Commission presses Zoom for security assurances but continues to use platform

The European Commission is looking for further assurances from US video conferencing platform Zoom regarding the security of its technology, after concerns emerged earlier this year over the company’s privacy protocols.

Meanwhile, the EU executive has revealed that it still uses the platform for a limited type of video call, despite questions over the security of the software.

The Commission “has asked Zoom for its latest security audit reports and additional information, particularly relating to its encryption controls,” Human Resources Commissioner Johannes Hahn said on Tuesday (6 October), in response to a written question from Italian MEP Mara Bizzotto.

The Zoom platform is still being used by the Commission for “nonsensitive online workshops and webinars,” Hahn revealed, adding that the institution still has licenses for the use of the technology.

This is despite Zoom not being an approved IT solution for use by the Commission’s services, and that internal guidelines have been circulated instructing Commission staff not to use the video conference software for work, according to a report from Politico.

However, Hahn did disclose that Zoom’s contract agreement with the Commission stipulates that online workshops and webinars staged by the executive and held on the platform are “hosted on services located in the EU.”

China and Zoom’s security record

The Commission’s call for Zoom to provide more assurances with regards to its security safeguards and level of encryption comes following the news that a large portion of the company’s research and development activities take place in China, potentially placing EU data at risk of surveillance from national authorities.

Moreover, multiple security flaws have been identified on the platforms since its rapid rise during the coronavirus pandemic, including so-called examples of ‘Zoombombing’ – referring to the unwelcome intrusion into video conference calls by internet trolls, as well as certain data breaches, such as Zoom accounts being sold on the dark web.

This has led to a certain degree of suspicion in Europe. Earlier this year, the German Foreign Office banned the use of the platform, and EU institutions in Brussels have generally distanced themselves from employing Zoom’s tools for video conference formalities that have been carried out while social distancing rules have been in place.

The Commission is understood to prefer Cisco tools such as WebEx and Jabber, as does the European Data Protection Supervisor – the data protection authority for the EU institutions. For multi-lingual public calls, the Commission and the Parliament use the Lithuanian platform Interactio.

In response to the recent concerns, a Zoom spokesperson told EURACTIV that the company is working closely with the EU executive in a bid to mitigate the concerns.

“Zoom is in communications with the European Commission and we are actively engaging with them to provide any information they need to make informed decisions,” the spokesperson said.

For its part, the European Data Protection Supervisor is yet to release any guidance on the use of Zoom within the EU institutions.

However, the use of the platform has provoked the concern of certain national data protection authorities in the EU. In April, Ireland’s Data Protection watchdog revealed that it is liaising with other data protection authorities in Europe on the security of the US video conferencing platform.

Irish Data Protection Commissioner Helen Dixon had reportedly become concerned following reports of third-party hacking into the Zoom platform.

[Edited by Benjamin Fox]

Read more with EURACTIV

Mass surveillance permitted only for national security concerns, EU court says

EU countries are permitted to carry out the indiscriminate transmission and retention of communications data only when there is a 'serious threat to national security', the bloc's highest court ruled on Tuesday (6 October).