Zoom Security
As people worldwide adjust to working, learning, teaching, and socializing remotely, videoconferencing tools, and Zoom in particular, have become more and more ubiquitous.
Zoom Security Issues and Updates
Alongside the uptick in Zoom’s use, there are growing concerns about the software, ranging from protection against “Zoombombing” to the security of the application and a lack of transparency in its privacy policy.
CCA’s Technology Services and Academic Technology departments are actively monitoring these issues and evaluating how they may impact the CCA community.
At this time, Zoom remains CCA’s recommended videoconferencing platform for staff, students, and faculty.
Zoom has already taken steps to resolve some of the most concerning security and privacy issues, and new configurations are available to protect against unauthorized meeting participants.
All software companies regularly push updates or fixes when security flaws are discovered. Zoom’s recent widespread use has in some ways led to increased scrutiny, and while concerns about the software remain, Zoom has generally addressed such issues rapidly.
Securing Your Zoom Meetings: Resources to Get You Started
Zoom has prepared a number of resources to help users maintain and protect their meetings. Here are a few highlights:
- Zoom’s Covid-19 Support and Training Hub - videos, webinars, documentation, and blog posts to help you use Zoom effectively for remote working and teaching contexts.
- New, simplified security features for hosts - making it easier for hosts to secure their meetings from a single Security toolbar.
- Keeping Unwanted Guests Out of Your Zoom Meetings - tips, tricks, and available options to lock down your meetings.
- Zoom blog post on recent security issues - including a summary of fixes, updates, and links to helpful documentation.
Outlined below are some of the recent Zoom user concerns. Updates and additional tips have been provided where relevant.
Data Privacy Issues
Privacy Policy Ambiguity
Zoom’s privacy policy has come under fire for its ambiguity regarding just how and where it collects, shares, and/or sells your personal data.
Updates:
- Zoom recently updated their privacy policy to provide more clarity, which you may read in full here.
Personal Data Collection and Third-Party Tracking Tools
Zoom’s marketing websites (for example, zoom.com) collect user data from cookies and other analytics and tracking tools, which Zoom may sell or otherwise make available to third parties for advertising purposes.
Updates:
- Zoom does not sell data collected from your meetings to third parties.
- This is—for better or worse—standard industry practice. Zoom does meet minimum legal requirements in this regard, as you can adjust your browser’s cookie settings and otherwise opt out of any targeted advertisements you receive as a result of Zoom’s data collection.
- Read our guide on Managing Cookies on Your Browser to learn more.
Zoom’s iOS App Sending User Data to Facebook
Zoom’s mobile application for iPhones made use of Facebook’s Software Development Kit (SDK) to enable users to log in using their Facebook account. It has since been discovered that the Facebook SDK was collecting user data even when the user didn’t have a Facebook account or didn’t otherwise engage with the Facebook login feature.
Updates:
- Since becoming aware of this issue, Zoom has reconfigured this feature to avoid unnecessary data collection by Facebook. Read more about the changes here.
Undisclosed Data-Mining with LinkedIn Sales Navigator
When users signed in to a meeting, Zoom automatically collected their information to match them to their LinkedIn profiles. A Zoom application called the LinkedIn Sales Navigator enabled users to view other meeting participants’ LinkedIn profile data during meetings and without their permission.
Updates:
- Zoom has since discontinued this application permanently.
Security Issues
Attention Tracking Feature
Zoom had a feature by which meeting hosts could track whether attendees had navigated away from the Zoom window for a certain period of time.
Updates:
- Zoom has since removed this feature. Read more about this change here.
Malicious Links in Zoom Chat
A vulnerability was discovered by which someone could post a malicious link into a Zoom meeting’s chat log, using it to steal a user’s Windows credentials through what is known as a UNC path injection attack.
Updates:
- Zoom has pushed a patch to resolve this issue. You can read more about this issue and its resolution here.
- Practice the same caution before clicking links in Zoom chat as you would in your email. If you don’t recognize the sender, don’t click!
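A UNC path (for example \\host\share\file) names a remote host, and Windows attempts to authenticate to that host when the path is opened, which is why such links in chat are risky. The following is an added example, not Zoom's or CCA's code: a check that flags and neutralizes UNC paths and remote file:// URLs in chat text. The chat lines, the host names, and the allowlisted file server `campus-fs01` are constructed assumptions.

```python
import re

# UNC path: two backslashes, a host, a backslash, then the share and file.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\\S+")
# file:// URL with a host part; file:///C:/... has no host and is not matched.
FILE_URL_RE = re.compile(r"file://([A-Za-z0-9._-]+)/\S*", re.IGNORECASE)
PATTERNS = (("unc", UNC_RE), ("file_url", FILE_URL_RE))


def find_remote_paths(message):
    """Return (kind, host) for each remote file path found in a chat message."""
    hits = []
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(message):
            hits.append((kind, match.group(1).lower()))
    return hits


def scan_chat(lines, allowed_hosts=frozenset({"localhost"})):
    """Return (line_no, kind, host) for paths whose host is not allowlisted."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, host in find_remote_paths(line):
            if host not in allowed_hosts:
                findings.append((line_no, kind, host))
    return findings


def neutralize(message):
    """Replace each remote path with a plain-text marker that cannot be clicked."""
    for _, pattern in PATTERNS:
        message = pattern.sub(
            lambda m: "[remote path removed: %s]" % m.group(1), message)
    return message


# Constructed sample chat lines (hypothetical layout, not a real Zoom export).
SAMPLE_CHAT = [
    r"10:01:07 Host: Slides are at https://example.edu/slides.pdf",
    r"10:02:15 Guest42: notes here \\203.0.113.7\share\notes.docx",
    r"10:02:40 Guest42: or file://files.example.net/share/a.txt",
    r"10:03:02 TA: class folder is \\campus-fs01\courses\design101",
    r"10:03:30 Student: mine is saved in C:\Users\me\Documents",
]

if __name__ == "__main__":
    for finding in scan_chat(SAMPLE_CHAT, {"campus-fs01"}):
        print(finding)
    print(neutralize(SAMPLE_CHAT[1]))
```

Ordinary web links and local drive paths pass through unflagged; only paths that name a remote file host outside the allowlist are reported.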
Mac Client Issues
In July 2019, a security problem in Zoom on Mac computers was widely reported. The flaw allowed a web page to launch a meeting and start streaming audio and video from your computer.
Updates:
- Zoom pushed a fix for this problem shortly after it was widely reported.
End-to-End Encryption
Zoom had security settings available to enable end-to-end encryption for meetings, but the encryption provided was not in fact end-to-end as it is generally understood.
Updates:
- Zoom has since clarified its current encryption capabilities and outlined some ways in which it plans to further develop its encryption.
Access to Recordings Posted Online
Concerns have arisen regarding unfettered access to view/download Zoom recordings that have been posted online.
Updates:
- If you wish to make a Zoom recording available for users to view, be mindful about access. Follow CCA’s data sharing and storing guidelines.
- Know your responsibilities with regard to other participants in the recording. Keep in mind any legal obligations you may have regarding disclosure of personal identifying information, and obtain consent as needed.
Configuration Issues
Preventing Zoom-bombing
With increasing frequency, unauthorized users have gained access to open and/or public Zoom meetings, posting and/or showing inappropriate or otherwise malicious content.
Updates:
- Zoom has rolled out a number of features and default settings to prevent Zoom-bombing.
- Additional documentation addresses the ways you can customize and manage your meeting security settings. See Zoom’s recent blog post on ways hosts can effectively manage and secure their meetings.
- Zoom has also developed a feature to streamline security settings for hosts.
- CCA is evaluating default software configurations.