Skip to main content
Blink

System Status: 

Privacy and Security

Introduction to privacy and security best practices when using Zoom - for you and your meeting attendees.

Use this page as a guide for navigating security and privacy issues and concerns when using Zoom video conferencing technology. For comprehensive privacy information during the COVID-19 pandemic, please visit the Campus Privacy Office COVID-19 page.

Zoom and Public Events: Risk Mitigation Tips

If you share your meeting link on social media (Facebook, LinkedIn, Twitter) or another public location (like a UCTech Slack invite) anyone with the link can join your meeting. Here are some tips you can use to help when needing a public meeting space:

  • Avoid using your Personal Meeting ID (PMI) to host public events. Your PMI is essentially one continuous meeting and people can pop in and out all the time. Learn about meeting IDs and how to generate a random meeting ID in this video tutorial
  • Familiarize yourself with your Zoom settings (https://ucsd.zoom.us/profile/setting) and features. Understand how to protect your virtual space when you need to. For example, the Waiting Room (details below) is a helpful feature for hosts to control who comes and goes.
  • Know your Host Key (it’s on your Profile page). Edit it, and make it something you will remember. If you join a meeting that you created as an attendee instead of launching it as the host, you can Claim Host in the participants’ Zoom window, as long as you know your Host Key.

Screen Sharing Best Practices

The first rule of Zoom Club: Don’t give up control of your screen. 

You do not want unwanted people in your public event to take control of the screen and sharing content with the group. You can restrict this — before the meeting and during the meeting in the host control bar — so that you’re the only one who can screen-share.

To prevent participants from screen sharing during a call, using the host controls at the bottom, click the arrow next to Share Screen and then Advanced Sharing Options.

zoom-prevent-partic-screen.jpg

Under “Who can share?” choose “Only Host” and close the window. You can also lock the Screen Share by default for all your meetings in your web settings.

zoom-screen-share.jpg

 

Managing Participants (Including Using Waiting Room)

Manage your participants

Here are some other features to help secure your Zoom event and host with confidence:

  • Allow only signed-in users to join: If someone tries to join your event and isn’t logged into Zoom with the email they were invited through, they will receive this message:

    zoom-attendee-alert.jpg

This is useful if you want to control your guest list and invite only those you want at your event — other students at your school or colleagues, for example. This may have a negative effect if you are expecting guests who have never signed up for a Zoom account.

  • Lock the meeting: It’s always smart to lock your front door, even when you’re inside the house. When you lock a Zoom Meeting that’s already started, no new participants can join, even if they have the meeting ID and password (if you have required one). In the meeting, click Participants at the bottom of your Zoom window. In the Participants pop-up, click the button that says Lock Meeting.
  • Set up your own two-factor authentication: You don’t have to share the actual meeting link! Generate a random Meeting ID when scheduling your event and require a password to join. Then you can share that Meeting ID on Twitter but only send the password to join via DM.
  • Remove unwanted or disruptive participants: From that Participants menu, you can mouse over a participant’s name, and several options will appear, including Remove. Click that to kick someone out of the meeting.
  • Allow removed participants to rejoin: When you do remove someone, they can’t rejoin the meeting. But you can toggle your settings to allow removed participants to rejoin, in case you boot the wrong person.
  • Put them on hold: You can put everyone else on hold, and the attendees’ video and audio connections will be disabled momentarily. Click on someone’s video thumbnail and select Start Attendee On Hold to activate this feature. Click Take Off Hold in the Participants list when you’re ready to have them back.
  • Disable video: Hosts can turn someone’s video off. This will allow hosts to block unwanted, distracting, or inappropriate gestures on video or for that time your friend’s inside pocket is the star of the show.
  • Mute participants: Hosts can mute/unmute individual participants or all of them at once. Hosts can block unwanted, distracting, or inappropriate noise from other participants. You can also enable Mute Upon Entry in your settings to keep the clamor at bay in large meetings.
  • Turn off file transfer: In-meeting file transfer allows people to share files through the in-meeting chat. Toggle this off to keep the chat from getting bombarded with unsolicited pics, GIFs, memes, and other content.
  • Turn off annotation: You and your attendees can doodle and mark up content together using annotations during screen share. You can disable the annotation feature in your Zoom settings to prevent people from writing all over the screens.
  • Disable private chat: Zoom has in-meeting chat for everyone or participants can message each other privately. Restrict participants’ ability to chat amongst one another while your event is going on and cut back on distractions. This is really to prevent anyone from getting unwanted messages during the meeting.

Try the Waiting Room 

One of the best ways to use Zoom for public events is to enable the Waiting Room feature. Just like it sounds, the Waiting Room is a virtual staging area that stops your guests from joining until you’re ready for them. It’s almost like the velvet rope outside a nightclub, with you as the bouncer carefully monitoring who gets let in.

Meeting hosts can customize Waiting Room settings for additional control, and you can even personalize the message people see when they hit the Waiting Room so they know they’re in the right spot. This message is really a great spot to post any rules/guidelines for your event, like who it’s intended for.

The Waiting Room is really a great way to screen who’s trying to enter your event and keep unwanted guests out.

Zoombombing Awareness, Prevention and Reporting

Zoom sessions that are not password protected can be hijacked by invited individuals or joined by uninvited individual(s).  Zoombombing, a type of cyberattack, is where an individual(s) would enter a Zoom meeting and broadcast obscenities or take control of the screen. 

To prevent Zoombombing, follow the general instructions noted on this page, and specifically:

Do Not Make Meetings or Classrooms Public

In Zoom, there are two
options to make a meeting private:

1. Require a meeting password; instructions here: https://bit.ly/39Ghx85
2. Use the waiting room feature and control the admittance of guests;
instructions here: https://bit.ly/2UUik07

Change Default Settings

*Make sure you permit only authenticated
users to join sessions; instructions here: https://bit.ly/2UT9AaA

Don't Share Links

Do not share a link to a teleconference or classroom on an unrestricted
publicly available social media post. Provide the link directly to
specific people.

Manage Screen Sharing Options

Change screen sharing to “Host
Only”; instructions here:
https://support.zoom.us/hc/en-us/articles/115005759423?zcid=1231

How to Report Zoombombing Incidents

If you were a victim of a Zoom bombing, please report it as soon as possible with the date, time, meeting host and if possible screen captures of the offending material to zoombombing@ucsd.edu. It will be investigated and reported to the most appropriate campus unit, including the Office for the Prevention of Harassment & Discrimination (OPHD), if
it is behavior that constitutes harassment or discrimination.

Additional Privacy and Security FAQs

What Can I Recommend to Students to Protect Their Privacy?

If students have privacy concerns, permit students to seek approval for an alternative arrangement.  Sample alternative arrangements include: 

- Audio-only participation as an alternative to video;
- Using a virtual background (this feature is not available for all Zoom instances and may cause video quality issues).   More Zoom info is here.
- Allowing a student to not use their photo;
- Allowing a student to use an alternative to their full name, such as the student’s initials, the student’s first name or last name only.  

All alternative arrangements should be approved by the instructor in advance and should still allow the instructor to readily identify the student.  For privacy, the student need not divulge the reason for the request (e.g., I’m a sexual harassment victim, etc.).

Can Instructors Be Liable for Privacy Violations on Zoom?

Instructors are not liable for Zoom flaws.  As long as you are using Zoom as recommended by the campus, not posting your lectures on a publicly accessible website, and students are adequately advised of privacy-protective alternatives, we do not see any reasonable basis for instructor liability.

Are Zoom Meeting Sessions Encrypted?

On April 27, 2020, Zoom upgraded their encryption method (for the curious, it is being upgraded to AES-256 GCM) with increased protection of your meeting data in transit, resistance against tampering, and improved confidentiality assurances for Zoom sessions.  Stronger audio/video stream encryption is included in Zoom 5.0. For details, see Zoom 5.0 website.

How Long May I Retain My Course's Recordings?

Recordings should be deleted once they are no longer needed for their educational purpose. 

How do I Protect my Faculty Intellectual Property (IP) Rights with Zoom Lectures? 

Students should be advised that lectures must not be shared with anyone outside the classroom. 

As one precaution, instructors can disallow viewers from downloading video files to their own computers by turning off the “Viewers can download” option in the sharing settings for recordings stored on Zoom. With this option disabled, viewers can only view the video in a web browser and not download the actual video files. This makes it harder for viewers to intentionally or accidentally re-share videos. 

More information on the sharing options for Zoom recordings is available here.

 

What Information Does Zoom Collect and What Is Its Privacy Policy?

Zoom’s current Privacy Policy (revised March 29, 2020) commits to never selling customer information and to not using customer data stored on the Zoom app for advertising. 

Although Zoom’s Privacy Policy describes how, the extent to which data is used, and collected, it has recently been criticized as needing to be more specific.   Zoom has acknowledged these criticisms and committed to changes and a more detailed policy in the coming months.  

In that spirit, Zoom’s privacy officials recently met with UC privacy officers and verbally advised that Zoom does not share session content with any third parties, with the sole exception of recordings stored in a Zoom cloud.  Zoom cloud recordings are stored under contract with Amazon Web Services (AWS).   

Zoom’s Privacy Policy also states that Zoom “collects only the user data that is required to provide you Zoom services.”  In Zoom’s recent call with UC privacy officers, Zoom’s privacy official further advised that this data includes (but may not be limited to) location, device, IP address, operating system type, Zoom version, connection time.  

Zoom has posted a list of certain third parties, engaged by Zoom, who may have access to such data to assist Zoom in delivering the service.  Note that additional clarification in this area has been requested of Zoom.  The UC San Diego Privacy Office and Office of Information Assurance will continue to monitor Zoom’s privacy policy clarifications and update this FAQ accordingly.

Will a Participant’s “Private” Text Chats During a Zoom Call Ever Be Made Visible to the Host or Others?

On April 14, 2020, Zoom’s Privacy Officer advised UC privacy officers via telephone that private text chats are never made visible to anyone except to those whom they are addressed.  UC privacy officers have requested that this advice be provided in writing on a Zoom FAQ.  This answer will be updated when we become aware of any new published guidance.

Please be aware that for all non-private text chats, any participant may save that chat as a file on their computer.  Additionally, private text chats may also be saved (as a file) by the intended recipient(s) of that text chat.  

What Has Zoom Communicated to the Higher Education Community on Security and Privacy?

On April 20, 2020, Zoom gave a webinar to members of the higher education community detailing the company’s commitment to creating the best and safest Zoom meeting experiences for users and addressed security, privacy, data, and any other concerns gathered by the higher education community.  Additional information is available at here.

Zoom has also provided additional guidance to education community through a blog post available here.