Skip to main content

Technology at SCU

Statement on Zoom Security and Privacy

Zoom is Santa Clara University's official video and web conferencing service. We have been tracking reports and news coverage of privacy and security concerns with Zoom. This FAQ provides a list of those concerns with our responses. It will be updated as more are received.

At this time, the Information Security team uses Zoom daily. We endorse the use of Zoom, using SCU's enterprise license, for remote instruction and work. In discussions with other college and university Information Security leaders, most agree that Zoom is an appropriate work and instructional collaboration tool.

Please feel free to email the Information Security office at iso@scu.edu to submit additional questions to be answered here.

This question has arisen primarily from news coverage about a feature in the iOS Zoom app which shared device data with Facebook. This feature has been removed. Prior to this change on March 27, Zoom was using a common software development kit (SDK) from Facebook to enable login functionality using a Facebook account. That Facebook SDK included default data collection.

As a direct result from the public concern, Zoom investigated the situation and recognized the issue. They opted to re-engineer their application to no longer leverage the Facebook SDK. They do still allow for Facebook accounts to be used for the consumer version, but the device data is no longer shared and no data is shared if Facebook login is not used.

Zoom released a public statement on their blog about the use of Facebook's SDK and their decision to change.

 

 

 

This concern primarily stems from news coverage of the privacy policy Zoom had published on their website.

In general, users should always be aware of the privacy policies for services they access. However, University members should also be aware that when we license a service such as Zoom, we enter into a contractual agreement that provides additional protections to data and privacy beyond what is available in consumer versions. While Zoom already does not sell or share data from meetings, they also cannot use other data that we have provided them beyond delivering their service to you.

Here is Zoom's statement.

Using the SCU licensed version of Zoom (by logging into Zoom following these instructions) protects you and SCU under our Enterprise contract.

 

This concern primarily stems from news coverage of how Zoom describes their security for meetings and webinars.

In documentation, as well as their applications, Zoom makes references to "end-to-end encryption" (also known as "E2E encryption"). As with many aspects of technology, commonly understood terms or phrases can also have highly specific technical requirements to be valid. Many researchers felt that Zoom's description of end-to-end description was disingenuous. Zoom does enlist encryption in many ways, but in some instances falls short of true end-to-end encryption, for example with phone calls into Zoom sessions.

Zoom's statement on end-to-end encryption states:

"To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients."

See the next section, "Is Zoom safe for confidential meetings?" for additional information.

This concern primarily stems from an assessment conducted by The Citizen Lab, a research entity at the University of Toronto.

The research that was conducted by members at The Citizen Lab, examined the encryption technology that the Zoom service uses. In their findings, the researchers identified a method in which they could possibly compromise the encryption that secures the audio and video of Zoom meetings. They also shared that the encryption keys that are created by Zoom for each session can come from servers located in China. Zoom has subsequently created "geofencing" to prevent communication with servers located in China, and have released a statement that they are working to improve their encryption.

We continue to recommend Zoom as an acceptable tool to deliver University work and instruction. We will continuing to monitor this issue, will closely follow Zoom’s development, and provide updates as information becomes available. 

This concern primarily stems from news coverage of how the Zoom meeting chat could be used to obtain the hash of a user's credentials from a Windows computer if a participant clicked on a specially crafted link. This link was a Windows file location link, not a web link. Zoom has subsequently updated their Windows client software to prevent this issue. To verify you have the latest Zoom client, please reference the Zoom set-up instructions; at the bottom of that page is a section on how to check for updates.

This concern primarily stems from news coverage of how a macOS computer with Zoom installed could have its camera and microphone enabled without knowledge of the user.

The security researcher that identified this vulnerability also noted that it requires the device to already be compromised in some fashion. The attacker must either have physical access to the macOS computer or have remote access through some other means.

Zoom has not yet released a public statement.

We recommend users ensure their devices are physically safe and not compromised with malicious software to mitigate this attack method.

This concern has been highlighted by a report from the Washington Post that described confidential Zoom recordings that were stored online and publicly available. 

This appears to be related to Zoom customers making these recordings public (either intentionally or accidentally), rather than due to Zoom's default practice. Zoom cannot control how customers store recordings after the fact.

 

 

These concerns relate to default meeting settings. Zoom meetings have bedn joined by malicious actors who were able to guess meeting IDs or found them publicly posted online, and then joined and disrupted active meetings. This was possible because Zoom did not require passwords on meetings by default.

We recommend you add a password to your Zoom session and only share the Zoom link to your intended participants by Email or via another secure location, such as your class session in Camino. 

Beginning on April 17, passwords will be enabled on all new Zoom meetings going forward. Existing meetings will not be changed, but you can add passwords to existing meetings yourself.

Yes, before SCU licensed Zoom, other options including WebEx were evaluated. Zoom was the clear winner in ease-of-use, manageability, and over all software capabilities. 

No software product is without security bugs. WebEx has had significant security flaws as recently as this year. Both Cisco and Zoom take the security of their products seriously, and regularly patch their software to fix known flaws. Both companies have designed their products for enterprise use, not consumer use.

The enormous rise in popularity of Zoom in recent months speaks to the ease of use of their product. Some of that no doubt is from consumers using the free version, which does not have the same privacy and security controls that our license provides. Our enterprise version of Zoom is secure and is appropriate for instruction and general purpose remote work. 

This relates to an optional feature Zoom provided in advanced meeting settings and it was not enabled by default. If enabled by the meeting host (the meeting creator), that host could identify if a participant didn't have the Zoom window as the foremost active window for more than 30 seconds. Zoom has permanently removed this feature.

Summary

We don't believe that the issues above warrant abandoning Zoom for other alternative. Most of these issues are low to medium issues that have garned attention because of the explosive growth of Zoom's platform over the past month, or relate to settings that have always been user-controllable. Zoom has demonstrated a serious commitment to the security of their platform. They have been forthright and transparent about their efforts toward restoring trust. Additionally, all software has bugs. The fact is that we would have to stop using Windows and Mac computers, Apple and Android smartphones, and really any other technology device if we expected zero security issues. More important is that when issues are raised, companies deliver prompt updates to secure their products. We believe Zoom passes this test.