Beware of illegal software, use GDPR-compliant Big Blue Button
Unlawful use of Cisco Webex at university
The data protection officer has checked the use of the video conference software Webex at the Free University of Berlin. Their conclusion is: illegal.
The video conferencing software Cisco Webex used at the Free University of Berlin (FU) does not comply with data protection regulations and is therefore illegal. The Berlin data protection authority informed the University's General Student Committee (AStA) on request.
The data protection authority checked the use of Webex after an application by the AStA in January 2021. The university was informed of the result on November 16, the data protection authority informed the AStA. "In order to find out whether and, if so, over what period of time a continued use of the service appears tolerable, it must be clarified whether the FU can take certain technical and organizational measures that decisively reduce the violation of the fundamental rights of the persons concerned", says it in the letter of the authority.
"One of the problems with the use is that Cisco has not yet ended the illegal transfers of personal data to the USA - as far as the data protection officer can see from the outside - and a non-legally compliant order processing contract is being used. There is also the problem of unauthorized access under European law American authorities, "said Simon Rebiger, press spokesman for the data protection officer, when asked by Golem.de. In addition, contractually unauthorized subcontractors would be used to provide the service. "The current use of Webex Events, Webex Training and Webex Teams by the Free University of Berlin has also assessed the data protection officer as illegal," said Rebiger. Because these are not covered by the order processing contract concluded by the Free University of Berlin. If the FU wanted to continue to use the services, attention was drawn to the fact that the data processing in connection with the software had to be checked and a comprehensive order processing contract had to be concluded, the data protection authority informed the student council.
AStA criticizes the handling of data protection at the FU.
The AStA welcomes the decision. "The FU under the direction of Chancellor Andrea Bör has already noticed problems in dealing with data protection issues in the past. This was also shown by the misconfiguration of the campus management grading system a year ago. The grades of all students were publicly available. The decision of the data protection officer is a necessary corrective for the failure of the FU in this area ", said Janik Besendorf, consultant for data protection and communication of the AStA.
"The AStA FU demands a data-saving solution without compromises. Ideally on servers of the FU", explained the student representatives in a press release. Other universities such as the Berlin HU or some departments of the FU have shown that this is possible by operating instances of the open source video conference software Big Blue Button.
A number of established video conferencing solutions had already failed a short test by the Berlin data protection officer in mid-2020. Services like Zoom, Teams and Skype from Microsoft as well as Google Meet, GoToMeeting, Blizz and Cisco Webex could not be used legally. But there were also alternatives that could be used in a legally secure manner.