Zoom Privacy and Security

Key Points: York's Zoom service is hosted on servers in Canada and the US Zoom recordings and whiteboards saved after May 4, 2022 are stored in Canada Zoom uses end-to-end encryption to safeguard content shared between participants Zoom's participant focus tracking feature is disabled in York's Zoom service

Zoom Security Controls

Using one or more of the below security controls is recommended to help protect the integrity of your Zoom meetings.

1. Require a passcode for the meeting and do not re-use passcodes across multiple meetings.
2. Make use of the waiting room feature.
3. Under Schedule Meeting, Enable Only Authenticated Users Can Join and choose Passport York.
4. Do not post zoom meeting links on publicly available sites.
5. Use the setting to mute participants upon entry.
6. Add registration to classes for attendees to register instead of posting a generic zoom meeting URL.
7. Disable private chat to prevent anyone from getting unwanted messages during the meeting.
8. During a meeting:
   1. Restrict screen sharing.
   2. Stop a participant's video.
   3. Lock the meeting.
   4. Remove a participant.
   5. Report a participant.

See more info on security controls from Zoom here.

Other Security and Privacy Notes

Malicious links over Zoom chat

Zoom's chat feature can be used to share links to resources, and an attacker who gains access as a participant to a meeting can send links that point to malicious content. Users should take care and avoid clicking on unsolicited links in Zoom chat, similarly as they would with links sent via email. Hosts can use features described above to manage participants and help prevent misuse by unauthorized individuals.

Use of personal information for the purposes of advertising

Many websites track your access to their site. For example, third-party services such as Google Analytics, Facebook and DoubleClick, track your surfing habits to drive targeted advertising. For a more detailed overview about how trackers work and the information that they collect please review this article on how these third party platforms track what you do on the web.

Zoom does use some of these services, however these services are NOT used at the https://yorku.zoom.us login page. Google Analytics is used after you have logged in, similarly to many other websites at York and in common use on the Internet.

The Zoom iOS app was noted to collect and send device information to Facebook each time the app is used, similarly to many other mobile apps, however Zoom has discontinued that by removing the Facebook SDK according to their statement.

Hosts being able to track focus of participants

With this feature, the meeting host can determine if participants are being attentive to the conference or meeting, or if they are doing other things while listening in. This feature is disabled and not available for use by York Zoom users.

Session recording and storage

Hosts have the ability to record Zoom sessions and are advised to be transparent with participants when doing so - to assist with this, York's Zoom instance is configured to automatically inform users when the host begins or stops recording, or when users join a meeting where recording is in progress. When recording "to the cloud", please note that Zoom cloud storage is used. Zoom recordings and whiteboards created since May 01, 2022 are stored in Canada instead of the United States, where they were stored before. Alternatively, it is possible to record to the local computer instead - such local recordings can be synced to the York's OneDrive cloud storage which is hosted by Microsoft and located exclusively in Canada. Hosts also have the ability to grant participants to record sessions and to store those recordings on the participant’s local computer. Hosts are likewise advised to be transparent with all participants when granting such permissions to individual participants.

It is possible for participants to use third party applications to record sessions without the host’s permission or knowledge. This risk exists with all web conferencing services and is not unique to Zoom. Hosts should be aware of this risk and manage the content shared within the service accordingly. We will continue to identify opportunities to configure the Zoom service to improve the privacy of hosts and participants as it relates to recording.

Have questions?

The Information Security team continues to explore ways in which security can be improved within the Zoom platform and will update these best practices with up-to-date information. If you have questions or concerns, please contact UIT at: askit@yorku.ca.

Additional resources

• Zoom Privacy Policy – https://zoom.us/privacy
• Zoom privacy statement for Canadian customers – https://zoom.us/docs/doc/PIPEDA_PHIPA%20Canadian%20Public%20Information%20Compliance%20Guide.pdf
• Zoom Security Information – https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
• Zoom Terms of Service – https://www.zoom.us/terms
• Electronic Frontier Foundation – What you should know about online tools during COVID-19 https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis
• Tips for meeting hosts https://blog.zoom.us/wordpress/2020/03/20/keep-the-party-crashers-from-crashing-your-zoom-event/
• York's OneDrive cloud storage with yuoffice https://yuoffice.yorku.ca/onedrive/