclusively in European data centres by the end of the year. A European helpdesk (due online by the middle of 2022) also met with the approval of researchers.
However, while “there remains a risk that US authorities order Zoom to provide access to the data it processes in Europe, without informing the customer”, it was reckoned that the probability of such a risk was low – occurring less than once every two years.
Zoom itself was pleased with the assessment, and said the DPIA "reflects the respect that Zoom has for European data protection policies and principles." The events of the last two years have certainly demonstrated the need for virtual meetings and remote working. Zoom is unlikely to want to pass up on the revenue potential and so has tweaked things, leaving just those outstanding low privacy risks.
Those risks include access to content data by US authorities, which is mitigated through means including end-to-end encryption, "privacy friendly settings", and establishing policies prohibiting the use of identifying data in room or topic names. The transfer of diagnostic and support data is also a worry, but is mitigated by using pseudonymous names and a European mail provider.
Rival in the chat space, Microsoft, had its own run-in with Dutch authorities in February's DPIA, in which a number of high risks were noted, with mitigations including turning on end-to-end encryption and not exchanging anything sensitive on the platform in situations where E2EE was not an option. Risks were also noted for users of Google's productivity suite, and it has been made clear what the tech giants need to do in order to dodge the ire of the regulators.
In the case of Zoom, new privacy features, an EU support desk and a bit more transparency appear to have done the trick (although some elements, such as the processing of nearasdammit all personal data in the EU, might not happen until the end of 2022). For its part, Microsoft has also pledged that EU data won't leave the EU with its EU Data Boundary.
The latest DPIA also suggested some mitigations of the low risks, such as enabling end-to-end encryption for all calls, meetings and chats and warning users “that E2EE is technically not possible when using Zoom via the browser, and that the browser should therefore only be used for non-confidential sessions such as attending a class.”
It also suggested institutions make local recordings instead of cloud recordings, consider using single sign-on with pseudonymous names, use a vanity URL "(such as universiteitX.zoom.us) to prevent IP addresses being transferred to Zoom when users log in", and "do not use the American mail provider Twilio, which Zoom has built in by default to send invitations for webinars. Use your own European mail provider."
The Privacy Company’s report concludes: “If Zoom and the Dutch universities and government organisations apply all agreed and recommended measures, there are no known high risks for the individual users of Zoom’s videoconferencing services.”
An update to the DPIA and DTIA is expected in 2023. ®