Security concerns over Zoom remain despite UC Davis’ unique contract terms complete with contractual data security, privacy terms, safeguards

Security concerns over Zoom remain despite UC Davis’ unique contract terms complete with contractual data security, privacy terms, safeguards

Photo Credits: Justin Han / Aggie.

Zoombombing, surveillance, more: University recommends that although Zoom has been deemed safe enough for wide-spread adaptation, students, faculty should “exercise caution”

As universities rapidly transition to online learning for their Spring Quarters and semesters, Zoom usage has increased significantly. According to CEO Eric Yuan, usage for the video conferencing app has seen daily usage increases of up to 1900%. In December of 2019, the app, founded in 2011, saw daily usage of around 10 million users — fast forward a few months to March of 2020, and there were over 200 million users on any given day. 

Amid these changes, concerns about privacy and security have emerged, to which Zoom announced a 90-day moratorium where all engineering resources would be focused on safety and privacy issues. A revised policy on March 29 stated that data and content collected via Zoom would never be used for advertising. 

In addition, Yuan began a weekly webinar called “Ask Eric Anything” in order to “address security, privacy, data and any other concerns from Zoom users.” Yuan plans to hold these webinars for the next three months.

One of those concerns is Zoombombing, or online harassment through the takeover of virtual meetings by people with humorous or, in some cases, malicious intent. 

UC Davis has been using Zoom as a platform since at least 2016, according to university spokesperson Julia Ann Easley. 

“UC Davis was already using Zoom as part of a UC-wide contract that dates back a few years,” Easley said via email. “Zoom agreed to UC’s data security and privacy terms and conditions. Zoom is familiar to many people on campus, and was readily available for quickly increased use. These were, and still are, attractive qualities.”

Joshua Clover, a professor in the English department, bought his own personal Zoom account, which he shares with two of his colleagues, through which he administers lectures. Before classes moved to Zoom, he had fairly limited experience with the platform and said he was pleased with its functionality, given that he had struggled with Skype in the past. But when he found out that the university was implementing the platform on a larger scale, he did what he called “his due diligence” and researched the platform. 

“There’s always exportable data to summarize, [from] past statistics, right down to individual meetings and users and who used it [Zoom], and how and who’s an active and inactive user,” Clover said. “It’s built this way for admin. and corporations who are using Zoom to engage in this sort of surveillance for bosses to surveil employees to see who’s working as much as the boss wants to, and in the way that the boss wants to, which is to say it’s designed to be a disciplinary tool.”

For instructors who use Zoom as provided by the university, Clover sees their data being used by UC Davis in three different ways: to see if staff positions can be eliminated or folded into others, to support the idea that university courses work well online and to track student participation. 

Clover, who has been teaching at UC Davis for about 17 years, said he’s watched the UC system for a long time. To him, these data-driven outcomes complement the “future the university wants.” 

“To many of my colleagues, this seems like a movement where the university’s goal of moving courses online is an opportunity for them to push things forward, and that’s something that people need to push against hard,” he said.

 Despite characterizing Zoom as a platform designed “for business surveillance,” Clover said the choice to buy his own Zoom account was motivated by a desire to protect his students’ data — not necessarily his own.

“I don’t want the university […] sitting in my classroom, knowing what people are doing,” he said. “That’s my classroom. That’s not theirs. And the university absolutely belongs to students.”

The UC Davis College of Engineering implemented Zoom in 2017 and said it has taken advantage of newer features, such as digital signage and Zoom Rooms in common spaces, with other units on campus looking to the college as an example.

In light of Spring Quarter moving online, the College of Engineering decided to recommend — but not enforce — password protection of Zoom meetings through the first week of Spring Quarter instruction.

This recommendation was enforced by the College of Engineering and other colleges on April 7, with the College of Engineering providing responses via email through the university.

“The four colleges working alongside campus officials have restricted in-meeting annotation and made recommendations on in-meeting settings that can improve the privacy and security of Zoom meetings,” the college said, citing these recommendations as only allowing authenticated users to join meetings, disabling “join before host,” using a waiting room, limiting distribution of Zoom meeting details, locking a meeting once it has started and removing unwanted participants.

The College of Engineering has also offered training to inform instructors, teaching assistants and staff about best practices for securing and using Zoom. Each college has a single Zoom account where settings can be applied to all users, the college said.

“To ensure consistency across these accounts, the four colleges, Information and Educational Technology and campus security and privacy officials meet daily to identify priorities and changes that might need to be made,” it said. “We are striving to maintain our students’ privacy and security on Zoom to the best extent possible and are working together to ensure the latest guidance is implemented in our college instances of Zoom.”

Concerns about security were addressed by Chancellor Gary May in an campus-wide email sent out on April 10. May acknowledged that many were worried about Zoom’s security and linked to Zoom FAQs with recommendations for increasing privacy and security. He also shared a letter written by UC Davis Campus Privacy Officer Minming Wu Morri and UC Davis Information Security Officer Cheryl Washington.

“Know that unlike many K-12 users or private citizens who use free Zoom, your Zoom is protected by UC’s contractual data security and privacy terms and safeguards,” the letter reads. 

Morri and Washington said Zoom’s features make it one of the most accessible platforms for administering online education, citing Zoom’s low bandwidth connectivity, high user limits and ease of use, while continuing to urge caution.

“The UC Davis campus privacy, information security and unit information technology leads are monitoring Zoom’s developments,” the letter states. “While Zoom’s commitments are good, users should still exercise caution. No service has privacy and security measures that are foolproof, and no tech platform can rest on its laurels.”

In regards to online instruction, second-year human development and linguistics double major Jennilyn Taguiam said her classes on Zoom have gone pretty smoothly, save for a few technical difficulties, which surprises her. One of her linguistics professors, however, announced that there would be a new link and password for the class in light of Zoombombing. 

When Taguiam first heard of Zoombombing, she just associated it with TikTok and Twitter and did not think of it as a security risk. Her professor compared shutting down students’ breakout rooms on Zoom to barging into a meeting she wasn’t invited to, something that Taguiam found analogous to Zoombombing. 

On the topic of media coverage of large companies banning employees from using Zoom software on work devices, Taguiam said she has mixed feelings. On one hand, she said it is somewhat concerning to hear about well-known companies not using Zoom, but according to Taguiam, there is a difference between companies and their operations and online instruction for students.

“Both of these big end companies have things they really don’t want to be leaked,” Taguiam said. “So it’s understandable as to why NASA and Google, for example, banned it.” 

Still, some concerns remain. 

Third-year computer science major Zhekun Hu is the vice president of the UC Davis Cybersecurity Club, which hosts workshops and attends competitions to infiltrate and defend computer systems. Hu said Zoom has not been a topic of discussion for the club, in part because the risks posed by the service are “fairly within expectations” and due to the circumstances requiring its use.  

“Zoom has its fair share of issues, but personally, I believe that in these times, having a solution that works as reliably as Zoom outweighs the issues Zoom has,” Hu said via email. “Media pressure and scrutiny has compelled Zoom to respond and promise to focus more on security, and that is more than what a lot of other companies have done.”

Hu noted that it is much more difficult to censor sounds and images in real time, adding that the prevalence of Zoombombing in the news has caused a misconception that it is a security issue.

“Using passwords on meetings should be standard practice, and hosting any sort of public forum in an entirely virtual setting with little moderation […] is generally a terrible idea,” Hu said. “This has less to do with security and much more to do with people’s behavior on the internet.”

Although Hu commends Zoom’s promise to “shift their development towards securing their product,” he emphasizes that it is worth considering there may be pre-existing security flaws that are still undiscovered. 

“The Zoom scandal happened for a reason,” Hu said. “If the public is not vigilant and does not keep pressure on Zoom to secure their software, they might slip back to cutting investments in security and [consider] selling user data. As with most security-related scandals, the most effective driver for change is consumer behavior. And it is always necessary to pay attention to security-related issues in any software we use.”

Written by: Anjini Venugopal and Janelle Marie Salanga — features@theaggie.org