Hi, wanted to reopen a topic from a previous thread:
Is there a way to make getMeetingParticipants endpoint available to all roles? Right now it is just limited to Host and Co-host.
My reasoning is: the response array of Participant just contains three fields per participant - the participantUUID, screenName, and role - all of which are already available in the built in Zoom Participants panel.
@h.g I spoke further with our product team and learned that we only allow hosts to access the getMeetingParticipants API due to the screen name field.
Often that field contains PII and the user cannot change the name they are using especially before an app opens. For example, in a workplace context where the first and last name are configured by business admins or user provisioning.
This would then allow participant apps to track potentially legitimate PII throughout meetings would not align with our security and data privacy policies and goals.
@MaxM thanks for tracking it down and the explanation!
I just wanted to share my two cents before closing the thread:
It seems like we are conflating business admin and meeting host here? If there is PII set by the business admin, then they should be the only ones with permissions to read this sensitive data.
Anyone who is not a business admin can host a meeting, and thus are given rights to this data if they are host. If we truly wanted to protect this PII, then this endpoint shouldn’t exist on the ZoomSDK in the first place.
As much as we would love for this endpoint to be available to all, it seems like removing this endpoint altogether might be in the best interest of your legal team? But then again, all the participant names are available to all participants anyways so unsure if there’s a way to dance around this.
I appreciate your thoughts on this! While joining a meeting is implicit consent to give the host and other participants of the meeting your screen name (potential PII) what the user does not consent to is having that PII programmatically exported from the meeting to another system that could potentially do anything they wanted with it.
It’s one thing to have users keeping track of each across meetings. It’s an entirely different issue if we are directly allowing apps to record and track this PII across meetings. Potentially creating a map of meeting interactions or something else equally invasive.
It’s worth mentioning that we are really at the forefront of these data privacy protections and are continually improving our strategy to strike the balance between very secure and very usable.
That is to say, if this isn’t the best way for us to handle this flow we are definitely open to updating our strategy here.