FAQ on Zoom, Privacy, and Security at UC Davis

These FAQs are intended for faculty and instructors who use Zoom for teaching. See FAQ #22 for non-teaching and UC Davis Health Zoom guidance and resources, as well as the latest changes to the FAQ.

Alert:  Zoom requires update: In order to continue participating in online sessions that use Zoom, you must upgrade to version 5.0 before Saturday, 5/30. Go to this article for information on how to update.

  • 1.  What are the top 10 things that I can do to ensure security and privacy of my Zoom sessions?
  • 1. Use the most current version of Zoom (see How do I update my Zoom application); 
    2. Do not post Zoom links or invites on social media or public websites (see
    How to Secure the Zoom Meeting Information section 2.7);
    3. Use a unique ID for each meeting instead of using your Personal Meeting ID (PMI; see
    How to Control who can join your meeting, section 2.2);
    4. Utilize meeting passwords (see
    How to Control who can join your meeting, section 2.1);
    5. Avoid recording; if you must record, password-protect the recording and rename the saved recording (see
    How do I secure my Zoom Recording);
    6. Turn off embed password in meeting link (if applicable). This will force users to type in a password rather than have one click access.  (see
    How to Disable Embed password in meeting link, section 2.5);
    7. Enable Waiting Rooms and have the host allow users in one by one, or all at the same time, once all attendees have been verified (see
    How to Use a Waiting Room, section 2.6);
    8. Lock meetings once all participants have joined, if applicable (see
    How to Secure the Zoom Meeting Information, section 2.7);
    9. Disable file transfer settings during zoom meetings (see
    How to Control what participants can do in your meeting, section 3.4);
    10. Contact your Zoom instance administrator.  Each College at UC Davis has one administrator.  See
    here for their contact info.

  • 2.  What is Zoombombing?
  • Zoom sessions that are not password protected can be hijacked by invited individuals or joined by uninvited individual(s).   Zoombombing, a type of cyberattack, is where an individual(s) would enter a Zoom meeting and broadcast obscenities or take control of the screen. 

  • 3.  How do I protect against Zoombombing and what are the top features I need to be aware of?
  • To reduce the risk of Zoombombing, follow these tips recommended by the FBI:

    - Do not make meetings or classrooms public.
    In Zoom, there are two options to make a meeting private: require a meeting password and/or use the waiting room feature and control the admittance of guests.
    - Do not share a Zoom link on a social media post or other public website. Provide the link directly to specific people.
    - Manage Zoom screen-sharing options by disabling participant screen-sharing or changing screen-sharing to “Host Only.” [May 4, 2020 update to this tip:  Zoom recently updated the default screen-sharing settings
    for education users. Sharing privileges are now set to “Host Only,” so instructors by default are the only ones who can share content in class. Update your Zoom app to ensure you have access to the latest fixes.]

  • 4.  What do I do if I have been Zoombombed?
  • Call the IT Express Desk at 530-754-HELP who can put you in touch with your Unit IT Lead or contact your Unit IT lead.  See here for a list of Unit IT leads.  

    Use the Zoom “Security” icon found on the toolbar to stop access:

    - Lock the meeting
    - Enable the Waiting Room (even if it’s not already enabled)
    - Restrict participants’ ability to:
          -  Share their screens
          - Chat in a meeting
    img

    Use the “Participant” icon to further restrict access: 

    - Disable or Stop Video
    - Mute participants
    - Remove participants

    Once you contact IT staff, they will notify other appropriate campus authorities including the Campus Information Security Office, cybersecurity@ucdavis.edu, and the Campus Privacy Office, privacy@ucdavis.edu.  The Campus Information Security Office and Campus Privacy Office may engage the UC Davis Police Department accordingly. Zoombombing is considered a cybercrime, and UC Davis Police may report the incident to the FBI.   

  • 5.  What can I recommend to my students to protect their privacy?
  • If students have privacy concerns, permit students to seek approval for an alternative arrangement.  Sample alternative arrangements include: 

    - Audio-only participation as an alternative to video;
    - Using a virtual background (this feature is not available for all Zoom instances and may cause video quality issues).   More Zoom info is
    here.
    - Allowing a student to not use their photo;
    - Allowing a student to use an alternative to their full name, such as the student’s initials, the student’s first name, or last name only.  

    All alternative arrangements should be approved by the instructor in advance and should still allow the instructor to readily identify the student.  For privacy, the student need not divulge the reason for the request (e.g., I’m a sexual harassment victim, etc.).

  • 6.  How can student privacy be protected when proctoring an exam in Zoom?
  • The campus has two digital proctoring technologies available, Zoom and Examity, and is considering a third, Respondus.   For more information on privacy considerations, please see remote proctoring and privacy guidance on the campus privacy page to be posted by May 15, 2020.

  • 7.  What are my Zoom default settings? 
  • Each UC Davis unit has discretion to define its default Zoom settings. We have recommended certain default security and privacy settings to Zoom unit administrators.   For security reasons, those settings are not publicly posted. For more information on our recommended default settings, contact cybersecurity@ucdavis.edu and privacy@ucdavis.edu.

  • 8.  Can instructors be liable for privacy violations on Zoom
  • Instructors are not liable for Zoom flaws.  As long as you are using Zoom as recommended by the campus, not posting your lectures on a publicly accessible website, and students are adequately advised of privacy-protective alternatives, we do not see any reasonable basis for instructor liability.

  • 9.  Are Zoom meeting sessions encrypted? 
  • On April 27, 2020, Zoom upgraded their encryption method (for the curious, it is being upgraded to AES-256 GCM) with increased protection of your meeting data in transit, resistance against tampering, and improved confidentiality assurances for Zoom sessions.  Stronger audio/video stream encryption is included in Zoom 5.0. For details, see Zoom 5.0 website.

  • 10.  Are there any privacy concerns with the release of recorded lectures?    
  • Yes, we encourage faculty to avoid the “publish” link on Zoom.  This link is shareable and could be re-posted on a public website.  Instead, faculty are encouraged to use Aggie Video to store video recordings, and share lectures with students (see How to save a Zoom Cloud recording to Aggie Video and embed into Canvas), which allows sharing to be limited to UC Davis.

    The Campus Information Security Office has evaluated the security controls around videos uploaded in Canvas as files and determined that Canvas does not have sufficient controls to ensure security and privacy of information in the video recording. When you upload a video recording to Canvas and a student downloads it, you have no control on what the student can do with the video. Aggie Video gives the instructor more controls on what the student can do with the video. . Other tips on maintaining the security of recorded sessions is available at this link as well.

    Additionally, to protect the privacy of your students and the security of your lectures, check that your Zoom instance administrator has programmed the pop-up notice.  The notice should advise all participants of the recording and of recording rules, rights, and restrictions.

    Below is a sample video recording disclosure message:

     “This session and any personal information you share during the session will be recorded.  Participants are prohibited from electronically capturing or re-disclosing session information.  Participants may opt-out of being personally identified only with advance host/instructor approval.”

    Prior to recording a lecture, please also notify students in advance that sessions will be recorded and that students may opt for privacy-protective alternatives, with instructor approval (see FAQ#5). 

  • 11.  Can I use Zoom to provide accommodations and ensure privacy to students with disabilities?
  • Yes, you can, by creating Zoom break out rooms. More information is available here.

  • 12.  How long may I retain my course’s recordings?
  • Recordings should be deleted once they are no longer needed for their educational purpose.  Your Zoom administrator can set “automatic deletion” settings for all recordings after a certain number of days.  Some units have established 100 days as the automatic deletion period, with a reminder of 7 days before the automatic deletion and a 30-day safety valve for instructors who forget after the 100 days and want to retrieve their lectures.

  • 13.  How do I protect my faculty Intellectual Property (IP) rights with Zoom lectures?  What if lectures have been made available to students then shared with others?  
  • Students should be advised that lectures must not be shared with anyone outside the classroom.  Inappropriate sharing may be subject to discipline pursuant to the university’s student misconduct policies.  For more information on protecting your IP rights, please see the following guidance on protecting an instructor’s IP rights

    As one precaution, instructors can disallow viewers from downloading video files to their own computers by turning off the “Viewers can download” option in the sharing settings for recordings stored on Zoom. With this option disabled, viewers can only view the video in a web browser and not download the actual video files. This makes it harder for viewers to intentionally or accidentally re-share videos. 

    More information on the sharing options for Zoom recordings is available here.

  • 14.  How can I keep my Zoom meeting information confidential if I have designated an individual to schedule meetings for me? 
  • The Scheduling Privilege feature in Zoom allows one individual to be given delegated rights to schedule meetings for another individual.  When the privilege is granted, the delegate can see details of all meetings scheduled under the delegator’s account.  Privacy-protection options include: (1) omit confidential information from the Topic/Description fields, or (2) train and/or notify the delegate of privacy and confidentiality requirements and needs. 

    More information on scheduling privilege for Zoom meetings is available here.

  • 15.  Are student privacy or FERPA guidelines relaxed during the pandemic? Is Zoom in compliance with FERPA guidelines and what concerns have been raised?
  • The Department of Education issued COVID-specific FERPA guidance, advising that the FERPA Health & Safety Emergency Exception may be used to respond to COVID-19 pandemic safety needs.

    The Department of Education has also reissued Remote Learning Guidance.

    Zoom claims compliance with FERPA guidelines. For more information, see Zoom’s FERPA Compliance Guide. There are FERPA concerns that have been raised such as Zoom generates attendee reports for the instructor that list a student’s mobile telephone number as well as their email address. FERPA allows a student’s mobile phone number and email address to be communicated to an instructor, provided the instructor does not further disclose that information and limits the use of that information for the student’s legitimate educational interest. 

    Zoom also allows individual users or administrators to mask phone numbers.

  • 16.  What information does Zoom collect?  What are Zoom’s Privacy Policy protections?
  • Zoom’s current Privacy Policy (revised March 29, 2020) commits to never selling customer information and to not using customer data stored on the Zoom app for advertising. 

    Although Zoom’s Privacy Policy describes how, the extent to which data is used, and collected, it has recently been criticized as needing to be more specific.   Zoom has acknowledged these criticisms and committed to changes and a more detailed policy in the coming months.  

    In that spirit, Zoom’s privacy officials recently met with UC privacy officers and verbally advised that Zoom does not share session content with any third parties, with the sole exception of recordings stored in a Zoom cloud.  Zoom cloud recordings are stored under contract with Amazon Web Services (AWS).   

    Zoom’s Privacy Policy also states that Zoom “collects only the user data that is required to provide you Zoom services.”  In Zoom’s recent call with UC privacy officers, Zoom’s privacy official further advised that this data includes (but may not be limited to) location, device, IP address, operating system type, Zoom version, connection time.  

    Zoom has posted a list of certain third parties, engaged by Zoom, who may have access to such data to assist Zoom in delivering the service.  Note that additional clarification in this area has been requested of Zoom.  The UC Davis Privacy Office and Information Security Office will continue to monitor Zoom’s privacy policy clarifications and update this FAQ accordingly.

  • 17.  Will a participant’s “private” text chats during a Zoom call ever be made visible to the host or others?
  • On April 14, 2020, Zoom’s Privacy Officer advised UC privacy officers via telephone that private text chats are never made visible to anyone except to those whom they are addressed.  UC privacy officers have requested that this advice be provided in writing on a Zoom FAQ.  This answer will be updated when we become aware of any new published guidance.

    Please be aware that for all non-private text chats, any participant may save that chat as a file on their computer.  Additionally, private text chats may also be saved (as a file) by the intended recipient(s) of that text chat.  

  • 18.  Has the campus assessed Zoom’s security and privacy?  
  • The UC Davis Information Security Office Vendor Risk Assessment team has reviewed Zoom, including its third-party attestations regarding security. The team completed a formal risk assessment report for the campus Chief Information Security Officer and Chief Information Officer.  If you have questions about Zoom and the results of this assessment, please contact cybersecurity@ucdavis.edu.

    The UC Davis Privacy Office also reviewed Zoom as a part of that vendor risk assessment and found that third-party privacy review needed updating.  UC Davis has requested an updated report.

    Alternatively, we are currently considering other alternative solutions to Zoom.  For questions or if you have a product for consideration, contact IT Express Desk at 530-754-HELP.

  • 19.  What has Zoom communicated to the higher education community on security and privacy?   
  • On April 20, 2020, Zoom gave a webinar to members of the higher education community detailing the company’s commitment to creating the best and safest Zoom meeting experiences for users and addressed security, privacy, data, and any other concerns gathered by the higher education community.  Additional information is available at here.

    Zoom has also provided additional guidance to education community through a blog post available here

  • 20.  I have other more general questions on how to use Zoom.  Who can help or where can I find additional resources?
  • The Zoom section of the Keep Teaching website should be your first stop.

    The IT Knowledge Base websites also have resources and helpful articles:

    Zoom guide for faculty
    - Zoom guide for staff
    - Zoom guide for students

  • 21.  What are past privacy and security issues that Zoom has resolved?
  • This information is available here.

  • 22.  These FAQs didn’t address my concern. Who should I contact for help or to request an update to these FAQs and how do I identify the weekly changes made to them?
  • If you are aware of other Zoom security and privacy issues, please contact the UC Davis Privacy Office at privacy@ucdavis.edu and the Information Security Office at cybersecurity@ucdavis.edu.  Or, contact your Unit IT Administrator for additional information available here.  (If you are a UC Davis Health student, faculty, or staff member, please visit this website for Zoom information.) 

    Help us improve this campus resource as we are continually updating these FAQs and working on solutions to emerging issues.

    See below for a summary of the changes made to the FAQs each week. Going forward these FAQs will be updated on a bi-weekly basis.

    Changes made to this week’s Version 5 published for the week of 5/11/2020.

    New FAQ added:

    - #6: How can student privacy be protected when proctoring an exam in Zoom?
    - #11: Can I use Zoom to provide accommodations and ensure privacy to students with Disabilities?
    - #20: What are past privacy and security issues that Zoom has resolved?

     

    Updated FAQs:

    - #1: Included item 11 Other security and privacy tips regarding requiring meeting registration for large meetings with guidance.  Incorporated Zoom additional recommendations and best practices link and information previously in #3.
    - #4: Included a screen shot of the Zoom tool bar for clarity.
    - #10: Updated information and guidance related to security controls around videos uploaded in Canvas.
    - #14: Incorporates another FERPA related question (Zoom generates attendee reports for the instructor. Reports list a student’s mobile telephone number as well as their email address.  Is this allowed under FERPA? Adds Zoom stance on FERPA compliance. Is Zoom in compliance with FERPA guidelines and what concerns have been raised?
    - #17: Clarified that alternate solutions to Zoom are being considered and that suggestions or questions should be directed to IT Express Desk.
    - #21 & 22: Consolidated weekly changes made to FAQs into #21.

    Converted reference to URLs to links.

    Archived FAQs into FAQ#20 with a link to additional information provided: What are past privacy and security issues that Zoom has resolved?:

    - #8: Are the privacy concerns with Zoom and Facebook relevant to the campus?
    - #14: Are there privacy concerns with the Zoom Attention Tracker feature?

    Changes made to Version 4 published 5/6/2020

    Key Change:  Zoom released a new version of Zoom (version 5.0) last week.  This week’s FAQ updates tips based on new features and security/privacy protections of version 5.0.   Please ensure that your Zoom version is updated.  See FAQ #1 on how to update or see which Zoom version you are using. 

    New FAQ added:

    - #14: How can I keep my Zoom meeting information confidential if I have designated an individual to schedule meetings for me?
    - #23: How do I identify the weekly changes made to these FAQs?

    Updated FAQs:

    - #3: Modified the below tip, to reflect Zoom’s revised default settings:

    How do I prevent Zoombombing?

    Tip: “Manage Zoom screen-sharing options by disabling participant screen-sharing or changing screen-sharing to “Host Only.” [May 4th update to this tip:  Zoom recently updated the default screen-sharing settings for education users. Sharing privileges are now set to “Host Only,” so instructors by default are the only ones who can share content in class. Update your Zoom app to ensure you have access to the latest fixes.]

    - #4: Updates tips based on Zoom’s version 5.0 release.   New features
    - #9: Updated to reflect latest encryption method released in Zoom version.