There has been a lot of concern in the headlines recently about Zoom's security. If you haven't been keeping up with it, let me begin with a brief history.
Zoom is a video conference platform known for its ease of use. With much of the world moving to working online due to COVID-19, Zoom has experienced massive growth: 10 million daily meeting participants in December 2019, up to 200 million daily meeting participants in March 2020.
This week there have been serious concerns raised about how secure Zoom's platform really is.
The main concerns are around so-called "zoombombing", where uninvited guests crash the party, and "end to end encryption": Zoom claimed to have it, but they don't. I'll look at each of these in a bit more detail soon.
As a result of these concerns, some organisations (eg NASA and Elon Musk's SpaceX) have completely banned the use of Zoom by their employees, while others have published guidelines around the safe use of Zoom.
On the 1st April (updated 2nd April), New Zealand's National Cyber Security Centre (NCSC) published advice to public servants, in which they announced that Zoom was not to be used when dealing with sensitive material classified above "RESTRICTED".
Note that they didn't say Zoom is not suitable for any use.
They also gave some clear guidelines on how to use Zoom safely. One particularly noteworthy point:
NCSC recommend avoiding the mobile app. Always use the desktop app or the browser (in that order of preference).
If your school is using Zoom for learning, or to collaborate with other schools or agencies providing support, there are some steps you can take to stay safe.
Zoom's Security Concern #1: Zoombombing
The more Zoom's platform takes off for good and wholesome purposes, the more it becomes a target for not so wholesome purposes.
Some particularly nasty people have been joining Zoom meetings to which they have not been invited, taking over, and sharing offensive material. This practice has become known as "Zoombombing", and is largely avoidable with the right settings.
To prevent Zoombombing:
Make it difficult for uninvited guests to get in, and
Make it difficult for uninvited guests to do anything if they do get in.
Make it difficult for uninvited guests to get in
Use a random link. Don't use the Personal Meeting ID, which stays the same each time.
Don't share the meeting link publicly. Send the link directly to the people whom you want to attend, and only those people (e.g. no links on social media).
Set a password for entry.
Allow only signed-in users to join.
Enable the waiting room, which means guests who click the meeting link can't actually join until the meeting host lets them in.
Once everyone you're expecting has arrived, you can Lock the meeting.
All of these settings can be set by the meeting host before the meeting begins.
See Zoom's own blog post for more detail on how to prevent Zoombombers from getting in to your meetings.
Make it difficult for uninvited guests to do anything
Intruders can disrupt a meeting by sharing in three ways: talking, posting in the chat, and taking over the screen-share. Each of these can be disabled or restricted. See Zoom's blog post for details.
Zoom's Security Concern #2: End-to-end encryption
There's a more serious and technical security concern in the media at present. Zoom claimed to secure meetings with "end-to-end encryption", but it turns out they were using their own definition. Zoom meetings are not secured with end-to-end encryption, at least in the way that most people understand the term.
What is end-to-end encryption?
Without getting too technical, it means that the message is encrypted from when you type it until the recipient reads it. Nobody else, including the messenger, can read it.
If Zoom really did have end-to-end encryption, they wouldn't be able to access your meeting data.
In reality, with Zoom meetings, the data is encrypted from when it's sent from your Zoom account until it gets to the recipient's Zoom account.
That's an important distinction. The data is still encrypted, but Zoom themselves could potentially access it. More details in this article from The Intercept.
How bad is it really?
Zoom have published a detailed response, which you can read here. This quote is particularly relevant:
Importantly, Zoom has implemented robust and validated internal controls to prevent unauthorized access to any content that users share during meetings, including – but not limited to – the video, audio, and chat content of those meetings.
Translation: they have their own internal processes, outside of the end-to-end encryption picture, to prevent Zoom staff or systems accessing your data.
What does this mean for schools?
As mentioned above, New Zealand's Government still see fit to use Zoom for meetings classified "RESTRICTED" and below.
The odds are pretty good that your teachers' lessons don't involve material sensitive enough to be a concern. The only remaining issue, then, is protecting our students' privacy.
Privacy Concerns in Schools
Privacy concerns are not unique to Zoom. Your school needs to have a conversation about how to handle privacy in any video conference platform.
Will you allow teachers to record video of meetings? Will you allow students to record video of meetings? What will happen to chat archives? Can meetings be recorded if they don't include student faces?
You're the best person to make these decisions for your own learning community. Start these conversations and set clear guidelines.
It's worth noting that Zoom allows meeting hosts to restrict attendees' ability to save chat and record video.
Is Zoom safe for schools?
In my opinion, yes.
Teachers can keep their class meetings secure from uninvited guests by following the recommendations above.
As for Zoom's own access to the platform, Zoom have already taken steps to improve their security and how data is used, and have committed to continuing to do so.
If you're invited to a Zoom meeting and you're not comfortable, talk to the meeting host about what measures and settings they have in place to ensure security.
And as always, keep the conversations going. The more we all embrace safe practices online, the safer the internet will be for us and for our students.