Using third-party (not supplied by the vendor for example Zoom, Microsoft, Google Meet or Webex) bots and AI in virtual meetings can offer convenience and efficiency when transcribing and recording meetings. While the idea of automating transcription or automatically generating a to-do list sounds appealing, it is essential to exercise caution and consider the security risks associated with third-party solutions. Examples of third-party bots include:

• OtterPilot also known as Otter.AI
• Fireflies.ai
• Meet Record
• Sembly

This is not a complete list of third-party bots. Any bots not created by Zoom, Microsoft, Google Meet or Webex are third-party.

At this time the Office of Cybersecurity has not reviewed the security and availability of any AI bots for use with sensitive or restricted (HIPAA) data and therefore they should not be added to meetings with those levels of data.

The risks of using meeting bots are similar on all meeting systems. Some of these risks include:

• Bots require access to the following data about users and the meeting participants 
  • Contacts
  • User profiles
  • Calendar access
  • In addition to any content discussed in the meeting (voice recording, voice to text translation, inference of jargon, etc). 

• The data is no longer controlled by the university and could result in data leakage, loss of intellectual property, violation of compliance regulations,  fines, and penalties for the university.
  

Zoom

There are ongoing discussions for the proposal of enabling the AI meeting bot functions in Zoom, known as the Zoom AI Companion, in the UW–Madison instance. If enabled, the tool will be covered by a Business Associates Agreement (BAA) and has been vetted for both HIPAA and non-HIPAA use cases. It would be the only UW–Madison approved bot for meeting use. No other AI meeting assistant bot tools are approved at this time, and all other bots are disabled on the HIPAA side of Zoom. However, vendors can also bypass these blocks.

Blocking Bots from Zoom:

• Meeting hosts should set-up a captcha and lobby for all guests to a meeting. This will prevent most bots from joining meetings. 
• Learn how to enable the captcha and the waiting room settings for your meetings.
• Hosts can remove bots and unknown attendees.

Additional Security Measures:

• Avoid Improper Sharing: Be cautious when integrating meeting information with third-party calendars.
• Waiting Room: Set up a waiting room for meetings with confidential topics. This allows the host to remove unwanted attendees/bots before the meeting starts.

Microsoft Teams

Microsoft Teams does not currently have any approved AI bots, and there are discussions to add Microsoft CoPilot integration to the tool. No other tools are approved, and UW-Madison is not currently disabling any apps.

Google Meet

Google Meet does not currently have any approved AI bots. No other tools are approved, and UW-Madison is not currently disabling any apps.

Webex

Webex does not currently have any approved AI bots. No other tools are approved, and UW-Madison is not currently disabling any apps.

This is a rapidly evolving technology and this document will be updated as changes are made to the systems. For any questions on these topics please contact: rmc-cybersecurity@cio.wisc.edu. To request a Cybersecurity review of a tool, please fill out this form: https://go.wisc.edu/tr9601