
Zoom Privacy and Security FAQ

Published on Apr 02, 2020 

Updated on 6/25/2020 to add Zoom's statement about end-to-end encryption.

Updated on 4/14/2020 to add Zoom's statement on improving their approach to encryption of meetings as well as an update on whether they share user data.

Updated on 4/6/2020 to add Zoom's statement responding to confidentiality of Zoom meetings (due to encryption concerns).

We have been tracking reports and news coverage of privacy and security concerns with Zoom. This FAQ provides a list of those concerns with our responses. It will be updated as more are received.

Please feel free to email InformationSecurityOffice@IllinoisState.edu to submit additional questions.

Zoom is Illinois State University's official video and web conferencing service. It allows for users to remotely connect one-on-one or as a group. More information is available in the Overview of Zoom article on IT Help.

Data Privacy Concerns

The following are a series of questions that we have received and responded to on the topic of data privacy when the Zoom application is used.

This concern primarily stems from news coverage of a since-removed feature.

Prior to a change on March 27, personal data about a device was being shared with Facebook. Zoom was using a common software development kit (SDK) from Facebook to enable login functionality using a Facebook account. That Facebook SDK included default data collection.

As a direct result of the public concern, Zoom investigated the situation and recognized the issue. They opted to re-engineer their application to no longer leverage the Facebook SDK. They still allow Facebook accounts to be used for login, but the device data is no longer shared, and no data is shared at all if Facebook login is not used.

Zoom released a public statement on their blog. A copy is provided below with a link to the original.

Source: https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-in-ios-client/


This concern primarily stems from news coverage of how Zoom describes their security for meetings and webinars.

Update: On June 17, 2020, Zoom announced that end-to-end encryption would be made available to all paid and free accounts and meetings. Free accounts will need to go through a registration process.

Update: On May 22, 2020, Zoom released a draft design of their end-to-end encryption with open input and review from industry experts. They also indicated that end-to-end encryption would be available to all paid customers.

Update: On April 3, 2020, a research group at the University of Toronto identified a vulnerability in Zoom's approach to encryption. The original information has been kept below, and a new FAQ item has been added.

In documentation, as well as in their applications, Zoom makes references to "end-to-end encryption" (also known as "E2E encryption"). As with many aspects of technology, a commonly understood term or phrase can also carry highly specific technical requirements that must be met for it to be valid. Many felt that Zoom's description was disingenuous when comparing the technical specifications of E2E encryption with the approach Zoom takes to encryption. Zoom does use encryption in many ways, and some of those uses do in fact achieve end-to-end (Zoom app to Zoom app) encryption.

Zoom released a public statement on their blog about this. A copy is provided below with a link to the original.

Source: https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/


Update: Zoom released an update on their blog about this. A copy is provided below with a link to the original.

Source:


This concern primarily stems from news coverage of the privacy policy Zoom had published on their website.

Update: On April 8, 2020, Zoom released a summary of an open question-and-answer session with their CEO and the public. In that summary, they answer a question about providing user data to other companies or entities. They indicate that they never share any user data from meetings. A copy of the statement has been added below.

In general, users should always be aware of the privacy policies for services they access. However, University members should also be aware that when we license a service such as Zoom, we enter into a contractual agreement that provides additional protections to data and privacy beyond those public policies. While Zoom already does not sell or share data from meetings, they also cannot use other data that we have provided them.

We are in the process of writing a few awareness articles on our data security practices and procedures. These will include details about the steps we take to analyze and assess third-parties when they will receive University data.

Zoom released a public statement on their blog about this. A copy is provided below with a link to the original.

Source: https://blog.zoom.us/wordpress/2020/03/29/zoom-privacy-policy/


Update: Zoom released an update on their blog about this. A copy is provided below with a link to the original.

Source: https://blog.zoom.us/wordpress/2020/04/08/zoom-ask-eric-anything-webinar-addresses-user-security-privacy-concerns/


This concern primarily stems from an assessment conducted by The Citizen Lab, a research entity at the University of Toronto.

Update: On April 8, 2020, Zoom released a summary of an open question-and-answer session with their CEO and the public. In that summary, they share their plans for the encryption used for Zoom meetings. They are focused on implementing changes over the next 45 days. A copy of the statement has been added below.

Update: On April 3, 2020, Zoom released a statement responding to these findings. They indicated that there is now geo-fencing to prevent communication with Chinese servers. They also state that they are working with experts to implement best practices for their approach to encryption. A copy of the statement has been added below.

The research conducted by members of The Citizen Lab examined the encryption technology that the Zoom service uses. In their findings, the researchers identified a method by which they could possibly compromise the encryption that secures the audio and video of Zoom meetings. They also shared that the encryption keys created by Zoom for each session can come from servers located in China.

The technical steps to compromise Zoom's encryption require a specific skill set and access to a network where a meeting session is occurring.

At this time, the University continues to recommend Zoom as an acceptable tool to deliver University instruction. The University is continuing to monitor this issue, will closely follow Zoom’s response, and provide updates as information becomes available.

Out of an abundance of caution, the Information Security Office has issued specific recommendations regarding use of Zoom to specific University departments/units to protect communications that may be at risk due to this vulnerability. If you have questions please contact the Information Security Office for additional information.

Zoom has not yet released a public statement. A copy of the published report by The Citizen Lab is provided below with a link to the original.

Source: https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/


Update: Zoom released a public statement on their blog about this. A copy is provided below with a link to the original.

Source: https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/


Update: Zoom released an update on their blog about this. A copy is provided below with a link to the original.

Source: https://blog.zoom.us/wordpress/2020/04/08/zoom-ask-eric-anything-webinar-addresses-user-security-privacy-concerns/


Device Security Concerns

The following are a series of questions that we have received and responded to on the topic of device security where the Zoom application is used.

This concern primarily stems from news coverage of how the in-meeting chat could be used to obtain the hash of a user's credentials from a Windows computer.

Update: On April 2, 2020, Zoom has updated their client software to address this issue. Users must have the latest version to receive this fix. Original information has been kept below.

First, the credential hash is not the username and password of a user in plain text. Instead, it is an encrypted form of that information. Second, while there are techniques to reverse the encryption of such hashes, password complexity and length mitigate this by increasing the amount of time required.

There are techniques where a stolen hash could be used as-is against other systems to gain access. This is commonly called Pass-the-Hash. Attacks of this nature tend to be very targeted and are not often a concern for our users.

Zoom has not yet released a public statement, but they have responded to news agencies and acknowledged that they are working to address this issue.

We have two key recommendations to mitigate the risk of this attack method:

  1. Use a pass phrase instead of a password.
    1. This increases the length and overall technical complexity of a password while still being easy to remember for the user.
  2. Do not click on links in the Zoom meeting chat that look suspicious.
    1. This attack method requires a link that starts with two backslashes.
    2. Example: \\attack.website.com\file.jpg (notice the missing http: or https:)
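As an added example (not Zoom's code and not part of the original FAQ), the following Python check illustrates the second recommendation in a way an administrator could apply to an exported meeting chat: it separates ordinary http:// and https:// links from UNC-style links that start with two backslashes and reports the sender and the host each such link points at. The sample transcript, the function names (classify_links, is_suspicious, triage) and the sender names are constructed for this illustration; the host attack.website.com is the one from the example above.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

# Windows UNC path: two leading backslashes, a host, then optional \segment parts.
# The lookbehind keeps us from matching the tail of a word or of a longer run of backslashes.
UNC_RE = re.compile(r'(?<![\w\\])\\\\[A-Za-z0-9._-]+(?:\\[^\s\\]+)*')
# Ordinary web link, which is what a meeting chat link should normally look like.
WEB_URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


@dataclass
class LinkFinding:
    kind: str    # "unc" (starts with \\) or "web" (http:// or https://)
    value: str   # the link text exactly as it appeared in the message
    host: str    # the remote host the link points at


def classify_links(message: str) -> List[LinkFinding]:
    """Return every link-like token in one chat message, tagged by kind."""
    findings: List[LinkFinding] = []
    for m in WEB_URL_RE.finditer(message):
        url = m.group(0)
        findings.append(LinkFinding("web", url, urlsplit(url).hostname or ""))
    for m in UNC_RE.finditer(message):
        path = m.group(0)
        host = path[2:].split("\\", 1)[0]  # text between the leading \\ and the next \
        findings.append(LinkFinding("unc", path, host))
    return findings


def is_suspicious(message: str) -> bool:
    """True when the message carries a UNC-style link (the pattern described in the FAQ item)."""
    return any(f.kind == "unc" for f in classify_links(message))


def triage(chat: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (sender, host, link) for every UNC link in an exported chat transcript."""
    hits: List[Tuple[str, str, str]] = []
    for sender, message in chat:
        for f in classify_links(message):
            if f.kind == "unc":
                hits.append((sender, f.host, f.value))
    return hits


# Constructed sample transcript as (sender, message) pairs; not real meeting data.
SAMPLE_CHAT = [
    ("host",   "Slides are posted at https://illinoisstate.edu/zoom"),
    ("guest1", "can someone open \\\\attack.website.com\\file.jpg for me?"),
    ("guest2", "my c:\\temp folder is full again"),   # a local path, not a UNC link
]

if __name__ == "__main__":
    for sender, host, link in triage(SAMPLE_CHAT):
        print(f"review: {sender} posted a UNC link to {host}: {link}")
```

The check deliberately flags a bare \\host as well as \\host\share, since either form is enough to warrant a second look; a single backslash in a local path such as c:\temp is not reported.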

This concern primarily stems from news coverage of how a macOS computer with Zoom installed could have its camera and microphone enabled without knowledge of the user.

The security researcher who identified this vulnerability shares that it requires the device to already be compromised in some fashion. The attacker must either have physical access to the macOS computer or have remote access through some other means.

Zoom has not yet released a public statement.

We recommend users ensure their devices are physically safe and not compromised with malicious software to mitigate this attack method.
