Zoom Security and Privacy

The privacy of our students, instructors and staff is extremely important. The University of Calgary Zoom account provides several features that have been configured to protect your privacy and ensure security within classes and meetings.

There have been several reports of potential security vulnerabilities, which have been addressed either by Zoom or by the University of Calgary.

Actions that have already been taken:

  • UCalgary login integration: On March 13, 2020, Zoom was integrated with the UCalgary authentication system so you can use your UCalgary login credentials rather than having to create a separate account on Zoom.
  • EducationResources to support the effective use of Zoom, and to manage participants in large meetings have been developed.
  • Encryption of all meeting content: All audio. video, and text content is encrypted in transit between your device and Zoom’s servers, which prevents unauthorized third parties from intercepting your meeting content.
  • Attention Tracking: Zoom has a feature that allows it to indicate if a participant is multitasking by using another application during a meeting. This involves sending information to Zoom’s servers to list which applications are running on a person’s computer, and we determined this to be a violation of privacy. We disabled this feature on March 22, 2020.
  • Canadian data residency: as of April 18, 2020, all content and data is restricted to Canadian and US servers. Meeting content will only be sent outside of Canada if meeting participants are located outside of Canada. Zoom meeting content (video, audio, and text chat) has been restricted to only pass through servers in Canada and US datacentres. It is not possible to exclude the US datacentres at this time, but that functionality is being by developed by Zoom and will be implemented as soon as possible. All other international datacentres (including China) have been restricted from being used by our campus Zoom account.
  • Privacy Impact Assessment: Information Technologies worked with Zoom to identify potential risks to privacy, and to develop plans to mitigate those risks.
  • Threat Risk Assessment: An analysis of Zoom’s software, service, and configuration was completed, with a remediation plan developed by the UCalgary Zoom project team.
  • Account information leak: On April 14, 2020, analysts discovered an archive of 500,000 Zoom account passwords published on the “dark web”. Accounts that were set up through UCalgary single sign-on are not affected, but anyone with legacy accounts created on Zoom before UCalgary adopted Zoom in March 2020 may be included in that archive. All administrators have reset their Zoom account passwords, and anyone with a legacy Zoom login is encouraged to change their “Sign-in Password” by editing their Zoom profile.
  • Annotation Tool: As of July 2020, the Annotation Tool has been turned off by default. Zoom hosts may re-enable this feature by logging in to the Zoom Web Portal. The option is under Settings > Meeting > Annotation.

ZoomBombing prevention

  • D2L integration: For classes, Zoom has been integrated with D2L so instructors can schedule meetings from within the course, and students can easily join the meeting after logging into D2L. This prevents unauthorized individuals from accessing the meeting, unless someone in the class intentionally shares the login information outside the class.
  • Password protecting meetings: As of May 6, 2020, all new meetings will have passwords required by default. The password can be turned off for specific meetings if needed. For meetings that need to be shared outside of D2L, meeting hosts are encouraged to use a password for the meeting so it is impossible for unauthorized individuals to enter the meeting unless someone has intentionally shared the login information with them.
  • Password protecting meeting recordings: As of April 15, all meeting recordings will be password protected.
  • Incident reporting: A process has been developed to document and respond to reports of ZoomBombing and abuse by participants in Zoom meetings. If you are the host of a meeting that has a ZoomBombing incident, please report it immediately.

Planned actions:

  • Waiting Room: This is optional at the moment, but the Waiting Room will be turned on by default for new meetings starting with Spring 2020.
  • YuJa integration: Prior to Summer 2020, YuJa will be integrated so that meeting recordings can be automatically moved from Zoom’s servers to the University of Calgary’s YuJa video content management system. This will allow more effective security of content, as well as providing additional functionality such as closed captioning and integration with D2L.