Zoom Privacy and Security Guidance

Privacy and information security for the York community are of paramount importance. With the recent move to online courses via the Zoom video conferencing service, the campus community has raised some privacy and cybersecurity concerns. This article addresses some of these concerns and provides guidance to help you protect your privacy and the privacy of others. Below are some of the common issues raised to our support teams, along with advice for members of our community using Zoom.

Zoom bombing

Zoom bombing is when an uninvited participant joins a Zoom meeting anonymously for the purposes of disrupting the meeting with language and/or sharing disturbing content. To help minimize the potential for this, we recommend the following:

  1. Use a random meeting ID instead of a personal meeting ID.
  2. Use the feature to require a passcode for the meeting.
  3. Make use of the waiting room feature.
  4. Under Schedule Meeting, enable "Only Authenticated Users Can Join" and choose Passport York.
  5. Do not re-use passwords for multiple meeting URLs.
  6. Do not post Zoom meeting links on publicly available sites.
  7. Add registration to classes so that attendees register, instead of posting a generic Zoom meeting URL.
  8. Mute all participants that are already in the meeting as well as new participants joining the meeting. Do not allow participants to unmute themselves.
  9. Disable private chat. This is to prevent anyone from getting unwanted messages during the meeting.
  10. Restrict screen sharing.
  11. Report a participant during a meeting.

As a host, you can also control who is able to share content, and you have the ability to unmute or remove participants. See more info from Zoom here.

Malicious links over Zoom chat

Zoom's chat feature can be used to share links to resources, and an attacker who gains access to a meeting as a participant can send links that point to malicious content. Users should take care and avoid clicking on unsolicited links in Zoom chat, just as they would with links sent via email. Hosts can use the features described above to manage participants and help prevent misuse by unauthorized individuals.

Use of personal information for the purposes of advertising

Many websites track your access to their site. For example, third-party services such as Google Analytics, Facebook and DoubleClick track your surfing habits to drive targeted advertising. For a more detailed overview of how trackers work and the information that they collect, please review this article on how these third-party platforms track what you do on the web.

Zoom does use some of these services; however, these services are NOT used at the https://yorku.zoom.us login page. Google Analytics is used after you have logged in, similarly to many other websites at York and in common use on the Internet.

The Zoom iOS app was noted to collect and send device information to Facebook each time the app is used, similarly to many other mobile apps. However, according to their statement, Zoom has discontinued that by removing the Facebook SDK.

Hosts being able to track focus of participants

With this feature, the meeting host can determine if participants are being attentive to the conference or meeting, or if they are doing other things while listening in. This feature is disabled and not available for use by York Zoom users.

Session recording and storage

Hosts have the ability to record Zoom sessions and are advised to be transparent with participants when doing so. To assist with this, York's Zoom instance is configured to automatically inform users when the host begins or stops recording, or when users join a meeting where recording is in progress. When recording "to the cloud", please note that Zoom cloud storage is used and is located in the United States. Alternatively, it is possible to record to the local computer instead. Such local recordings can be synced to York's OneDrive cloud storage, which is hosted by Microsoft and located exclusively in Canada. Hosts also have the ability to grant participants permission to record sessions and to store those recordings on the participant's local computer. Hosts are likewise advised to be transparent with all participants when granting such permissions to individual participants.

It is possible for participants to use third-party applications to record sessions without the host's permission or knowledge. This risk exists with all web conferencing services and is not unique to Zoom. Hosts should be aware of this risk and manage the content shared within the service accordingly. We will continue to identify opportunities to configure the Zoom service to improve the privacy of hosts and participants as it relates to recording.

Have questions?

The Information Security team continues to explore ways in which security can be improved within the Zoom platform and will update these best practices with up-to-date information. If you have questions or concerns, please contact UIT at: askit@yorku.ca.

Additional resources

Updates

[Mar 30 2020] According to Motherboard, Zoom says it has removed the Facebook SDK from its iOS application, which was used to allow logins from Facebook, and that it was unaware of the device data collection occurring while the SDK was in use. The article above was updated with this new information.

[Mar 30 2020] Added mention of York's Zoom setting that informs users when the host is recording a meeting. Added note on Zoom bombing.

[Apr 1 2020] Updated Zoom bombing info and added note on malicious links.

[May 28 2020] Updated Zoom bombing info.

[Sept 14 2020] Added note on Zoom bombing.