University of Illinois Urbana-Champaign Senate



Zoom Privacy and Security: Some Remarks as of April 13, 2020

Note: Technology Services maintains the most current Zoom security and privacy guidance at https://go.illinois.edu/ZoomSecurity. Because software evolves quickly, please check that page or consult your IT person for questions concerning the latest Zoom recommendations and feature changes. The following discussion contains information only as of April 13, 2020 and only to address some questions that have arisen.

General Remarks

A Senate IT committee review of the Zoom platform as of April 13, 2020 suggests that Zoom recently experienced significant growing pains as usage of its service increased due to the COVID-19 pandemic. A series of poor design choices left the original platform especially vulnerable to Zoombombing and a number of security problems that have been widely discussed in the local and national news. Since receiving this attention, Zoom appears to have fixed many of its most widely discussed problems. For an exhaustive discussion of these issues and how Zoom responded by April 3rd, see the recent article entitled “Every Zoom Security and Privacy Flaw So Far, and What You Can Do to Protect Yourself.”

In addition, Zoom has recently announced a freeze on developing new features and a shift to focus on security and privacy issues. Zoom has created a webinar that some of you may find helpful, entitled best practices for securing your virtual classroom. Many of the “best practices” described in this webinar are now turned on by default in Zoom. Because issues relating to privacy and security are evolving, Technology Services is maintaining a knowledgebase page about Zoom security practices.

Many of the initial concerns raised in the national media – Zoombombing in particular – have now been addressed in ways that require no further action on your part so long as you have installed the most recent Zoom application. Please contact your local IT support if you need help updating Zoom. Zoom now uses passwords as a default to help prevent Zoombombing. Our review suggests that Zoom has disabled attention tracking, which once used facial recognition algorithms that proved controversial. Zoom no longer bypasses ordinary system installation protections, and we understand that it no longer shares user data with Facebook. The University also has its own contract with Zoom, which means that the terms of our contract are different from those for the general public. Among other things, our contract with Zoom explicitly protects the FERPA rights of students.

Here are some additional tips that you may find useful:

Zoom Guidance for Classroom or Other University Uses

 

Additional Zoom guidance for meetings subject to the Open Meetings Act
Meetings that are subject to the Open Meetings Act must be open to the public. For the public to attend, you must publish any meeting password with the meeting link. You should also make sure the Waiting Room is enabled to screen people for real names. Another route that some Committee chairs might use for Senate business is a Zoom Webinar, where only specific people are given the links to be participants who can be seen or heard. Committee chairs should reach out to the Office of the Senate if they would like to discuss such options.

Sensitive Meetings and Vulnerable Populations
Security always involves a trade-off with functionality. By its nature, all electronic communication has some privacy risks, no matter how secure an application is. For video conferencing, Zoom does not provide end-to-end encryption because of the impact it would have on functionality. If you are meeting about highly sensitive or confidential subject matter or have participants from populations who are especially vulnerable to risks of government surveillance, you should contact the Technology Services Help Desk or your local IT professional for advice before using Zoom. The University is in the process of rolling out a HIPAA-protected Zoom space as well.

Privacy of Zoom within the University
As in the case of other University-wide applications such as Outlook, Compass, and many others, the University has many administrative abilities to provide technical support to our Zoom users and to monitor stability of the application. Those capabilities come with some privacy concerns that are not yet explicitly addressed in the University’s existing policies in this area. (See Appropriate Use of Computers and Network Systems and Privacy Policy.) To address these issues, the Senate IT committee has put in a request to the Office of the Provost to begin a privacy and data management policy review and recommend modernizations of these policies in coordination with the Senate.

Alternatives to Zoom
If you do not wish to use Zoom for any reason, the University’s Skype for Business and Microsoft Teams are alternatives that offer video conferencing. Here is information on scheduling a Skype for Business meeting. Technology Services also has a guide for getting started with Microsoft Teams. Platforms that are not University-approved may be against University policy, depending on how they are used, and may have issues with accessibility, security, and privacy. If you have particular questions about alternatives and whether they are consistent with University policy, please contact your IT person.