Managing third-party meeting bots
Using third-party (non-vendor-supplied) bots and AI in virtual meetings can offer convenience and efficiency for transcription and recording. While automating transcription or generating to-do lists sounds appealing, exercise caution and consider the security risk of these tools. Examples of third-party bots include:
- OtterPilot, also known as Otter.AI
- Fireflies.ai
- Meet Record
- Sembly
This is not a complete list of third-party bots. Any bots not created by Zoom, Microsoft, Google Meet, or Webex are third-party.
The Office of Cybersecurity has not reviewed the security and availability of any third-party AI bots for use with sensitive or restricted (HIPAA) data and, therefore, they should not be added to meetings with those levels of data.
The risks of using meeting bots are the same across all meeting systems. Some of these risks include:
- Bots require access to the following data about users and the meeting participants, in addition to any content discussed in the meeting (voice recording, voice-to-text translation, inference of jargon, etc.):
  - Contacts
  - User profiles
  - Calendar access
- Any data collected by third-party bots is no longer controlled by the university and could result in data leakage, loss of intellectual property, violation of compliance regulations, fines, and penalties for the university.
Zoom
The Zoom AI Companion has been enabled within the UW–Madison instance. This tool is covered by a Business Associates Agreement (BAA) and has been vetted for both HIPAA and non-HIPAA use cases. It is the only UW–Madison-approved bot for third-party meeting use. No other AI meeting assistant bot tools are approved for use within Zoom at this time, and all other bots are disabled on the HIPAA side of Zoom. However, vendors can also bypass these blocks.
Blocking Bots from Zoom:
- Meeting hosts should set up a captcha and lobby for all guests to a meeting. This will prevent most bots from joining meetings.
  - Learn how to enable the captcha and the waiting room settings for your meetings.
- Hosts can remove bots and unknown attendees.
Additional Security Measures:
- Avoid Improper Sharing: Be cautious when integrating meeting information with third-party calendars.
- Waiting Room: Set up a waiting room for meetings with confidential topics. This allows the host to remove unwanted attendees/bots before the meeting starts.
Microsoft Teams
Zoom AI Companion can be invited to Teams meetings and is approved and enabled to work in this capacity. No other tools are approved, and UW–Madison may disable third-party apps for security purposes.
Google Meet
Zoom AI Companion can be invited to Google Meet meetings and is approved and enabled to work in this capacity. No other tools are approved, and UW–Madison is not currently disabling any apps.
Webex
The Cisco AI Assistant has been enabled in Webex in the UW–Madison instance. This tool is covered by a Business Associates Agreement (BAA) and has been vetted for both HIPAA and non-HIPAA use cases. No other tools are approved for use within Webex, and UW–Madison is not currently disabling any apps.
This is a rapidly evolving technology, and this document will be updated as changes are made to the systems. For any questions on these topics, please contact rmc-cybersecurity@cio.wisc.edu. To request a Cybersecurity review of a tool, please fill out this form: https://go.wisc.edu/tr9601
