Previous Zoom FAQ Published on 4/27/2020

Answers to FAQs

  1. What are the top 10 things that I can do to ensure security and privacy of my Zoom sessions?
    1. Use the most current version of Zoom (see How do I update my Zoom application);
    2. Do not post Zoom links or invites on social media including public websites (see How to Secure the Zoom Meeting Information section 2.7);
    3. Use a unique ID for each meeting instead of using your Personal Meeting ID (PMI; see How to Control who can join your meeting, section 2.2);
    4. Utilize meeting passwords (see How to Control who can join your meeting, section 2.1);
    5. Avoid recording; if you must record, password-protect the recording and rename the saved recording (see How do I secure my Zoom Recording);
    6. Turn off embed password in meeting link, if applicable. This will force users to type in a password rather than have one-click access (see How to Disable Embed password in meeting link, section 2.5);
    7. Enable Waiting Rooms and have the host allow users in one by one, or all at the same time, once all attendees have been verified (see How to Use a Waiting Room, section 2.6);
    8. Lock meetings once all participants have joined, if applicable (see How to Secure the Zoom Meeting Information, section 2.7);
    9. Disable file transfer settings during Zoom meetings; this is not necessary in basic chat (see How to Control what participants can do in your meeting, section 3.4);
    10. Contact your campus unit IT resource for support. Each College at UC Davis has a Zoom instance administrator. See here for the email for your Zoom administrator.
  2. What is Zoombombing?

Zoom sessions that are not password protected can be hijacked by invited individuals or joined by uninvited individuals. Zoombombing, a type of cyberattack, is where one or more individuals enter a Zoom meeting and broadcast obscenities or take control of the screen.

  3. How do I protect against Zoombombing and what are the top features I need to be aware of?

To reduce the risk of Zoombombing, follow these tips recommended by the FBI:

  • Do not make meetings or classrooms public.
    In Zoom, there are two options to make a meeting private: require a meeting password and/or use the waiting room feature and control the admittance of guests.
  • Do not share a Zoom link on a social media post or other public website. Provide the link directly to specific people.
  • Manage Zoom screen-sharing options by disabling participant screen-sharing or changing screen-sharing to “Host Only.”
  • Update your Zoom app to ensure you have access to the latest fixes.

Zoom has additional recommendations on its privacy and security page and best practices for securing your virtual classroom.

Note: Some recommendations on Zoom’s page may not apply to you.  For example, Zoom recommends restricting meeting participants to those who are logged into Zoom or those in your domain (e.g. UC Davis email addresses).   However, this feature (restricting meeting participants to UC Davis emails) may not work for all undergraduate teaching Zoom users. 

  4. What do I do if I have been Zoombombed?

Call the IT Express Desk at 530-754-HELP, who can put you in touch with your Unit IT Lead, or contact your Unit IT Lead directly. See here for a list of Unit IT Leads.

Use the Zoom toolbar security options:

  • Disable Video
  • Mute participants
  • Turn off file transfer
  • Turn off annotation
  • Control recording
  • End the meeting
  • Remove participants

Once you contact IT staff, they will notify other appropriate campus authorities including the Campus Information Security Office, cybersecurity@ucdavis.edu, and the Campus Privacy Office, privacy@ucdavis.edu.  The Campus Information Security Office and Campus Privacy Office may engage the UC Davis Police Department accordingly. Zoombombing is considered a cybercrime, and UC Davis Police may report the incident to the FBI. 

  5. What can I recommend to my students to protect their privacy?

If students have privacy concerns, permit students to seek approval for an alternative arrangement.  Sample alternative arrangements include: 

  • Audio-only participation as an alternative to video;
  • Using a virtual background (this feature is not available for all Zoom instances and may cause video quality issues).   More Zoom info is here.
  • Allowing a student to not use their photo;
  • Allowing a student to use an alternative to their full name, such as the student’s initials, the student’s first name or last name only.  

All alternative arrangements should be approved by the instructor in advance and should still allow the instructor to readily identify the student. For privacy, the student need not divulge the reason for the request (e.g. I’m a sexual harassment victim, etc.).

  6. What are my Zoom default settings?

Each UC Davis unit has discretion to define its default Zoom settings. We have recommended certain default security and privacy settings to Zoom unit administrators. For security reasons, those settings are not publicly posted. For more information on our recommended default settings, contact cybersecurity@ucdavis.edu and privacy@ucdavis.edu.

  7. Can instructors be liable for privacy violations on Zoom?

Instructors are not liable for Zoom flaws.  As long as you are using Zoom as recommended by the campus, not posting your lectures on a publicly accessible website, and students are adequately advised of privacy-protective alternatives, we do not see any reasonable basis for instructor liability.

  8. Are the privacy concerns with Zoom and Facebook relevant to the campus?

The recent privacy concerns were limited to the Zoom iOS app. Therefore, the issue impacted only individuals who use Zoom on an iOS/Apple device. Zoom has since stated that the code was fixed and that there is no longer sharing with Facebook. If you use Zoom on an Apple device, please make sure your Zoom version is updated. The most recent version of Zoom is available at https://support.zoom.us/hc/en-us/articles/201362233-Where-Do-I-Download-The-Latest-Version-

  9. Are Zoom meeting sessions encrypted?

On April 22, 2020, Zoom announced plans to upgrade their encryption method (for the curious, it is being upgraded to AES-256 GCM) with increased protection of your meeting data in transit, resistance against tampering, and improved confidentiality assurances for Zoom sessions. Stronger audio/video stream encryption will be included in Zoom 5.0, which is slated for release within the week. For details, see the Zoom media advisory at https://blog.zoom.us/wordpress/2020/04/22/zoom-hits-milestone-on-90-day-security-plan-releases-zoom-5-0/.

  10. Are there any privacy concerns with the release of recorded lectures?

Yes, we encourage faculty to avoid the “publish” link on Zoom.  This link is shareable and could be re-posted on a public website.  Instead, faculty are encouraged to use Aggie Video to store video recordings, and share lectures with students (see http://kb.ucdavis.edu/?id=5760), which allows sharing to be limited to UC Davis.

We are currently evaluating whether storing videos in Canvas has the same privacy and security safeguards as Aggie Video. Other tips on maintaining the security of recorded sessions are available at this link as well.

Additionally, to protect the privacy of your students and the security of your lectures, check that your Zoom instance administrator has programmed the pop-up notice.  The notice should advise all participants of the recording and of recording rules, rights, and restrictions.

Below is a sample video recording disclosure message:

 “This session and any personal information you share during the session will be recorded.  Participants are prohibited from electronically capturing or re-disclosing session information.  Participants may opt-out of being personally identified only with advance host/instructor approval.”

Prior to recording a lecture, please also notify students in advance of privacy-protective alternatives (see FAQ 5). 

  11. How long may I retain my course’s recordings?

Recordings should be deleted once they are no longer needed for their educational purpose.  Your Zoom administrator can set “automatic deletion” settings for all recordings after a certain number of days.  Some units have established 100 days as the automatic deletion period, with a reminder of 7 days before the automatic deletion and a 30-day safety valve for instructors who forget after the 100 days and want to retrieve their lectures.

  12. How do I protect my faculty Intellectual Property (IP) rights with Zoom lectures? What if lectures have been made available to students then shared with others?

Students should be advised that lectures must not be shared with anyone outside the classroom.  Inappropriate sharing may be subject to discipline pursuant to the university’s student misconduct policies.  For more information on protecting your IP rights, please see the following guidance on protecting an instructor’s IP rights:

https://www.library.ucdavis.edu/service/scholarly-communications/instructor-copyright/

As one precaution, instructors can disallow viewers from downloading video files to their own computers by turning off the “Viewers can download” option in the sharing settings for recordings stored on Zoom. With this option disabled, viewers can only view the video in a web browser and not download the actual video files. This makes it harder for viewers to intentionally or accidentally re-share videos.

More information on the sharing options for Zoom recordings is available here.

  13. Zoom generates attendee reports for the instructor. Reports list a student’s mobile telephone number as well as their email address. Is this allowed under the Family Educational Rights and Privacy Act (FERPA)?

FERPA allows a student’s mobile phone number and email address to be communicated to an instructor, provided the instructor does not further disclose that information and limits the use of that information for the student’s legitimate educational interest.

Zoom also allows individual users or administrators to mask phone numbers.

  14. Are there privacy concerns with the Zoom Attention Tracker feature?

Due to privacy concerns, this feature was permanently removed by Zoom on April 2, 2020. See https://support.zoom.us/hc/en-us/articles/115000538083-Attendee-attention-tracking.

  15. Are student privacy or FERPA guidelines relaxed during the pandemic?

The Department of Education issued COVID-specific FERPA guidance, advising that the FERPA Health & Safety Emergency Exception may be used to respond to COVID-19 pandemic safety needs. See https://studentprivacy.ed.gov/sites/default/files/resource_document/file/FERPA%20and%20Coronavirus%20Frequently%20Asked%20Questions.pdf.

The Department of Education also reissued Remote Learning Guidance at https://studentprivacy.ed.gov/sites/default/files/resource_document/file/FERPA%20%20Virtual%20Learning%20032020_FINAL.pdf.

  16. What information does Zoom collect? What are Zoom’s Privacy Policy protections?

Zoom’s current Privacy Policy (https://zoom.us/privacy, revised March 29, 2020) commits to never selling customer information and to not using customer data stored on the Zoom app for advertising.

Although Zoom’s Privacy Policy describes how and the extent to which data is used and collected, it has recently been criticized as needing to be more specific.   Zoom has acknowledged these criticisms and committed to changes and a more detailed policy in the coming months.  

In that spirit, Zoom’s privacy officials recently met with UC privacy officers and verbally advised that Zoom does not share session content with any third parties, with the sole exception of recordings stored in a Zoom cloud.  Zoom cloud recordings are stored under contract with Amazon Web Services (AWS). 

Zoom’s Privacy Policy also states that Zoom “collects only the user data that is required to provide you Zoom services.” In Zoom’s recent call with UC privacy officers, Zoom’s privacy official further advised that this data includes (but may not be limited to) location, device, IP address, operating system type, Zoom version, and connection time.

Zoom has posted a list of certain third parties, engaged by Zoom, who may have access to such data to assist Zoom in delivering the service.  Note that additional clarification in this area has been requested of Zoom.  The UC Davis Privacy Office and Information Security Office will continue to monitor Zoom’s privacy policy clarifications and update this FAQ accordingly.

  17. Will a participant’s “private” text chats during a Zoom call ever be made visible to the host or others?

On April 14, 2020, Zoom’s Privacy Officer advised UC privacy officers via telephone that private text chats are never made visible to anyone except to those whom they are addressed.  UC privacy officers have requested that this advice be provided in writing on a Zoom FAQ.  This answer will be updated when we become aware of any new published guidance.

Please be aware that for all non-private text chats, any participant may save that chat as a file on their computer.  Additionally, private text chats may also be saved (as a file) by the intended recipient(s) of that text chat.

  18. Has the campus assessed Zoom’s security and privacy?

The UC Davis Information Security Office Vendor Risk Assessment team has reviewed Zoom, including its third-party attestations regarding security. The team completed a formal risk assessment report for the campus Chief Information Security Officer and Chief Information Officer.  If you have questions about Zoom and the results of this assessment, please contact cybersecurity@ucdavis.edu.

The UC Davis Privacy Office also reviewed Zoom as a part of that vendor risk assessment and found that the third-party privacy review needed updating. UC Davis has requested an updated report.

  19. What has Zoom communicated to the higher education community on security and privacy?

On April 20, 2020, Zoom gave a webinar to members of the higher education community detailing the company’s commitment to creating the best and safest Zoom meeting experiences for users and addressing security, privacy, data, and any other concerns gathered by the higher education community. Additional information is available at https://www.internet2.edu/blogs/detail/17630.

  20. I have other more general questions on how to use Zoom. Who can help or where can I find additional resources?

The Zoom section of the Keep Teaching website should be your first stop: https://keepteaching.ucdavis.edu/zoom-web-conferencing.

The IT Knowledge Base websites also have resources and helpful articles:

  21. These FAQs didn’t address my concern. Who should I contact for help or to request an update to these FAQs?

If you are aware of other Zoom security and privacy issues, please contact the UC Davis Privacy Office at privacy@ucdavis.edu and the Information Security Office at cybersecurity@ucdavis.edu.  Or, contact your Unit IT Administrator for additional information available here.  (If you are a UC Davis Health student, faculty, or staff member, please visit https://ucdavishealth.zoom.us for Zoom information.)

Help us improve this campus resource as we are continually updating these FAQs and working on solutions to emerging issues.