Several concerns have been expressed regarding the privacy and security of using Zoom for campus meetings and online classroom instruction. This statement has been prepared to address these concerns. The major privacy questions expressed include:
1. Does Zoom sell or share our data?
2. Does Zoom meet our privacy and security standards?
3. Does Zoom protect personal information and recordings?
4. Should we be concerned with Zoom-bombing?
Findings and Recommendations
Does Zoom sell or share our data?
Does Zoom meet our privacy and security standards?
Zoom appears to meet BYU privacy standards, including FERPA and GDPR requirements:
FERPA: It is acceptable for students to see other students and share their personal information in a Zoom meeting. Students do not need to provide consent if the meeting is recorded, as long as the recording is not shared outside the classroom environment. If recordings are shared outside the classroom environment, faculty need to obtain student consent, as these recordings are considered education records and the FERPA rules for disclosure apply.
Although Zoom displays a notification when a meeting is recorded, the meeting host should also inform the participants when the meeting begins. Zoom recordings for classroom instruction should be retained for one year after the end of the semester, if needed, to document class participation when participation contributes to the grade, or if needed by the student to complete an incomplete grade.
Does Zoom protect personal information and recordings?
Privacy requires that personal information is adequately protected against unauthorized access or use. Zoom meets BYU security standards for the protection of personal information, including the encryption of Zoom meetings during transmission and requiring two-factor authentication, using Duo, to obtain access to the system.
Zoom is actively addressing security issues and vulnerabilities and the CES SOC will continue to closely monitor this work.
Should we be concerned with Zoom-bombing?
Zoom-bombing can be controlled with appropriate Zoom meeting settings. It is recommended that current BYU default settings be set in Zoom meetings to protect the privacy and security of our Zoom meetings. To prevent Zoom-bombing, hosts should avoid sharing the meeting link or password publicly or record meetings where sensitive information may be discussed. The host should also apply the following configuration settings:
1. Require a meeting password.
2. Use the automatically generated Meeting ID. Do not use your Personal Meeting ID.
3. Use the waiting room option, when appropriate, to monitor and admit users to the meeting.
Specific instructions on how to safeguard Zoom meetings can be read in our article Protect Your Zoom Meeting from Zoom-Bombings .