Zoom video conferencing: Best practices for privacy and security
PAUL MUIR, IT SECURITY MANAGER AND INFORMATION SECURITY OFFICER, McMASTER UNIVERSITY
This page was updated on August 25, 2020
Privacy and information security for the McMaster community are of paramount importance. With the recent addition and availability of the Zoom video conferencing service, some privacy concerns have been raised by the campus community, including Zoom routing encryption keys through servers in Beijing, China, among other surveillance and censorship concerns.
This article provides Zoom users with some best practices to protect their privacy and make their Zoom sessions as secure as possible.
McMaster’s campus-wide license
Accessing Zoom through the McMaster campus-wide license adds a layer of security, compared to an individual account, as it limits external access and surveillance. The McMaster IT Security team recommends Zoom for open or public-facing sessions. Please see the Zoom support page for other ways to make your meetings as secure as possible within this platform.
Zoom bombing
Zoom bombing is when an uninvited participant joins a Zoom web conference anonymously and disrupts the meeting with unwanted language and content sharing. This practice has gained a lot of attention in the media because of a few unfortunate incidents in online lectures hosted by other higher education institutions.
To prevent Zoom bombing, customers of the service are advised familiarize themselves with the security features on the service and to manage attendance and the actions of participants within each Zoom web conference:
- Use the Waiting Room feature to manage who can join and to prevent unwanted visitors from participating in web conferences.
- Control how participants share content by preventing sharing or by requiring that they request permission before sharing.
- Learn how to mute participants to prevent unwanted messages in the chat window and how to remove participants that are disruptive.
For more guidance on the prevention of Zoom bombing please review this article.
Use of personal information for the purposes of advertising
Many websites track your access to their site. For example, third-party services such as Google Analytics, Facebook and DoubleClick, track your surfing habits to drive targeted advertising. For a more detailed overview about how trackers work and the information that they collect please review the following article on how these third party platforms track what you do on the web.
Zoom does use some of these services, however these services are NOT used at the https://mcmaster.zoom.us login page. Google Analytics is used after you have logged in.
If you would like to prevent web advertisers from tracking your surfing habits, we recommend using a privacy browser extension such as Privacy Badger. Privacy Badger is available for most commonly used browsers and will prevent third-party trackers from accessing your information. Using Privacy Badger does not affect the ability to join a Zoom call, nor does it impact audio and video quality while in a conference or meeting.
The Zoom iOS app also collects and sends information to Facebook each time the app is used. This is common to many iOS apps and not unique to Zoom. The Zoom Privacy Policy is not clear on this, and hosts and participants using the iOS app shold be aware that this collection is occurring.
Hosts being able to track focus of participants
With this feature, the meeting host can determine if participants are being attentive to the conference or meeting, or if they are doing other things while listening in. This feature is disabled and not available for use by McMaster users.
Session recording
Hosts have the ability to record Zoom sessions and are advised to be transparent with participants when doing so. Hosts also have the ability to grant participants to record sessions and to store those recordings on the participant’s local computer. Hosts are likewise advised to be transparent with all participants when granting such permissions to individual participants.
It is possible for participants to use third party applications to record sessions without the host’s permission or knowledge. This risk exists with all web conferencing services and is not unique to Zoom. Hosts should be aware of this risk and manage the content shared within the service accordingly. We will continue to identify opportunities to configure the Zoom service to improve the privacy of hosts and participants as it relates to recording.
Have questions?
The IT Security team continues to explore ways in which security can be improved within the Zoom platform and will update these best practices with up-to-date information. If you have questions or concerns, please contact the University Technology Services technical support team at uts@mcmaster.ca.
Additional resources
- Zoom Privacy Policy – https://zoom.us/privacy
- Zoom privacy statement for Canadian customers – https://zoom.us/docs/doc/PIPEDA_PHIPA%20Canadian%20Public%20Information%20Compliance%20Guide.pdf
- Zoom Security Information – https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
- Zoom Terms of Service – https://www.zoom.us/terms
- Electronic Frontier Foundation – What you should know about online tools during COVID-19 https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis
- Security Boulevard – Using Zoom? Here are the privacy issues you need to be aware of https://securityboulevard.com/2020/03/using-zoom-here-are-the-privacy-issues-you-need-to-be-aware-of/