Barely a day goes by without stories appearing in the media about breaches of privacy and security of Zoom videoconferences. Little wonder as Zoom mushroomed from a relatively obscure videoconferencing service with 10 million users in December 2019 to some 200 million almost overnight since the start of the global COVID-19 pandemic.
People from all walks of life are turning to Zoom to keep in touch virtually amid government stay-at-home and quarantine orders. Zoom’s new popularity has not gone unnoticed by computer hackers, pranksters and others intent on probing its vulnerabilities or disrupting virtual classes. Security experts also found Zoom’s security inadequate in some areas. Many educators are now expressing concern about the privacy and security of using Zoom. But what are the risks and what can we do to mitigate them?
What Are the Risks?
No software is entirely risk free – and Zoom is no exception.
Before its popularity exploded, Zoom developers assumed the application would be used mainly in large institutions where experienced IT staff handle security procedures. Thus, they didn’t place a significant focus on security.
When educators and consumers around the world turned to Zoom, the security flaws became apparent. “Zoombombing,” where non-invited guests intrude and disrupt the meeting, became the most common breach. Zoom’s Founder and CEO, Eric Yuan, apologized on April 1, 2020, for the company having “fallen short of the community’s . . . privacy and security expectations,” and pledged to focus all of the company’s efforts in bolstering Zoom’s security. This commitment already paid off for educators.
The most noticeable change is security settings now default to the most secure when scheduling a meeting. For example, previously, the default settings allowed hosts to set up a meeting without a password. This opened meetings to the threat of Zoombombing. The most common way to Zoombomb is by typing in random meeting IDs or finding IDs posted publicly on social media by unsuspecting users. Meetings can still be scheduled without IDs but hosts now must deliberately change the default. Zoom also added a security button to the meeting toolbar to make it more convenient for hosts to view and adjust security settings during a meeting. More educational institutions now integrate Zoom into their campus infrastructure resulting in additional security layers to protect educators and students.
Nonetheless, educators still need to be mindful of security actions to take when hosting a class using Zoom. Educators need to be aware of the various privacy settings within a meeting to safeguard themselves and their students. These are discussed next.
Scheduling a Secure Zoom Meeting
Zoom has two components, a web portal and a desktop app. If you are using the free Zoom service, you created an account on the company’s site to access Zoom’s web portal. On the other hand, if your institution has a licensed version of Zoom, you access it using your campus single sign-on credentials. In the first instance, you log in at http://zoom.us, and in the latter you log in at an address in the form http://campusname.zoom.us.
Once you start a meeting, you are prompted to download a small app. This app allows you to schedule and join meetings as well as set security features of Zoom. You should always use your campus portal as it generally will be the most secure, and you have access to other features not found with the public version. If you use the free service, make sure to use a secure password, change it periodically, and never use the same password for Zoom as any other personal or professional account.
All security settings can be done with either the app or portal, although you’ll likely find the app more convenient. This is how the opening screen of the app looks.
As mentioned above, Zoom recently changed the settings so the most secure ones are enabled by default, but you should always double-check them. You can check the security settings when you either Schedule or start New Meeting.
Here are the recommended security steps to follow.
- Always keep your app updated. When you end a meeting, Zoom normally notifies you when an update is available. It’s easy to ignore this, telling yourself you’ll update it later. This is not advised; but if you do, you can readily check to make sure you have the latest version.
Open your app and click on your initials at the top right of the screen. A menu will pop down where you’ll see the choice Check for update. Click on this to see if you have the latest version and download it if you don’t. Zoom is issuing frequent updates. It is worth checking each time you start a Zoom meeting.
- Set new ID for each meeting. Although it is not as convenient, it is more secure to let Zoom generate a new random ID for each class meeting. You should not use your personal meeting ID for your classes. Click on Generate Automatically when setting up your meeting. Your personal meeting ID is better used for individual meetings with colleagues or students, but you still need to pay attention to the security settings for these meetings.
- Use a meeting password. You should make sure Require meeting password is checked as shown in the above screenshot. Zoom generates this automatically, however, you can change it if you wish. This password is included in your meeting invitation and you should never post it on a public website or on social media.
A password improves your security only to a limited extent. Students can always forward your invitation e-mail to someone not in your class or post it on social media, even though you ask them to keep it private.
- Use authentication if possible. Click on Advanced Options at the bottom of the meeting setup window and you’ll see the menu below. If you know all your students use their institutional e-mail account, you can restrict sign on to only those with your institutional domain name. Better still, if your institution integrated Zoom into the campus single sign on system, you can require students to use their campus credentials to log in to your Zoom classes. This is the most secure of all log in procedures.
- Enable Waiting Room. Zoom has a room in which students can wait to be admitted to your virtual class when you are ready. It is analogous to students waiting in the hall before doors of the lecture hall open.
Enabling the waiting room adds an additional layer of security because you see the names of all students before admitting them. If there are names you don’t recognize, you have the option of not admitting them or removing them once they are in your class. You can see this option in the screenshot above. Just below this choice, there is a check box for Enable join before host, which allows students to come into the class before you are there. This option works only if you have not enabled the waiting room.
Ensuring Privacy of Your Class
The above five steps make your meetings secure allowing no unwanted intruders into your class. There are additional steps you can take to safeguard the privacy of your class.
- Lock your meeting. Once you are satisfied all students are logged in, you can lock your class meeting. When you do this no one else can enter even if they have a valid ID and password. It’s analogous to locking a classroom door from the inside.
The difference between a physical class and a Zoom meeting is that in a physical class, students can knock on the door to be admitted. Unfortunately, in Zoom there is no equivalent, therefore you won’t know if one of your students arrives late and wants to enter. You can lock the meeting by clicking on Security icon on the Zoom toolbar shown below and choosing Lock Meeting. Note this tool also allows you to enable the waiting room from inside the meeting rather than in advance as discussed in 5 above.
- Disable screen sharing. An attractive feature of Zoom is the ability of any participant to share their computer screen with the rest of the class. Most likely you will not want to let students share their screens initially and only let them share when you call upon them.
This prevents students from accidentally (or intentionally) sharing inappropriate content with the rest of the class. If there happens to be uninvited persons in your class despite taking the precautions described above, this action also prevents them from disrupting the class visually. Screen Share is normally disabled by default; however, you can verify this by clicking on the Security icon as shown above.
- Disable chat. You may wish to disable chat initially so no one can post messages to prevent unwanted and possibly distracting chatter as well as background noise. After the class begins, you may want to allow students to post chat messages to ask questions or respond to yours.
Most experienced Zoom educators suggest leaving private chat between students disabled to let them better focus on what is being presented to the class. There are four chat control options: (1) no one, (2) host only, (3) everyone publicly, and (4) everyone publicly and privately. No matter which option you choose, you are always be able to send messages publicly to the class and privately to individual students.
The Security tool (shown above) is a convenient location to disable/enable chat, however, enabling the chat with this tool allows everyone publicly and privately to chat. Therefore, you must take another action elsewhere to disable private chat between students. After clicking on the Chat icon, click on the three dots at the bottom right of the chat window. Then a popup window lets you choose the option Everyone Publicly, which doesn’t allow private chats between students.
- Disable student video. For privacy, you may wish to start your class with video disabled for all students. This is the default setting when scheduling a meeting. You can then call upon students to turn on their video individually when speaking by clicking on their camera icon or, if it is a relatively small class, you may want the entire class turn on their video to create a sense of community.
You should be prepared to encounter some students who will not want to turn on their video for personal reasons, and some students may be inappropriately dressed or have visually distracting backgrounds. You can turn off video of students individually if you feel someone is distracting the class. This is done by clicking on Manage Participants on the tool bar, which provides a list of all students in your class. Then you click on the camera icon to the right of the student’s name to enable/disable video as shown below.
- Record meeting only if necessary. Zoom allows meetings to be recorded either to the cloud (only for licensed users) or to your own computer. There are situations where you may want to record class meetings, such as when you want to have a record of student presentations for grading purposes, or when you want to make the recording available to students who missed a class. Some institutional policies advise against recording any meetings to maintain student privacy and some require a consent form to be signed in advance, so be sure to check your institution’s policy in advance.
You record meetings by clicking on the Record icon on the toolbar (see above). Zoom announces when you begin recording, but you should also advise students ahead of time in case they don’t want their video recorded. When recording to the cloud, you are sent a link by e-mail to preview the recording and trim the beginning and end of the recording if you want to cut off these parts. You are also given a link, with a password, to share the recording with students.
Keeping Your Security Settings
Verifying your security settings and customizing them to suit your preferences may seem like an inconvenience. The good news is once you’ve done it, you won’t have to repeat the process for future Zoom classes.
You can save your meeting as a template. Then when you schedule future class meetings, you simply use the temple to create them with the same settings. You have to log into your Zoom portal account to do this and follow Zoom’s template directions. You may wish to have different settings for different courses. For example, the settings for a small upper level seminar course might be different than those for a large enrolment introductory course. Zoom allows saving multiple templates, thus you can have a unique template for each course.
In conclusion, if you follow the advice in this article, you can host Zoom class meetings with a high degree of confidence in their security. At the same time, you are protecting the privacy of your students and minimizing risk of offensive material being posted in your class.
Additional resource link https://blog.zoom.us/wordpress/2020/03/27/best-practices-for-securing-your-virtual-classroom/