Zoom Security and Privacy Settings

Summary

Recommendations and answers to recent questions related to security and privacy in Zoom

Body

Recommended Meeting Settings for Zoom

ITC recommends the following Meeting Settings to increase the security and privacy of your Zoom meetings and Zoom recordings: Security Settings for Class Meetings in Zoom.

General Recommendations for Zoom Settings

  • Only sign in with your Dartmouth Zoom account (@dartmouth.edu); do not use a personal Zoom/email account for Dartmouth meetings.
  • Use the Zoom client to host and join meetings whenever possible. Log in to the Zoom client with the SSO button on the login screen.
  • Configure Zoom to disable video sharing by default to prevent inadvertent sharing of video (Settings->Video->Stop my video when joining a meeting)
  • Software Updates
    • Zoom provides a pop-up notification when there is a new mandatory or optional update within 24 hours of logging in.
    • You can check for updates in the Zoom desktop client by clicking your profile picture, then clicking Check for Updates. If there is a newer version, Zoom will download and install it. For more information, see Where Do I Download The Latest Version?
    • ITC recommends keeping your Zoom client up to date for the best security and feature sets. Enable auto-updates by going to Settings->General->Zoom Updates
  • Zoombombing and Password Stealing
    • Take precautions to prevent uninvited guests from joining your meeting: avoid posting the Zoom meeting link on social media such as Twitter or Facebook.
    • Do not use your Personal Meeting ID (PMI) to host public events. Your PMI is basically one continuous open meeting that anyone with the link can join at any time, invited or not.
    • Only share Meeting IDs with people that you want to join the meeting. Treat it like a password; do not make it public.
    • In advanced options within Settings, only allow authenticated users. Learn more about authentication settings here.
    • In advanced options, set up a waiting room.
    • Please report any instances of Zoombombing to InfoSec - Report Zoom Bombing
  • Security Settings for Class Meetings - Click here for more info
  • For sensitive topics
    • Consider disabling the use of phone dial-in numbers.
    • Consider setting a meeting password and communicating the password to participants through a different mechanism such as Slack or text.
    • Consider sharing the actual meeting link closer to the event date.

See below for more security and privacy information related to Zoom.

Software Vulnerabilities

  • Recommendations Generally
    • Keep software up to date. This ensures you have the latest fixes and patches to address any security issues that have been discovered.
    • Turn on automatic updates for all software that supports it.
    • If prompted to restart an application for updates, do so as soon as possible.
    • Don't click on links from unknown people

Vulnerabilities potentially exist in all software platforms and Zoom is no different in this regard. When a vendor becomes aware of a critical flaw in its software, the vendor should release an update ASAP. 

Emergency software patching is one reason why it’s important to keep your software up to date.  This is true for web browsers, browser plugins, operating systems, word processors, etc.  Often, a vendor will fix a vulnerability and release a patch before it announces the problem.  If your software is up to date, then the problem is potentially fixed before you are even aware of the problem.

Privacy - Encryption, Webcams and Data

  • Zoom Encryption
    • By default Zoom is encrypted. See details about Zoom's End-to-End encryption here
    • In a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, Zoom encrypts all video, audio, screen sharing, and chat content at the sending client, and does not decrypt it at any point before it reaches the receiving clients.
    • When a user joins a Zoom meeting using a device that does not inherently use Zoom’s communication protocol, such as a phone connected via traditional telephone line rather than the application, Zoom’s encryption cannot be applied directly by that phone or device.
    • Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.
  • Zoom and Data Usage
    • Zoom does not sell users' data
    • No data regarding user activity on the Zoom platform – including video, audio, and chat content – is ever provided to third parties for advertising purposes.
    • Neither Zoom nor Dartmouth monitors your meetings or their contents.
    • Zoom complies with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR and the CCPA.
    • Unless a meeting is recorded by the host, the video, audio, and chat content is not stored.
    • When a meeting is recorded, it is the host’s choice to store the recording either locally on the host’s machine or in the Zoom cloud.

Details

Article ID: 104405
Created: Mon 4/6/20 12:21 PM
Modified: Tue 6/14/22 10:57 AM

Related Articles

How to report Zoom Bombing.
This article covers recommended security settings for class meetings and office hours and for the secure handling of class meeting recordings.