FAQ on Zoom, Privacy, and Security at UC Davis

These FAQs are intended for faculty and instructors who use Zoom for teaching.

Changes made to this Version 7 published for the week of 06/26/2020 (also included in FAQ#20)
  New FAQ added:
-   #6: In terms of Privacy and Security, is it better to use the web app as opposed to downloading and using the Zoom app?

Updated FAQs:
-   #1: updated to reflect the most current version of Zoom. Version 5.0.5 was released on June 2, 2020; consolidated FAQ#15 with FAQ #1.
-   #5: What do I do if I have been Zoombombed is moved to FAQ#3.
-   #4: added a tip on how to prevent participants from inviting other users during a meeting.
-   #5: updated to include new Zoom privacy features in version 5.0.5 released on June 2; adds guidance regarding data subject access requests and Zoom’s legal obligation to investigate any complaints received that indicate child exploitation; consolidated FAQ#18 with this FAQ #4.
-   #8: updated to include Respondus as a digital technology now available for proctoring exams.
-   #12: updated to include that campus Zoom accounts do not have the security levels to store personal health info and meetings with this info should not be recorded; recordings should be deleted once they are no longer needed for their educational purpose; campus Zoom IT administrators can access all cloud recordings associated with your faculty account but must seek your consent or follow Policy and Procedure Manual Section 310-14 before accessing; incorporates FAQ#13 into this FAQ#12.  

  • 1.  What are the top 10 things that I can do to ensure security and privacy of my Zoom sessions?
  • 1  Use the most current version of Zoom (see How do I update my Zoom application).  It is important to manually update, as your Zoom app may not automatically update; as of June 2, 2020, the most current version is 5.0.5. Note: On May 30, 2020, all users were required to be on Zoom 5.0 or above to join meetings (More information from Campus IET is available here).
    2  Do not post Zoom links or invites on social media or public websites (see How to Secure the Zoom Meeting Information section 2.7);
    3  Use a unique ID for each meeting instead of using your Personal Meeting ID or PMI (see How to Control who can join your meeting, section 2.2);
    4  Use meeting passwords (see How to Control who can join your meeting, section 2.1);
    5  Avoid recording; if you must record, password-protect the recording and rename the saved recording (see How do I secure my Zoom Recording);
    6  Turn off embed password in meeting link (if applicable). This will force users to type in a password rather than have one click access.  (see How to Disable Embed password in meeting link, section 2.5);
    7  Enable Waiting Rooms and have the host allow users in one by one, or all at the same time, once all attendees have been verified (see How to Use a Waiting Room, section 2.6);
    8  Lock meetings once all participants have joined, if applicable (see How to Secure the Zoom Meeting Information, section 2.7);
    9  Disable file transfer settings during Zoom meetings (see How to Control what participants can do in your meeting, section 3.4);
    10  Contact your Zoom instance administrator.  Each College at UC Davis has one administrator.  See here for their contact info.
    11  Other security and privacy tips:

    -   Require meeting registration for large meetings, or non-instruction sessions (e.g., webinars) where the audience is not predetermined.  Guidance on how to setup meetings that require registration is available here.
    -   Consider updating your Zoom default settings.  Guidance on recommended default settings is available here.
    -   The Scheduling Privilege feature in Zoom allows one individual to be given delegated rights to schedule meetings for another individual.  When the privilege is granted, the delegate can see details of all meetings scheduled under the delegator’s account.  Privacy-protection options include: (1) omit confidential information from the Topic/Description fields, or (2) train and/or notify the delegate of privacy and confidentiality requirements and needs.  More information on the Scheduling Privilege for Zoom meetings is available here.

    Zoom has additional recommendations on its privacy and security page and best practices for securing your virtual classroom. 

    Note: Some recommendations on Zoom’s page may not apply to you; we have attempted to extract the top 10 tips that apply to UC Davis in FAQ#1. For example, Zoom recommends restricting meeting participants to those who are logged into Zoom or those in your domain (e.g., UC Davis email addresses). However, this feature (restricting meeting participants to UC Davis emails) may not work for all undergraduate teaching Zoom users.

  • 2.  What is Zoombombing?
  • Zoom sessions that are not password protected can be hijacked by invited individuals or joined by uninvited individuals. Zoombombing is a type of cyberattack in which one or more individuals enter a Zoom meeting and broadcast obscenities or take control of the screen.

  • 3.  What do I do if I have been Zoombombed?
  •  Call the IT Express Desk at 530-754-HELP, who can put you in touch with your Unit IT Lead, or contact your Unit IT Lead directly.  See here for a list of Unit IT leads.

    Use the Zoom “Security” icon found on the toolbar to stop access:

    - Lock the meeting
    - Enable the Waiting Room (even if it’s not already enabled)
    - Restrict participants’ ability to:
          - Share their screens
          - Chat in a meeting
          - Rename themselves
          - Unmute themselves

    Use the “Participant” icon to further restrict access: 
    - Disable or Stop Video
    - Mute participants (disable “Allow participants to unmute themselves”)
    - Remove participants

    Once you contact IT staff, they will notify other appropriate campus authorities including the Campus Information Security Office, cybersecurity@ucdavis.edu, and the Campus Privacy Office, privacy@ucdavis.edu.  The Campus Information Security Office and Campus Privacy Office may engage the UC Davis Police Department accordingly. Zoombombing is considered a cybercrime, and UC Davis Police may report the incident to the FBI.   

  • 4.  How do I protect against Zoombombing and what are the important features I need to be aware of?
  • To reduce the risk of Zoombombing, follow these tips recommended by the FBI:

    -  Do not make meetings or classrooms public.
    In Zoom, there are two options to make a meeting private: require a meeting password and/or use the waiting room feature and control the admittance of guests.
    -  Do not share a Zoom link on a social media post or other public website. Provide the link directly to specific people.
    -   Manage Zoom screen-sharing options by disabling participant screen-sharing or changing screen-sharing to “Host Only.” [May 4, 2020 update to this tip:  Zoom recently updated the default screen-sharing settings for education users. Sharing privileges are now set to “Host Only,” so instructors by default are the only ones who can share content in class. Update your Zoom app to ensure you have access to the latest fixes.]

    Additional tips from the campus include:

    -   Participants have the ability to invite other users once they are in a meeting. To prevent participants from inviting other users during a meeting, the host can turn on the Waiting Room or lock the meeting to prevent anyone else from joining. 
     

  • 5.  What are new Zoom privacy enhancements, communications, or guidance that instructors need to be aware of? 
  • This section describes recent changes to Zoom’s privacy policy, enhanced privacy features added to Zoom in May and June 2020, and “other updates,” including recent communications/webinars from Zoom on privacy.

    On June 2, 2020, Zoom released Version 5.0.5, which it touts as enhancing privacy features:

    -  Zoom updated “channel” features.  A Zoom channel can help with your Zoom teaching by creating a “chat room” or virtual bulletin board that all class members (including the instructors) have access to outside of normal class hours.   Click here for how to create a “class channel.”  

    Zoom has now updated privacy controls for a channel.  You can now view your privacy controls, control who can view past channel chats, and control whether the channel is private or public, as displayed in the below graphic. 
     


     

    -  Zoom now enables public channel admins and members to add external users to their public channel. Guidance on creating and using channels for group messaging is available here.

    On May 10 and 17, 2020, Zoom released new enhancements to existing privacy features such as:

    -  Require two-way consent for a participant to be unmuted:  1) the host has to enable the unmute function and 2) the participant also has control over whether they can be unmuted.

    -  Personal information, such as email address, personal meeting ID and phone number, will be partially masked with asterisks (*). Full details will only be shown when the user explicitly clicks on the “show” option. 

    Zoom’s Privacy Policy    

    Zoom’s current Privacy Policy (revised March 29, 2020) commits to never selling customer information and to not using customer data stored on the Zoom app for advertising. 

    Zoom collects a user’s technical data elements such as OS type and version, IP addresses, device type, and city-level location data to understand how the Service is used, diagnose technical issues, and conduct analytics.  

    Although Zoom’s Privacy Policy describes how, and the extent to which, data is collected and used, it has recently been criticized as needing to be more specific.  Zoom has recently changed the privacy policy to remove “legalese” and has reached agreement with the authorities (the New York Attorney General’s Office) who originally filed a complaint on the privacy policy.

    In that spirit, Zoom’s privacy officials recently met with UC privacy officers and verbally advised that Zoom does not share session content with any third parties, with the sole exception of recordings stored in a Zoom cloud.  Zoom cloud recordings are stored under contract with Amazon Web Services (AWS). 

    Zoom’s Privacy Policy also states that Zoom “collects only the user data that is required to provide you Zoom services.”  In Zoom’s recent call with UC privacy officers, Zoom’s privacy official further advised that this data includes (but may not be limited to) location, device, IP address, operating system type, Zoom version, connection time.  

     Zoom has posted a list of certain third parties, engaged by Zoom, who may have access to such data to assist Zoom in delivering the service.  Note that additional clarification in this area has been requested of Zoom.  The UC Davis Privacy Office and Information Security Office will continue to monitor Zoom’s privacy policy clarifications and update this FAQ accordingly.

    Other updates.    

    Zoom has provided guidance regarding data subject access requests at zoom.us/gdpr.

    Zoom has a legal obligation to investigate any complaints received by Zoom that indicate child exploitation. 

    On April 20, 2020, Zoom gave a webinar to members of the higher education community that addressed data security and privacy concerns.  Additional information is available here.

    Zoom also provided additional guidance to the education community on April 24, 2020 through a blog post available here.

    Zoom continues to provide progress updates on its 90-day privacy and security plan.  The updates are available on Zoom’s May 27, 2020 blog.

  • 6.  In terms of Privacy and Security, is it better to use the web app as opposed to downloading and using the Zoom app?
  • Zoom’s Chief Privacy Officer claims that there is no difference in privacy/security levels between using the web application versus using a downloaded application.  The sole difference described by Zoom’s Chief Privacy Officer is that the user of the downloaded application has to manually download the latest version, whereas the web application automatically updates. If you are using the desktop client, you should regularly check for and install the latest Zoom updates.  Guidance on how to update your Zoom app is available here.

  • 7.  What can I recommend to my students to protect their privacy?
  • If students have privacy concerns, permit students to seek approval for an alternative arrangement.  Sample alternative arrangements include: 

    -   Audio-only participation as an alternative to video;
    -   Using a virtual background (this feature is not available for all Zoom instances and may cause video quality issues).   More Zoom info is here.
    -   Allowing a student to not use their photo;
    -   Allowing a student to use an alternative to their full name, such as the student’s initials, the student’s first name, or last name only.  

    All alternative arrangements should be approved by the instructor in advance and should still allow the instructor to readily identify the student.  For privacy, the student need not divulge the reason for the request (e.g., I’m a sexual harassment victim, etc.).

  • 8.  How can student privacy be protected when proctoring an exam in Zoom?
  • The campus has three digital proctoring technologies available: Zoom, Examity, and Respondus.  For more information on privacy considerations, please see the remote proctoring and privacy guidance on the campus privacy page.

  • 9.  What are my Zoom default settings?
  • Each UC Davis unit has discretion to define its default Zoom settings. We have recommended certain default security and privacy settings to Zoom unit administrators.   For security reasons, those settings are not publicly posted. For more information on our recommended default settings, contact cybersecurity@ucdavis.edu.

  • 10.  Can instructors be liable for privacy violations on Zoom?  
  • Instructors are not liable for Zoom flaws.  As long as you are using Zoom as recommended by the campus, not posting your lectures on a publicly accessible website, and students are adequately advised of privacy-protective alternatives, we do not see any reasonable basis for instructor liability.

  • 11.  Are Zoom meeting sessions encrypted?  
  • On April 27, 2020, Zoom upgraded their encryption method (for the curious, it is being upgraded to AES-256 GCM) with increased protection of your meeting data in transit, resistance against tampering, and improved confidentiality assurances for Zoom sessions.  Stronger audio/video stream encryption is included in Zoom 5.0.

    All faculty, students and staff must have upgraded to Zoom version 5.0 or above by May 30, 2020 in order for the new encryption standard to work.  For details, see the Zoom 5.0 website. Guidance on how to update your Zoom app is available here.

  • 12.  Are there privacy concerns with the release of recorded lectures, recording of lectures or meetings, and how long may I retain my course’s recordings?   
  • Release of recorded lectures:

    Yes, we encourage faculty to avoid the “publish” link on Zoom.  This link is shareable and could be re-posted on a public website.  Instead, faculty are encouraged to use Aggie Video to store video recordings, and share lectures with students (see How to save a Zoom Cloud recording to Aggie Video and embed into Canvas), which allows sharing to be limited to UC Davis.  

    The Campus Information Security Office has evaluated the security controls around videos uploaded in Canvas as files and determined that Canvas does not have sufficient controls to ensure security and privacy of information in the video recording. When you upload a video recording to Canvas and a student downloads it, you have no control over what the student can do with the video. Aggie Video gives the instructor more control over what the student can do with the video.  Other tips on maintaining the security of recorded sessions are available at this link as well.

    Additionally, to protect the privacy of your students and the security of your lectures, check that your Zoom instance administrator has programmed the pop-up notice.  The notice should advise all participants of the recording and of recording rules, rights, and restrictions.  

    Below is a sample video recording disclosure message: 

     “This session and any personal information you share during the session will be recorded.  Participants are prohibited from electronically capturing or re-disclosing session information.  Participants may opt-out of being personally identified only with advance host/instructor approval.”

    Recording lectures and meetings:

    Prior to recording a lecture, please also notify students in advance that sessions will be recorded and that students may opt for privacy-protective alternatives, with instructor approval (see FAQ#7). 

    Campus Zoom accounts do not have the security levels to store personal health information, therefore any meetings that contain this information should not be recorded.

    Retention of course recordings:

    Recordings should be deleted once they are no longer needed for their educational purpose.  Your Zoom administrator can set “automatic deletion” settings for all recordings after a certain number of days.  Some units have established 100 days as the automatic deletion period, with a reminder of 7 days before the automatic deletion and a 30-day safety valve for instructors who forget after the 100 days and want to retrieve their lectures.

    Your Zoom administrator will have access to all cloud recordings associated with your account; however, they must follow the UC Davis Policy and Procedure Manual Section 310-24, Electronic Communications—Privacy and Access, to access those recordings.  This process requires requesting consent from the holder of that recording (you, the faculty member) or, if the holder declines to give consent, requesting approval from the campus privacy officer and appropriate campus leadership.

  • 13.  Can I use Zoom to provide accommodations and ensure privacy to students with disabilities?
  • Yes, you can, by creating Zoom breakout rooms. More information is available here.

  • 14.  How do I protect my faculty Intellectual Property (IP) rights with Zoom lectures?  What if lectures have been made available to students then shared with others?  
  • Students should be advised that lectures must not be shared with anyone outside the classroom.  Inappropriate sharing may be subject to discipline pursuant to the university’s student misconduct policies.  For more information on protecting your IP rights, please see the following guidance on protecting an instructor’s IP rights.

    As one precaution, instructors can disallow viewers from downloading video files to their own computers by turning off the “Viewers can download” option in the sharing settings for recordings stored on Zoom. With this option disabled, viewers can only view the video in a web browser and not download the actual video files. This makes it harder for viewers to intentionally or accidentally re-share videos. 

    More information on the sharing options for Zoom recordings is available here.

  • 15.  Are student privacy or FERPA guidelines relaxed during the pandemic? Is Zoom in compliance with FERPA guidelines and what concerns have been raised?
  • The Department of Education issued COVID-specific FERPA guidance, advising that the FERPA Health & Safety Emergency Exception may be used to respond to COVID-19 pandemic safety needs.

    The Department of Education has also reissued Remote Learning Guidance.

    Zoom claims compliance with FERPA guidelines. For more information, see Zoom’s FERPA Compliance Guide. FERPA concerns have been raised, such as that Zoom generates attendee reports for the instructor that list a student’s mobile telephone number as well as their email address. FERPA allows a student’s mobile phone number and email address to be communicated to an instructor, provided the instructor does not further disclose that information and limits the use of that information to the student’s legitimate educational interest.

    Zoom also allows individual users or administrators to mask phone numbers.

  • 16.  Will a participant’s “private” text chats during a Zoom call ever be made visible to the host or others?
  • On April 14, 2020, Zoom’s Privacy Officer advised UC privacy officers via telephone that private text chats are never made visible to anyone except those to whom they are addressed.  In May 2020, UC privacy officers requested a second time that this advice be provided in writing on a Zoom FAQ and have not yet received a response from Zoom.  This answer will be updated when we become aware of any new published guidance.

    Please be aware that for all non-private text chats, any participant may save that chat as a file on their computer.  Additionally, private text chats may also be saved (as a file) by the intended recipient(s) of that text chat.  

  • 17.  Has the campus assessed Zoom’s security and privacy?  
  • The UC Davis Information Security Office Vendor Risk Assessment team has reviewed Zoom, including its third-party attestations regarding security. The team completed a formal risk assessment report for the campus Chief Information Security Officer and Chief Information Officer.  If you have questions about Zoom and the results of this assessment, please contact cybersecurity@ucdavis.edu.

    The UC Davis Privacy Office also reviewed Zoom as a part of that vendor risk assessment and found that the third-party privacy review needed updating.  UC Davis has requested an updated report.

    Alternatively, the campus IET department is currently considering alternative solutions to Zoom.  For questions or if you have a product for consideration, contact the IT Express Desk at 530-754-HELP.

  • 18.  I have other more general questions on how to use Zoom.  Who can help or where can I find additional resources?
  • The Zoom section of the Keep Teaching website should be your first stop.

    The IT Knowledge Base websites also have resources and helpful articles:

    -   Zoom guide for faculty
    -   Zoom guide for staff
    -   Zoom guide for students

  • 19.  What are past privacy and security issues that Zoom has resolved? 
  • This information is available here.

  • 20.  These FAQs didn’t address my concern. Who should I contact for help or to request an update to these FAQs and how do I identify the weekly changes made to them?
  • If you are aware of other Zoom security and privacy issues, please contact the UC Davis Privacy Office at privacy@ucdavis.edu and the Information Security Office at cybersecurity@ucdavis.edu.  Or, contact your Unit IT Administrator for additional information available here.  (If you are a UC Davis Health student, faculty, or staff member, please visit this website for Zoom information.) 

    Help us improve this campus resource as we are continually updating these FAQs and working on solutions to emerging issues.

    See below for a summary of the changes made to the FAQs on a bi-weekly basis. Note that these updates will sunset at the end of June. See the Zoom Blog for the latest update on their 90-Day Security Plan Progress. 
     

    Changes made to this Version 7 published for the week of 06/26/2020.

    New FAQ added:

    -   #6: In terms of Privacy and Security, is it better to use the web app as opposed to downloading and using the Zoom app?

    Updated FAQs:

    -   #1: updated to reflect the most current version of Zoom.  Version 5.0.5 was released on June 2, 2020; consolidated FAQ#15 with this FAQ #1.
    -   #5: What do I do if I have been Zoombombed is moved to FAQ#3.
    -   #4: added a tip on how to prevent participants from inviting other users during a meeting.
    -   #5: updated to include new Zoom privacy features in version 5.0.5 released on June 2; adds guidance regarding data subject access requests and Zoom’s legal obligation to investigate any complaints received that indicate child exploitation; consolidated FAQ#18 with this FAQ #4.
    -   #8: updated to include Respondus as a digital technology now available for proctoring exams.
    -   #12: updated to include that campus Zoom accounts do not have the security levels to store personal health info and meetings with this info should not be recorded; recordings should be deleted once they are no longer needed for their educational purpose; campus Zoom IT administrators can access all cloud recordings associated with your faculty account but must seek your consent or follow Policy and Procedure Manual Section 310-14 before accessing; incorporates FAQ#13 into this FAQ#12.  

    Changes made to this Version 6 published for the week of 5/26/2020.

    The Zoom Privacy Update Team supporting Minming Wu Morri, the Campus Privacy Officer, are Maria Eynon, Campus Policy Coordinator, and Jesse Avina, OCP Tech & Com Specialist.  The Zoom Security Update Team supporting the Information Security Officer is Jackson Muhirwe, Deputy Chief Information Security Officer.  Additional support was provided by Bill Buchanan and Tobi Patton from IET.  Many thanks to the Team for their work in keeping abreast of the latest updates and developing these recommendations.

    New FAQ added:

    -   #4: What are new Zoom privacy enhancements that instructors need to be aware of?

    Updated FAQs:

    -   #1: Updated to include information on the most current version which is 5.0.3 and to advise that by May 30, 2020, all users are required to update to Zoom 5.0 or above to join meetings.
    -   #5: Described new privacy features from the most current Zoom version, such as restricting participants’ ability to rename or unmute themselves. A screenshot of the security and participant menu was added and the toolbar screenshot was updated.
    -   #10: Updated to include that all faculty, students and staff must upgrade to Zoom version 5.0 or above by May 30, 2020 in order for the new encryption standard to work.  Guidance and links to Zoom 5.0 website added.
     

    Changes made to this week’s Version 5 published for the week of 5/11/2020.

    New FAQ added:

    -   #6: How can student privacy be protected when proctoring an exam in Zoom?
    -   #11: Can I use Zoom to provide accommodations and ensure privacy to students with Disabilities?
    -   #20: What are past privacy and security issues that Zoom has resolved?

    Updated FAQs:

    -   #1: Included item 11 Other security and privacy tips regarding requiring meeting registration for large meetings with guidance.  Incorporated Zoom additional recommendations and best practices link and information previously in #3.
    -   #4: Included a screen shot of the Zoom tool bar for clarity.
    -   #10: Updated information and guidance related to security controls around videos uploaded in Canvas.
    -   #14: Incorporates another FERPA related question (Zoom generates attendee reports for the instructor. Reports list a student’s mobile telephone number as well as their email address.  Is this allowed under FERPA?). Adds Zoom’s stance on FERPA compliance. Is Zoom in compliance with FERPA guidelines and what concerns have been raised?
    -   #17: Clarified that alternate solutions to Zoom are being considered and that suggestions or questions should be directed to IT Express Desk.

    -   #21 & 22: Consolidated weekly changes made to FAQs into #21.

    Converted reference to URLs to links.

    Archived FAQs into FAQ#20 with a link to additional information provided: What are past privacy and security issues that Zoom has resolved?

    -   #8: Are the privacy concerns with Zoom and Facebook relevant to the campus?
    -   #14: Are there privacy concerns with the Zoom Attention Tracker feature?

    Changes made to Version 4 published 5/6/2020

    Key Change:  Zoom released a new version of Zoom (version 5.0) last week.  This week’s FAQ updates tips based on new features and security/privacy protections of version 5.0.   Please ensure that your Zoom version is updated.  See FAQ #1 on how to update or see which Zoom version you are using. 

    New FAQ added:

    -   #14: How can I keep my Zoom meeting information confidential if I have designated an individual to schedule meetings for me?
    -   #23: How do I identify the weekly changes made to these FAQs?

    Updated FAQs: 

    -   #3: Modified the below tip, to reflect Zoom’s revised default settings:

    How do I prevent Zoombombing?

    Tip: Manage Zoom screen-sharing options by disabling participant screen-sharing or changing screen-sharing to “Host Only.” [May 4th update to this tip:  Zoom recently updated the default screen-sharing settings for education users. Sharing privileges are now set to “Host Only,” so instructors by default are the only ones who can share content in class. Update your Zoom app to ensure you have access to the latest fixes.]

    -   #4: Updates tips based on Zoom’s version 5.0 release.   New features
    -   #9: Updated to reflect latest encryption method released in Zoom version.