Zoom can abuse university data, IT union warns

37,500 bachelor’s and master’s degree students are now starting their semester at the University of Copenhagen. Due to the risk of coronavirus infection many students will have online teaching – often through the video conferencing service Zoom.

Students and professors cannot be certain that their video recordings and personal data are in safe hands, however.

This is according to the Danish trade union for IT professionals PROSA. They say that Zoom’s subsidiary in China can access audio files and video material which can be used to monitor thousands of residents in Denmark, and to develop facial recognition and the production of fake news.

PROSA has previously criticised the university for failing to comply with IT security practices on the matter, and the university has, so far, rejected the criticism. According to PROSA, however, the system still has a security breach during high traffic volume periods.

»Legally speaking, we do not doubt that the University of Copenhagen has protected itself. Zoom may not abuse the data. But this just does not mean that it won’t happen,« says Ole Tange, IT policy consultant at PROSA.

Security breach at high traffic volumes

The video service Zoom has faced widespread criticism in the media.

Several countries have limited the use of Zoom because of concerns about data security. Zoom has a large research and development department in China and may therefore have connections to Chinese authorities that could potentially want to spy on Zoom users. To add to this, there are issues like Zoom bombing, where hackers connect up to Zoom meetings and, say, share pornography or other unwelcome content. Zoom has said to the Danish news site Berlingske, however, that the company »takes its users’ privacy, security and trust extremely seriously,« and that a multitude of institutions have examined Zoom’s security measures thoroughly and have chosen to use the service.

Zoom may not abuse the data. But this just does not mean that it won’t happen.

Ole Tange, IT policy consultant at PROSA

The University of Copenhagen has chosen the service, and Zoom is currently the most frequently used video conferencing service at the university, followed by Microsoft Teams and Adobe Connect.

PROSA has criticised the use of Zoom for some time. In the beginning of June, chairman of the association Niels Bertelsen wrote in a featured comment on the Danish section of the University Post that it »opens a gateway for tech giants’ unnecessary surveillance«.

Shortly afterwards, the university’s deputy director for IT Klaus Kvorning Hansen replied that the University of Copenhagen takes data security »very seriously«, and that the university had, for the same reason, entered into a data processing agreement with Zoom via the Danish e-Infrastructure Cooperation (DeiC), a unit under the Ministry for Higher Education and Science to ensure computing, storage and network infrastructure for Danish research, education and innovation.

In the data processing agreement it states that personal data from students and staff at the University of Copenhagen will be stored on Copenhagen servers run by NORDUnet, a collaboration between DeiC and its Nordic sister institutions.

A Freedom of Information request by PROSA to the Danish Agency for Science and Higher Education shows, however, that the programme also uses Zoom’s servers in Stockholm when the system is using high volume.

And this is a problem, according to Ole Tange from PROSA:

»When you use Zoom, you cannot be sure that your data will remain in Denmark. This is a problem if it turns out that Zoom provides data to someone who we are not interested in them having.«

Can be used for facial recognition and fake news

Ole Tange guesses that Zoom has high traffic volume during weekdays between 8 am and 2 pm. This means that the video conversations for which there is no capacity on Danish servers will be channelled to Zoom servers in Stockholm, and can therefore be saved on them. (Zoom users can see where their data ends up by clicking on a small (i) in the left-hand corner of the programme).

There is also the risk that Zoom and its Chinese research and development unit have put in a back door to the software, which means that they relatively easily can make a copy of, say, audio recordings. And this is even though the servers are in Denmark, according to Ole Tange.

The University of Copenhagen has therefore no guarantee that the data cannot be abused, he says, and points to recent revelations that the Danish Defence Intelligence Service FE has been spying on Danes for ten years.

»Trust is just not the same as a guarantee. And I want a guarantee – not just a legal guarantee, but a technical guarantee,« says Ole Tange.

According to Ole Tange, data from online teaching and other Zoom calls can be used for many different purposes: Zoom is recording your voice, and advanced software can abuse the audio file to get you to say something you have not said. This type of technology was used in 2018 in a manipulated video of the former US president Barack Obama.

When you log on to Zoom, it registers your face which can be used for facial recognition purposes. This type of technology is used by Chinese authorities for keeping people under surveillance and pointing them out if they, say, participate in demonstrations.

In addition, it is likely that employees at a large university like the University of Copenhagen, share confidential information about, say, their research projects on Zoom.

Prosa’s proposal is that the university should try out other video conferencing services, where there is a better chance of technically preventing the abuse of data. It could be the service Jitsi, which is open source, so that it is possible to check whether there are back doors in the software, according to Ole Tange. He also says that the Danish government is cautious when it comes to the Chinese Huawei, which has not been allowed to deliver 5G equipment, so they should also be cautious when it comes to Zoom.

This applies in particular to teaching hours where students have to have a microphone and a camera on.

»If there really is no better alternative to Zoom, then we would have to accept it. But I do not think that Klaus Kvorning Hansen argues for it not being possible to use something else,« says Ole Tange.

Why is PROSA getting involved with this case? What interests do you have at stake as a union?

»Sure, we are just a trade union. But we are a trade union for IT professionals, and that’s why we’re getting involved with this issue. We can help specify what problems will turn up, that ordinary people won’t be able to see before in 10-15 years time.«

»We are not Luddites resisting progress. We would just like things done properly,« says Ole Tange.

University supplier: PROSA misunderstanding

Neither the University of Copenhagen, nor the umbrella organisation Danish e-Infrastructure Cooperation (DeiC), accepts the way PROSA describes the issue.

Every day we use an email client or a GSM phone, we risk that bad actors have access to our data.

Martin Bech, head of research and technology, DeiC

While Zoom has security challenges, the external servers in Stockholm are not a security problem, says Martin Bech, head of research and technology at DeiC, who is responsible for the data processing agreement between the University of Copenhagen and Zoom.

»PROSA has misunderstood this. We do not use Zoom’s general infrastructure. We have our own infrastructure and our own servers which are in the greater Copenhagen area.«

Martin Bech says that the servers in Stockholm are leased via Zoom from Amazon, which owns the servers. The servers, however, are an extension of their own installation – they are dedicated servers – and Zoom therefore does not have access to them. The same explanation can be found on Deic’s website.

But the Amazon servers are an expensive solution, according to Martin Bech. And he therefore expects that DeiC will expand its own server infrastructure, so that they, towards the end of 2020, are able to avoid paying for Amazon’s.

So that Zoom can’t get access to the data?

»No. The servers are dedicated to us and managed by us. We make a point of ensuring that Zoom does not have access to people’s data. This is a very specific situation where we have managed to have our own servers via NORDUnet.«

Martin Bech says therefore that Zoom does not have access to the data, as it is only the employees of NORDUnet that have access. But if Zoom had ill intentions, they would be able to get it. But Zoom has this in common with all suppliers of client software and all providers of cloud infrastructure, he says:

»Every time we use an email client or a GSM phone, we risk that bad actors have access to our data. This is the way it is for all the IT infrastructure we use – this is not just for Zoom.«

PROSA not buying it

So DeiC says that according to the data processing agreement, Zoom does not have access to the data because we are talking about dedicated servers that are not part of the rest of Zoom’s commercial activity. But this is not enough for Ole Tange from PROSA.

»There is a legal agreement which states that Zoom will not touch the data because they are placed on a dedicated server. For this reason, DeiC trusts that Zoom will comply with this agreement. Can you say more? I don’t think so.

»If the revelations of Edward Snowden are not enough to have you losing this trust, then what will it take?« says Ole Tange.

UCPH: No security breach

At the University of Copenhagen, deputy director of UCPH IT Klaus Kvorning Hansen rejects the idea that the system has a security breach. Like Martin Bech, he emphasises that the Zoom servers in Stockholm are covered by the same guidelines and agreements as NORDunet’s servers in Denmark, and that this has always been part of the data processing agreement.

»This is not an exceptional case. We need to make sure that Zoom – like all other suppliers – live up to the agreements that we have,« says Klaus Kvorning Hansen.

»This is not an exceptional case.

Klaus Kvorning Hansen, Deputy Director for IT at the University of Copenhagen

Can you be 100 per cent sure that Zoom cannot access your data if they want to?

»We can never do that, and PROSA is absolutely right. We cannot be 100 per cent certain; there are a few rotten eggs. We can never protect ourselves completely. We can only take a lot of precautions and enter into legal agreements,« says Klaus Kvorning Hansen.

He says that the university is doing its best to find a balance between security risks and functionality. In this respect, Zoom is neither worse nor better than other suppliers, he says:

»No matter how much we exert ourselves to protect our data, people with ill intentions who have the necessary access could get hold of our data. It is a constant struggle,« says Klaus Kvorning Hansen, and points to the case of Aalborg University which was recently exposed to a major hack that also hit the University of Copenhagen to a limited extent.