The security of Zoom, used in online teaching and meetings, has been much discussed in media recently. UEF has taken a closer look at the discussion and sorted out the security implications.
The Zoom service used in UEF is offered and implemented by CSC through NORDUnet. The service is located in Sweden and it’s used by Nordic education and science communities. Security and privacy statements of the service are in line with both European and national information security legislations.
The Zoom service offered by CSC is technically different from the free to use American Zoom service offered by Zoom Video Communications, Inc. The leaked phone numbers and credit card numbers mentioned in media do not apply to the Zoom service offered by CSC. The cloud storage feature has been disabled in the Zoom service used in UEF. Any recordings made of online teaching sessions or meetings have not been stored outside the EU, they have been stored in the users’ devices only.
Media has reported that the Attendee attention tracking feature in Zoom can be used by the organizer to track the activity of participants. This feature can only be used to see if a participant’s Zoom session is active not. This feature has been turned off by default in UEF and is now disabled completely, so the organizer cannot activate it anymore.
Media has also reported that the Zoom iOS app (iPhone, iPad), leaks device data to Facebook, and that Zoom has failed to mention this feature in its App Store EULA. The leaks were related to the app’s Facebook login feature, which passed on device data to Facebook when launching or closing the app. Zoom has removed this feature from the iOS app in the updated version 4.6.9., so updating the app from App Store is recommended. The device data passed on to Facebook contains only device technical information, which is by itself not enough to recognize a single user.
Furthermore, media has spotlighted an old vulnerability in Zoom, allowing an attacker to spy on the cameras and microphones in Apple MacBooks. The vulnerability was published in July 2019 and patched by Zoom in July 2019. It’s recommended to always use the latest versions of apps and install any security updates without delay.
It has also been reported that some Zoom meetings have received uninvited guests or been disrupted with inappropriate video clips. This is a common problem with online meetings. Anyone with the invite link may participate in open online meetings. The organizer can control participation with password or login requirements and choose if joining is allowed to anyone or registered users only.
If you have further questions regarding the security of Zoom, please contact: servicedesk@uef.fi