Frequently Asked Questions

•  What are the top 10 things that I can do to ensure security and privacy of my Zoom sessions?

• 1.  Use the most current version of Zoom (see How do I update my Zoom application).  It is important to manually update, as your Zoom app may not automatically update; as of June 2, 2020, the most current version is 5.0.5. Note: On May 30, 2020, all users were required to be on Zoom 5.0 or above to join meetings (More information from Campus IET is available here).
  2.  Do not post Zoom links or invites on social media or public websites (see How to Secure the Zoom Meeting Information section 2.7);
  3.  Use a unique ID for each meeting instead of using your Personal Meeting ID or PMI (see How to Control who can join your meeting, section 2.2);
  4.  Use meeting passwords (see How to Control who can join your meeting, section 2.1);
  5.  Avoid recording; if you must record, password-protect the recording and rename the saved recording (see How do I secure my Zoom Recording);
  6.  Turn off embed password in meeting link (if applicable). This will force users to type in a password rather than have one click access.  (see How to Disable Embed password in meeting link, section 2.5);
  7.  Enable Waiting Rooms and have the host allow users in one by one, or all at the same time, once all attendees have been verified (see How to Use a Waiting Room, section 2.6);
  8.  Lock meetings once all participants have joined, if applicable (see How to Secure the Zoom Meeting Information, section 2.7);
  9.  Disable file transfer settings during zoom meetings (see How to Control what participants can do in your meeting, section 3.4);
  10.  Contact your Zoom instance administrator.  Each College at UC Davis has one administrator.  See here for their contact info.
  
  Other security and privacy tips:

  -   Require meeting registration for large meetings, or non-instruction sessions (e.g., webinars) where the audience is not predetermined.  Guidance on how to setup meetings that require registration is available here.
  -   Consider updating your Zoom default settings.  Guidance on recommended default settings is available here.
  -   The Scheduling Privilege feature in Zoom allows one individual to be given delegated rights to schedule meetings for another individual.  When the privilege is granted, the delegate can see details of all meetings scheduled under the delegator’s account.  Privacy-protection options include: (1) omit confidential information from the Topic/Description fields, or (2) train and/or notify the delegate of privacy and confidentiality requirements and needs.  More information on the Scheduling Privilege for Zoom meetings is available here.

  Zoom has additional recommendations on its privacy and security page and best practices for securing your virtual classroom. 

  Note: Some recommendations on Zoom’s page may not apply to you; we have attempted to extract top 10 tips that apply to UC Davis in FAQ#1.   (For example, Zoom recommends restricting meeting participants to those who are logged into Zoom or those in your domain (e.g. UC Davis email addresses).   However, this feature (restricting meeting participants to UC Davis emails) may not work for all undergraduate teaching Zoom users.

• What is Zoombombing?
• Zoom sessions that are not password protected can be hijacked by invited individuals or joined by uninvited individual(s).  Zoombombing, a type of cyberattack, is where an individual(s) would enter a Zoom meeting and broadcast obscenities or take control of the screen. 
• What do I do if I have been Zoombombed?

• Call the IT Express Desk at 530-754-HELP who can put you in touch with your Unit IT Lead or contact your Unit IT lead.  See here for a list of Unit IT leads.  

  Use the Zoom “Security” icon found on the toolbar to stop access:

  - Lock the meeting
  - Enable the Waiting Room (even if it’s not already enabled)
  - Restrict participants’ ability to:
        -  Share their screens
        - Chat in a meetin
        - Rename themselves
        - Unmute themselves
   

  

  Use the “Participant” icon to further restrict access: 
  - Disable or Stop Video
  - Mute participants (disable allow participants to unmute themselves)
  - Remove participants

  Once you contact IT staff, they will notify other appropriate campus authorities including the Campus Information Security Office, cybersecurity@ucdavis.edu, and the Campus Privacy Office, privacy@ucdavis.edu.  The Campus Information Security Office and Campus Privacy Office may engage the UC Davis Police Department accordingly. Zoombombing is considered a cybercrime, and UC Davis Police may report the incident to the FBI.   

• How do I protect against Zoombombing and what are the important features I need to be aware of?

• To reduce the risk of Zoombombing, follow these tips recommended by the FBI:

  -  Do not make meetings or classrooms public.
  In Zoom, there are two options to make a meeting private: require a meeting password and/or use the waiting room feature and control the admittance of guests.
  -  Do not share a Zoom link on a social media post or other public website. Provide the link directly to specific people.
  -   Manage Zoom screen-sharing options by disabling participant screen-sharing or changing screen-sharing to “Host Only.” [May 4, 2020 update to this tip:  Zoom recently updated the default screen-sharing settings for education users. Sharing privileges are now set to “Host Only,” so instructors by default are the only ones who can share content in class. Update your Zoom app to ensure you have access to the latest fixes.]

  Additional tips from the campus include:

  -   Participants have the ability to invite other users once they are in a meeting. To prevent participants from inviting other users during a meeting, the host can turn on the Waiting Room or lock the meeting to prevent anyone else from joining. 
   

  

   

• What are new Zoom privacy enhancements, communications, or guidance that instructors need to be aware of?

• This section describes recent changes to Zoom’s privacy policy, enhanced privacy features added to Zoom in May and June 2020, and “other updates,” including recent communications/webinars from Zoom on privacy.

  On June 2, 2020, Zoom released Version 5.05, which they tout as enhancements to privacy features: 

  -  Zoom updated “channel” features.  A Zoom channel can help with your Zoom teaching by creating a “chat room” or virtual bulletin board that all class members (including the instructors) have access to outside of normal class hours.   Click here for how to create a “class channel.”  

  Zoom has now updated privacy controls for a channel.  You can now view your privacy controls, control who can view past channel chats, and control whether the channel is private or public, as displayed in the below graphic. 
   

  

   

  -  Enabling public channel admins and members to add external users to their public channel. Guidance on creating and using channels group messaging is available here. 

  On May 10 and 17, 2020, Zoom released new enhancements to existing privacy features such as:

  -  Require two-way consent for a participant to be muted:  1) the host has to enable the unmute function and 2) the participant also has control over whether they can be unmuted.

  -  Personal information, such as email address, personal meeting ID and phone number, will be partially masked with asterisks (*). Full details will only be shown when the user explicitly clicks on the “show” option. 

  Zoom’s Privacy Policy    

  Zoom’s current Privacy Policy (revised March 29, 2020) commits to never selling customer information and to not using customer data stored on the Zoom app for advertising. 

  Zoom collects a user’s technical data elements such as OS type and version, IP addresses, device type, and city-level location data to understand how the Service is used, diagnose technical issues, and conduct analytics.  

  Although Zoom’s Privacy Policy describes how, the extent to which data is used, and collected, it has recently been criticized as needing to be more specific.   Zoom has recently changed the privacy policy to remove “legalese” and has reached agreement with the authorities (the New York Attorney General’s Office) who originally filed a complaint on the privacy policy.

  In that spirit, Zoom’s privacy officials recently met with UC privacy officers and verbally advised that Zoom does not share session content with any third parties, with the sole exception of recordings stored in a Zoom cloud.  Zoom cloud recordings are stored under contract with Amazon Web Services (AWS). 

  Zoom’s Privacy Policy also states that Zoom “collects only the user data that is required to provide you Zoom services.”  In Zoom’s recent call with UC privacy officers, Zoom’s privacy official further advised that this data includes (but may not be limited to) location, device, IP address, operating system type, Zoom version, connection time.  

   Zoom has posted a list of certain third parties, engaged by Zoom, who may have access to such data to assist Zoom in delivering the service.  Note that additional clarification in this area has been requested of Zoom.  The UC Davis Privacy Office and Information Security Office will continue to monitor Zoom’s privacy policy clarifications and update this FAQ accordingly.

  Other updates    

  Zoom has provided guidance regarding data subject access requests at zoom.us/gdpr.

  Zoom has a legal obligation to investigate any complaints received by Zoom that indicate child exploitation. 

  On April 20, 2020, Zoom gave a webinar to members of the higher education community that addressed data security and privacy concerns.  Additional information is available at here.

  Zoom has also provided additional guidance to education community on April 24, 2020 through a blog post available here.

  Zoom continues to provide progress updates on its 90-day privacy and security plan.  The updates are available on Zoom’s May 27, 2020 blog.

• In terms of Privacy and Security, is it better to use the web app as opposed to downloading and using the Zoom app?
• Zoom’s Chief Privacy Officer claims that there is no difference in privacy/security levels between using the web application versus using a downloaded application.  The sole difference described by Zoom’s Chief Privacy Officer is that the user has to manually download the latest version, whereas the web application automatically updates. If you are using the desktop client, you should regularly check and install the latest Zoom updates.  Guidance on how to update your Zoom app is available here.
   
• What can I recommend to my students to protect their privacy?

• If students have privacy concerns, permit students to seek approval for an alternative arrangement.  Sample alternative arrangements include: 

  -   Audio-only participation as an alternative to video;
  -   Using a virtual background (this feature is not available for all Zoom instances and may cause video quality issues).   More Zoom info is here.
  -   Allowing a student to not use their photo;
  -   Allowing a student to use an alternative to their full name, such as the student’s initials, the student’s first name, or last name only.  

  All alternative arrangements should be approved by the instructor in advance and should still allow the instructor to readily identify the student.  For privacy, the student need not divulge the reason for the request (e.g., I’m a sexual harassment victim, etc.).

• How can student privacy be protected when proctoring an exam in Zoom?
• The campus has three digital proctoring technologies available, Zoom, Examity, and Respondus.  For more information on privacy considerations, please see remote proctoring and privacy guidance on the campus privacy page.
• What if I want to require all of my students to have their video on?

• Requiring students to turn on their camera and to be recorded poses privacy concerns and should be undertaken with care and transparency. We recommend that instructors exhaust feasible alternatives prior to requiring video be turned on and advise students of potential alternatives in advance. See FAQ#3 above for potential alternative arrangements and recommendations for protecting student privacy. Below are examples of challenges that may affect their ability to comply with video-on mandates or where they may raise privacy concerns: - Access to technology or equipment: inability to pay internet bill, low-tech environment, poor internet connectivity, low bandwidth, or limited computer hardware. - Private space or environment: chaotic home environment, concern over judgement of private space, view of personal bedroom or space, limited or no access to private space. - Video recordings have been reported by some students in the UC to trigger a prior history of abuse or post-traumatic stress disorder. - Misuse of or unauthorized access: sharing video, screen captures, or photos; pinning (allows participants to magnify and “watch” the image of another person in the Zoom room, without that person’s knowledge. More information on pinning is available in FAQ#3 above and here). 10 FAQs on Privacy in Zoom Classrooms Publication Date: 9/21/2020, rev. 10/29/2020

  Note: Video alternatives may not be possible for remote proctoring situations. We suggest different alternatives for remote proctoring available here

• What type of privacy laws and UC policies apply to my Zoom sessions?
• Zoom classroom recordings are generally protected as Family Education Rights and Privacy Act (FERPA) records because student PII or Personal Identifiable Information (name, image, etc.) is present in the recording. The Department of Education issued COVID-specific FERPA guidance, advising that the FERPA Health & Safety Emergency Exception may be used to respond to COVID19 pandemic safety needs. The Department of Education has also reissued Remote Learning Guidance. Zoom claims compliance with FERPA guidelines. For more information, see Zoom’s FERPA Compliance Guide. Zoom classroom recordings are subject to the UC’s Electronic Communications Policy (ECP). In terms of UC-specific policies, your Zoom administrator will have access to all cloud recordings associated with your account, however, they must follow the UC Davis Policy and Procedure Manual Section 310-24, Electronic Communications—Privacy and Access to access those recordings and the UC ECP. This process requires requesting consent from the holder of that recording (you, the faculty member); or, requesting approval from the campus privacy officer and appropriate campus leadership, if the holder declines to give consent.
• What are my Zoom default settings?
• Each UC Davis unit has discretion to define its default Zoom settings. We have recommended certain default security and privacy settings to Zoom unit administrators.   For security reasons, those settings are not publicly posted. For more information on our recommended default settings, contact cybersecurity@ucdavis.edu.
• Can instructors be liable for privacy violations on Zoom?
• Instructors are not liable for Zoom flaws.  As long as you are using Zoom as recommended by the campus, not posting your lectures on a publicly accessible website, and students are adequately advised of privacy-protective alternatives, we do not see any reasonable basis for instructor liability.
• Are Zoom meeting sessions encrypted?

• On April 27, 2020, Zoom upgraded their encryption method (for the curious, it is being upgraded to AES-256 GCM) with increased protection of your meeting data in transit, resistance against tampering, and improved confidentiality assurances for Zoom sessions.  Stronger audio/video stream encryption is included in Zoom 5.0.

  All faculty, students and staff must have upgraded to Zoom version 5.0 or above by May 30, 2020 in order for the new encryption standard to work.  For details, see the Zoom 5.0 website. Guidance on how to update your Zoom app is available here.

• Are there privacy concerns with the release of recorded lectures, recordings of lectures or meetings, and how long may I retain my course’s recordings?

• Release of recorded lectures:

  Yes, we encourage faculty to avoid the “publish” link on Zoom.  This link is shareable and could be re-posted on a public website.  Instead, faculty are encouraged to use Aggie Video to store video recordings, and share lectures with students (see How to save a Zoom Cloud recording to Aggie Video and embed into Canvas), which allows sharing to be limited to UC Davis.  

  The Campus Information Security Office has evaluated the security controls around videos uploaded in Canvas as files and determined that Canvas does not have sufficient controls to ensure security and privacy of information in the video recording. When you upload a video recording to Canvas and a student downloads it, you have no control on what the student can do with the video. Aggie Video gives the instructor more controls on what the student can do with the video.  Other tips on maintaining the security of recorded sessions is available at this link as well. 

  Additionally, to protect the privacy of your students and the security of your lectures, check that your Zoom instance administrator has programmed the pop-up notice.  The notice should advise all participants of the recording and of recording rules, rights, and restrictions.  

  Below is a sample video recording disclosure message: 

  “This session and any personal information you share during the session will be recorded.  Participants are prohibited from electronically capturing or re-disclosing session information.  Participants may opt-out of being personally identified only with advance host/instructor approval.”

  Recording lectures and meetings:

  Prior to recording a lecture, please also notify students in advance that sessions will be recorded and that students may opt for privacy-protective alternatives, with instructor approval (see FAQ#7). 

  Campus Zoom accounts do not have the security levels to store personal health information, therefore any meetings that contain this information should not be recorded.

  Retention of course recordings:

  Recordings should be deleted once they are no longer needed for their educational purpose.  Your Zoom administrator can set “automatic deletion” settings for all recordings after a certain number of days.  Some units have established 100 days as the automatic deletion period, with a reminder of 7 days before the automatic deletion and a 30-day safety valve for instructors who forget after the 100 days and want to retrieve their lectures.

  Your Zoom administrator will have access to all cloud recordings associated with your account, however, they must follow the UC Davis Policy and Procedure Manual Section 310-24, Electronic Communications—Privacy and Access to access those recordings.  This process requires requesting consent from the holder of that recording (you, the faculty member); or, requesting approval from the campus privacy officer and appropriate campus leadership, if the holder declines to give consent.

• Can I use Zoom to provide accommodations and ensure privacy to students with disabilities?

• Yes, you can, by creating Zoom break out rooms. More information is available here.
• How do I protect my faculty Intellectual Property (IP) rights with Zoom lectures? What if lectures have been made available to students then shared with others?

• Students should be advised that lectures must not be shared with anyone outside the classroom.  Inappropriate sharing may be subject to discipline pursuant to the university’s student misconduct policies.  For more information on protecting your IP rights, please see the following guidance on protecting an instructor’s IP rights. 

  As one precaution, instructors can disallow viewers from downloading video files to their own computers by turning off the “Viewers can download” option in the sharing settings for recordings stored on Zoom. With this option disabled, viewers can only view the video in a web browser and not download the actual video files. This makes it harder for viewers to intentionally or accidentally re-share videos. 

  More information on the sharing options for Zoom recordings is available here.

• Are student privacy or FERPA guidelines relaxed during the pandemic? Is Zoom in compliance with FERPA guidelines and what concerns have been raised?

• The Department of Education issued COVID-specific FERPA guidance, advising that the FERPA Health & Safety Emergency Exception may be used to respond to COVID-19 pandemic safety needs.

  The Department of Education has also reissued Remote Learning Guidance.

  Zoom claims compliance with FERPA guidelines. For more information, see Zoom’s FERPA Compliance Guide. There are FERPA concerns that have been raised such as Zoom generates attendee reports for the instructor that list a student’s mobile telephone number as well as their email address. FERPA allows a student’s mobile phone number and email address to be communicated to an instructor, provided the instructor does not further disclose that information and limits the use of that information for the student’s legitimate educational interest. 

  Zoom also allows individual users or administrators to mask phone numbers.

• Will a participant’s “private” text chats during a Zoom call ever be made visible to the host or others?

• On April 14, 2020, Zoom’s Privacy Officer advised UC privacy officers via telephone that private text chats are never made visible to anyone except to those whom they are addressed.  In May 2020, UC privacy officers requested a second time that this advice be provided in writing on a Zoom FAQ and have not yet received a response from Zoom.  This answer will be updated when we become aware of any new published guidance.

  Please be aware that for all non-private text chats, any participant may save that chat as a file on their computer.  Additionally, private text chats may also be saved (as a file) by the intended recipient(s) of that text chat.  

• Has the campus assessed Zoom’s security and privacy?

• The UC Davis Information Security Office Vendor Risk Assessment team has reviewed Zoom, including its third-party attestations regarding security. The team completed a formal risk assessment report for the campus Chief Information Security Officer and Chief Information Officer.  If you have questions about Zoom and the results of this assessment, please contact cybersecurity@ucdavis.edu.
  
  The UC Davis Privacy Office also reviewed Zoom as a part of that vendor risk assessment and found that third-party privacy review needed updating.  UC Davis has requested an updated report.

  Alternatively, the campus IET department is currently considering other alternative solutions to Zoom.  For questions or if you have a product for consideration, contact IT Express Desk at 530-754-HELP.

• I have more general questions on how to use Zoom. Who can help or where can I find additional resources?

• The IT Knowledge Base websites also have resources and helpful articles:

  -   Zoom guide for faculty
  -   Zoom guide for staff
  -   Zoom guide for students

• What are past privacy and security issues that Zoom has resolved?

• This information is available here.
• These FAQs didn’t address my concerns. Who should I contact for help or to request an update to these FAQs and how do I identify the weekly changes made to them?

• If you are aware of other Zoom security and privacy issues, please contact the UC Davis Privacy Office at privacy@ucdavis.edu and the Information Security Office at cybersecurity@ucdavis.edu.  Or, contact your Unit IT Administrator for additional information available here.  (If you are a UC Davis Health student, faculty, or staff member, please visit this website for Zoom information.) 

  Help us improve this campus resource as we are continually updating these FAQs and working on solutions to emerging issues.

  See below for a summary of the changes made to the FAQs on a bi-weekly basis. Note that these updates will sunset at the end of June. See the Zoom Blog for the latest update on their 90-Day Security Plan Progress. 

Other Resources

• Draft Privacy Guidance on Remote Proctoring Technologies
• Zoom Privacy and Security Concerns for Faculty and Instructors
  • Joint Letter from the Campus Privacy Officer and Chief Information Security Officer on Zoom Privacy and Security Concerns [April 10, 2020]
• FERPA Guidance for Remote Teaching and Learning
  • March 23, 2020 FERPA and Virtual Learning Guidance
  • March 30, 2020 Webinar on FERPA and Virtual Learning During COVID-19: https://studentprivacy.ed.gov/training/ferpa-and-virtual-learning-during-covid-19-webinar-recording
  • FAQs on FERPA and COVID-19: https://studentprivacy.ed.gov/sites/default/files/resource_document/file/FERPA%20and%20Coronavirus%20Frequently%20Asked%20Questions.pdf