Zoom Security and Privacy Settings

Recommended Meeting Settings for Zoom

ITC recommends the following Meeting Settings to increase the security and privacy of your Zoom meetings and Zoom recordings: Security Settings for Class Meetings in Zoom.

General Recommendations for Zoom Settings

  • Only sign in with your Dartmouth Zoom account; do not use a personal Zoom account for Dartmouth meetings
  • Use the Zoom client to host and join meetings whenever possible
  • Configure Zoom to disable video sharing by default to prevent inadvertent sharing of video
  • Software Updates
    • Zoom provides a pop-up notification when there is a new mandatory or optional update within 24 hours of logging in.
    • You can check for updates on the Zoom desktop client by clicking your profile picture and then clicking Check for Updates. If there is a newer version, Zoom will download and install it. For more information, see Where Do I Download The Latest Version?
  • Zoombombing and Password Stealing
    • Take precautions to prevent uninvited guests from joining your meeting
    • Avoid using your Personal Meeting ID (PMI) to host public events. Your PMI is basically one continuous open meeting that anyone with the link can join at any time, invited or not. Learn about meeting IDs and how to generate a random meeting ID (at the 0:27 mark) in this video tutorial.
    • Only share Meeting IDs with people that you want to join the meeting. Treat a Meeting ID like a password; do not make it public.
    • In advanced options, only allow authenticated users
    • In advanced options, set up a waiting room.
    • Dartmouth is not aware of any instances of Zoombombing, but if you do fall victim, please report to infosec@dartmouth.edu.
  • For sensitive topics
    • Consider disabling the use of phone dial-in numbers
    • Consider setting a meeting password and communicating the password to participants through a different mechanism, such as Slack or text

Zoom is a leader in teleconferencing software but, due to the increased demand for remote conferencing and collaboration tools in the past few weeks, Zoom’s software has come under increased scrutiny. Listed below is security and privacy information related to Zoom.

Software Vulnerabilities

  • Recommendations Generally
    • Keep software up to date; this ensures you have the latest fixes and patches to address any security issues that have been discovered
    • Turn on automatic updates for all software that supports it
    • If prompted to restart an application for updates, do so as soon as possible
    • Don't click on links from unknown people

Vulnerabilities potentially exist in all software platforms and Zoom is no different in this regard. When a vendor becomes aware of a critical flaw in its software, such as a flaw that would allow someone to take over a camera, the vendor should release an update ASAP.  Zoom is following this practice and has prioritized the patching of many of the issues reported over the last several weeks.

Emergency software patching is one reason why it’s important to keep your software up to date.  This is true for web browsers, browser plugins, operating systems, word processors, the whole range of things.  Often, a vendor will fix a vulnerability and release a patch before it announces the problem.  If your software is up to date, then the problem is fixed before you are even aware of the problem.

Privacy - Encryption, Webcams and Data

Zoom’s privacy settings and practices have also been scrutinized. Specifically, concerns were raised about a lack of clarity on encryption, webcam hijacking, and a lack of transparency regarding its usage of data, specifically around the use of Facebook’s Software Development Kit on iOS. Most of these issues have been addressed in an announcement from Zoom on April 1, 2020. For more information, visit Zoom Privacy Policy.

  • Zoom Encryption
    • By default, Zoom is encrypted.
    • In a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, Zoom encrypts all video, audio, screen sharing, and chat content at the sending client, and does not decrypt it at any point before it reaches the receiving clients.
    • When a user joins a Zoom meeting using a device that does not inherently use Zoom’s communication protocol, such as a phone connected via traditional telephone line rather than the application, Zoom’s encryption cannot be applied directly by that phone or device.
    • For more information, see Facts Around Zoom Encryption for Meetings-Webinars.
    • Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor does Zoom have means to insert its employees or others into meetings without being reflected in the participant list.
  • Zoom and Webcam Hijacking
    • Most of the coverage on this topic references an already patched issue raised in August 2019
    • There have not been any recent reports of webcam hijacking in Zoom
  • Zoom and Data Usage
    • Zoom does not sell users' data
    • No data regarding user activity on the Zoom platform – including video, audio, and chat content – is ever provided to third parties for advertising purposes.
    • Zoom does not monitor your meetings or their contents.
    • Zoom complies with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR and the CCPA.
    • Zoom has discontinued use of Facebook except where users have opted to sign in with Facebook in a browser.
    • Unless a meeting is recorded by the host, the video, audio, and chat content is not stored.
    • When a meeting is recorded, it is the host’s choice to store the recording either locally on the host’s machine or in the Zoom cloud.

Details

Article ID: 104405
Created: Mon 4/6/20 12:21 PM
Modified: Thu 4/9/20 9:56 AM