Norwegian version of this page

Is Zoom safe? UiO's head of IT security answers.

Recently, UiO started using Zoom for both digital teaching and video meetings, and the use of Zoom at UiO has seen tremendous growth in the past weeks. But with the use of new tools new questions arise. Here, UiO's head of IT security Espen Grøndahl answers the most important questions.

Is security in Zoom good enough?

Many have asked whether the security in Zoom is good enough, and some have pointed to previous security holes (CVE-2019-13450 and CVE-2019-13449). Both of these are fixed and there should be no known vulnerabilities in Zoom. IT security at Uninett and at USIT follow the situation closely.

Can unauthorized people get into meetings?

Access to meetings is controlled by the meeting ID number. It is included in the invitation to the meeting, and if the meeting ID is not shared with anyone other than the invited, you can be pretty sure that no one else will attend. If you want to be absolutely sure that the meeting is kept private, you can protect the meeting with a password.

In addition, the host and co-hosts can always choose to view a list of persons attending the meeting and disconnect any attendees who are not supposed to be there.

Can unauthorized people share inappropriate content in meetings?

At UiO, you take advantage of security settings made by the UiO central Zoom administrator. When you log in with your UiO username and password, you use a version of Zoom where, among other benefits, content sharing is locked to the host of the meeting and those the host delegates to. Thus, others cannot share content unless the host approves the sharing.

Can a lecturer make a recording I am in?

You decide wether you want to participate in meetings and lectures with video and/or audio, and a lecturer cannot record without informing the attendees of the recording in advance. If you do not want to be included in the recording, you can ask the lecturer questions in Zoom chat or by email.

Am I included in the recording if I am the one who starts it?

If you start the recording of a lecture or meeting, but do not say anything yourself, you will not be included in the recording.

Is it true that Zoom for iOS sends usage data to Facebook?

No, this is no longer the case. Update to the latest version of the iOS app and this will be fixed. See the article where Zoom regrets that this happened:  Zoom Removes Code That Sends Data to Facebook (vice.com).

What agreements does UiO have with Zoom?

At UiO, all students and staff have a license to use Zoom. To use Zoom with the full license, you must log in with your UiO username and password. This offers many benefits. You then have a full version of Zoom as opposed to the free version, and you take advantage of, among other things, security settings made by UiO's central Zoom administrator. It is important to note that UiO uses Zoom via Uninett as a subcontractor. This means that Zoom's general privacy policy does not apply to UiO, but we have a separate agreement that, among other things, restricts all use of personal data to what is necessary for the delivery of the service.

What about statutory privacy protection in Zoom?

IT security and IT law officers at UiO have thoroughly reviewed the agreements UiO has with Zoom through their subcontractor Uninett. In addition, separate guidelines for using Zoom for streaming and teaching at UiO have been developed, see Privacy when using Zoom for streaming and teaching at UiO.

UiO's installation of Zoom has been carefully reviewed and some features have been turned off or locked. Here are some examples of features that are turned off or locked:

  • Live streaming to Facebook/Youtube is turned off.
  • Functionality to auto-save chat is turned off.
  • Functionality for others to control your camera is turned off.
  • Sharing content is locked to the host of the meeting and those the host delegates to.

These, and several useful security settings, apply to you if you use the UiO version of Zoom, that is, if you log in with your UiO user name and password. All configuration is documented and all changes are approved by the UiO central Zoom administrator.

Published Apr. 1, 2020 11:15 AM - Last modified Apr. 1, 2020 11:15 AM