Security with Zoom – Overview
During the coronavirus-related lockdowns, Zoom’s use exploded. In December 2019 they had 10 million daily participants. By April 2020 this had risen to 300 million! In those early days there were some concerns about Zoom and security. Most of the issues got sorted. However …
While it is highly unlikely any of us will get run over or be at a public venue with a major fire, we must still teach “road sense” and tell people where fire exits are.
Similarly, we should be aware of the risks of holding online events, and know what to do in the very unlikely event we need to deal with a disruption.
If you read one section here, read this one on handling disruptions
Is Zoom “safe” to use?
No video platform (or “user facing” service) is 100% secure – just as no house, bank etc can ever be 100% secure. What you can do is understand the risks, understand what measures are available, and then choose the ones that suit your balance between risk level and resources spent.
Generally Zoom has been quick to deal with the issues that have arisen. As far as I can make out, the majority of reviewers on the Internet believe that Zoom is doing its best and it is fine to use Zoom for non-sensitive meetings. If you’re discussing state or corporate secrets, or disclosing personal health information to patients, or for any other reason need your communication to be private and secure, you should look for a more secure (and likely less feature-rich) video meeting program.
What can you do about the risks?
- Keep your Zoom updated
- Be aware of Phishing
- Understand and set relevant Zoom security settings
- Do not share your Personal Meeting ID (PMI)
- Use Passwords
- Avoid sending out links with the ID and password combined
- Use the Waiting room
- Know how to …
- Lock a meeting
- Remove people or put them on Hold
- Disable someone’s video
- Mute someone
- Limit screen sharing to the Host
- Turn off Annotation
- Disable private Chat
- Understand that you CANNOT stop people taking screenshots or Recording meetings
One of the important steps you can take is to make sure you keep any installed version of the Zoom mobile or desktop app up to date.
Zoom provides a pop-up notification when there is a new mandatory or optional update within 24 hours of logging in (see example …)
You can also check for updates any time from your Zoom App/program on your device …
With Zoom being so popular, more and more people focus on it to find its vulnerabilities. By installing the latest updates as they are released, you will be protected from the vulnerabilities that have been discovered and fixed.
If you are prompted to update your Zoom client, install the update. And consider encouraging your participants to do the same (in your advertising, in your invites and/or in your calls).
However, be aware of Phishing (see next topic).
Watch out for Phishing – emails that purport to be and look as if they are from Zoom – but aren’t.
This might be about updating Zoom or even an invite to a meeting that you weren’t expecting.
Basic rules for ANY phishing possibility
If you receive something
- by EMAIL
- by TEXT message or WhatsApp etc
- by POST
- by PHONE
- even face-to-face on your doorstep
ASSUME that it is not safe or legitimate – do NOT act on it! Put it to one side.
And then …
- Go to that organisation’s website (using any saved link you have) OR look up that organisation’s website (or phone number) using the internet. Search engines like Google Chrome, Safari etc. (generally) do not include false/fake websites. So you can trust you’re going to a legitimate website.
- And, if relevant, log into your account
- And look for the information you were told about OR call them and ask about it
The settings you use are (obviously) dependent upon the meeting you’re holding
Acknowledgement: the tips in this section are from an excellent article in a set of excellent articles IT @ Cornell – Checklist: Keep Your Zoom Meeting Secure
Set Security Defaults for All Your Meetings
Make sure the following are Off
- Participants video (see note below)
- Join before host
- Remote control
- Allow removed participants to rejoin
- Use Personal Meeting ID (PMI) when scheduling a meeting
Make sure the following are On
- Mute participants upon entry
- Allow host to put attendee on hold
- Screen sharing, with Host Only selected
- Waiting room
When Scheduling an Individual Meeting
(Participants will join with their video turned off until they turn it on)
- Enable join before host
(No one, other than alternate hosts or co-hosts, can join before you do)
- Mute participants upon entry
(Participants will join with their microphone muted until they unmute)
- Enable waiting room
(You decide who comes in)
After Launching the Meeting
- In the Zoom window toolbar, click Participants.
- At the bottom of the Participants pane, select More, then uncheck Allow Participants to Rename Themselves.
You can control the security of your Zoom meeting by choosing options. Some can be set as the default for all meetings you schedule, some can be chosen when you are scheduling a specific meeting, and some can be used while the meeting is in progress.
User vs Account Settings
Most of us will be using Zoom at the User level.
However, organisations may have a paid Zoom account with a number of users associated.
“Account level settings” set the defaults for ALL users within that account. This makes it easier to manage a lot of Zoom meetings being run within an organisation. Individual Users can then change the odd setting if they want to for any meetings they are responsible for.
Note: if a user does not have their own ‘paid’ zoom account, they will not have access to any ‘Paid’ features through their organisation.
User level Settings – https://zoom.us/profile/setting
Account level Settings – https://zoom.us/account/setting (not available for Free accounts).
USER and ACCOUNT level Settings (as of July 2020)
Note: If you haven’t “locked” the controls in the top-level account settings (the little padlock next to each feature in account settings online) then it doesn’t override any user level settings that might be different.
Each Zoom user is given a permanent ‘Personal Meeting ID’ (PMI) that is associated with their account.
Your PMI is basically one continuous meeting. If you give your PMI to someone else, they will always be able to check if there is a meeting in progress and, potentially, join it if there’s no password set.
So, instead of sharing your PMI, create new meetings each time.
Use a password for each meeting, unless you have a good reason not to. Zoom now has Passwords turned on by default.
Unless you send people an all-in-one link (with ID and password – more on this below), participants will be asked to enter the password to join the meeting. Those who don’t have the password won’t be able to join your meeting.
Make sure passwords are turned on in these places …
- your account settings (See the Settings topic above) to affect future events
- as well as in any future and/or recurring events you might already have (in which case you’ll need to let people know if this is a change)
Passwords are normally a 6 digit random number generated by Zoom – but you can create your own password with numbers and/or letters.
Do NOT put the password or a link to your meeting with the Password embedded onto the public internet. Consider sending the Password separately. More on this in the next topic of Invites
Probably the most important message about Zoom invites is to avoid posting the link in social media or on the web.
The easiest way to send out invites and for people to join a meeting is by using a link that people can click on that includes the password. However, generally, this is the least secure.
The parts of an invite
The link with meeting ID and password embedded
https://us02web.zoom.us/j/1234567890?pwd=N0JhYtFmolbGtBVS9WRnpLQT09 [this is not a real meeting or link]
The link with meeting ID – Password as “text”
https://us02web.zoom.us/j/1234567890 [this is not a real meeting or link]
Meeting ID and Password as “text”
Meeting ID: 123 4567 890
Which is “best”?
The “best” will depend on your audience, the sensitivity of the meeting and its content, knowledge/experience of your participants, the time involved for you and participants etc
Most secure / most work (for you and participants)
Send Meeting ID and Password as text – and in separate “messages”
Perhaps with a link to click here to Join a Meeting – where people can type the Meeting ID and Password in manually to join the meeting
Least secure / least work / easiest to join
Send a single link with Meeting ID and Password combined/embedded
- Use a password for all your meetings
- Avoid sending out a link with the ID and password combined (you can turn this off by default in your settings …)
- Avoid posting (or do NOT post) links and/or the Meeting ID AND Password on social media.
- If you send someone an invite by email, there is a small risk they will forward it to a few other people.
- If you post an invite on social media, it is easily “shared” far and wide and you lose all control over where it goes and who sees it.
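The difference between the invite forms above, as an added example that is not part of the original page: a Python sketch that reviews a draft post, removes the embedded "pwd" value from Zoom join links, and warns when a meeting link and a plain-text password share one message. The function names, the sample post and the 9 to 11 digit meeting ID pattern are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Password given as plain text, e.g. "Password: 123456" or "Passcode: abc123"
TEXT_PWD_RE = re.compile(r"\bpass(?:word|code)\s*:\s*\S+", re.IGNORECASE)


def split_join_link(url):
    """Return (meeting_id, has_password, password_free_url) for a Zoom
    join link, or None when the URL is not a zoom.us /j/ link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Only zoom.us and its subdomains count; "zoom.us.example.net" does not.
    if host != "zoom.us" and not host.endswith(".zoom.us"):
        return None
    match = re.fullmatch(r"/j/(\d{9,11})/?", parts.path)  # assumed ID length
    if match is None:
        return None
    query = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in query if k.lower() != "pwd"]
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return match.group(1), len(kept) != len(query), clean


def review_post(text):
    """Strip embedded passwords from Zoom links in a draft post and
    return (safer_text, warnings)."""
    warnings = []
    has_meeting_ref = False

    def fix(match):
        nonlocal has_meeting_ref
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)]")      # punctuation that followed the link
        info = split_join_link(url)
        if info is None:
            return raw                    # not a Zoom join link: leave untouched
        meeting_id, has_password, clean = info
        has_meeting_ref = True
        if has_password:
            warnings.append(f"meeting {meeting_id}: password embedded in link, removed")
        return clean + raw[len(url):]

    safer = URL_RE.sub(fix, text)
    if has_meeting_ref and TEXT_PWD_RE.search(safer):
        warnings.append("meeting link and password appear in the same message")
    return safer, warnings


# Constructed sample post, using the page's example (not real) meeting link.
DRAFT = ("Join us tonight: "
         "https://us02web.zoom.us/j/1234567890?pwd=N0JhYtFmolbGtBVS9WRnpLQT09. "
         "Agenda: https://example.org/agenda?pwd=keep")

if __name__ == "__main__":
    safer_text, notes = review_post(DRAFT)
    print(safer_text)
    for note in notes:
        print("WARNING:", note)
```

With the password removed from the link, participants are asked to type it when they join, so it still has to reach them in a separate message.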
Registering people in advance massively reduces the likelihood of trolls.
However, every participant needs to have:
- signed up to Zoom (i.e. registered with their email address and created a password)
- and let you have that email address (if they have more than one email address, you need the one they signed up to Zoom with)
This is the most secure way of holding a meeting, but perhaps the most impractical for most of us.
It can work well for events that people register for and/or attend regularly – like school or college classes.
In terms of security the Waiting Room lets the Host and Co-Hosts control who is allowed into a meeting (and when).
Letting people in before the meeting starts
Zoom lets participants get into a meeting with or without the Host being present.
Small groups sometimes like this option because they can have a few minutes to talk before the meeting officially kicks off.
- Enable Join before Host
- Either Enable Waiting room and you or co-host admit people as they arrive OR Disable Waiting room (less secure)
The Waiting Room
- The Host and co-hosts can admit attendees one-by-one or all at once.
- The Host and co-hosts can send a message to everyone in the Waiting room (using Chat and selecting Everyone in Waiting Room)
- The Host can turn off the Waiting Room at any point (to avoid having to let latecomers in one-by-one).
- Have a co-host manage this for you.
- Make sure this is enabled in your account settings (should be by default). Then, for each event you can turn it on/off either when you set up an event or before it starts (in Advanced Options).
- You can add your own message and banner onto the Waiting Room
TIP: one way to use the Waiting Room
- Via the ‘Security’ button – ‘enable Waiting Room’
- Use the “Admit all” when it is time to start the main meeting
- Have a co-host Admit late-comers
- OR Turn off the Waiting room so anyone is free to join
TIP: If you have co-hosts, facilitators, speaker(s) at a meeting
- Enable Waiting Room
- Ask co-hosts, facilitators, speaker(s) to join x minutes before the meeting starts for a pre-meeting chat
- Admit those people first
- Have your pre-meeting meeting
- Admit the rest of the participants when it is time to start the main meeting proper
The security button in your Main Menu (at the bottom of the screen) gives you the most important options …
Ensure that all hosts and co-hosts know how to use these features. You should be prepared – just as people need to know about Fire Exits, even though you’re unlikely to experience a fire in a meeting venue.
Suspend Participant Activities – the “Sledgehammer”!
This is the first option to go to in the event of anything major – e.g. abusive audio / video / screen sharing. It shuts down a meeting completely (all video and audio switched off), without actually ending it. See the next section for details of how this works.
Find this at the bottom of the Participants list …
Handling one participant – mute, stop video, remove etc
If you want to do something with just one participant (e.g. mute, remove, chat with) there are three main ways:
- Right-click on their image/video (not all devices support this)
- Click on their image/video and then click on the Blue button with three dots
- Go to list of Participants, hover over or click on their name – choose ‘More >’
There are also other ways depending on what you’re doing – e.g. if you want to send them a Chat (and they have already added a Chat) click on their name in the Chat box.
Controlling who is in the meeting
Remove people or put them in the Waiting Room
Use one of the three options listed above and then click ‘Remove’ or ‘Put in Waiting Room’
If you put a participant back into the Waiting Room, they will see a screen telling them that they are “in Waiting room” and they will have no audio or video of the meeting.
Using ‘Remove’ will remove them from this meeting AND stop them re-joining it. However, they will still be able to join future meetings (including this one, if it is a ‘recurring’ meeting and/or is run again). If you use this by mistake, there is a way of allowing them back in (sign in to Zoom via the web – Settings – Meeting – In-Meeting (Basic) – Allow removed participants to rejoin).
Lock the meeting
At any point, you can prevent any new participants from joining a meeting, even if they have the password.
Limit screen sharing to the Host (and co-hosts)
Either use the ‘Security’ button and turn ‘Screen Share’ on or off, or click the up arrow next to “Share Screen”, then click “Advanced Sharing Options”.
Under “Who can share?” select “Only Host” to make sure the meeting Host and co-hosts are the only participants who can share their screen.
You can also set this in your account settings …
Turn off access to Whiteboard
You can disable Chat completely or just Private Chat – that is chat between individual participants – so people can only chat with the whole room
It is important to remember that any user can download their chat logs (or simply copy and paste) before leaving a meeting. These logs will only contain messages that you could see, but not the private chat messages of other users.
This is people joining your event and sharing unwanted content with the group – from their own personal messages to pornographic / offensive images.
Most people are highly unlikely to experience Zoom-bombing or an abusive disruption. It happens very rarely, not least because of the huge number of events being held! However, the risks do increase if you are dealing with controversial issues and/or you publicise the Zoom link freely on social media (which is not recommended).
So you should be prepared – just as people need to know about Fire Exits – even though you’re unlikely to experience a fire in a meeting venue.
Employing Zoom’s “Panic button” and “Bouncer”
It is quite hard (if not impossible) to make sure you only allow people into your meeting who are “safe”. The best thing you can do is know how to remove someone if they are being disruptive. So think of the Remove feature as your “bouncer” – not on the door allowing people in, but available to kick people out if needed.
However, it’s not always easy or quick to identify which participant is the one being disruptive in order to remove them. Which is why, especially if the disruption is openly aggressive or abusive, we recommend considering the Zoom “Panic Button” …
Suspend Participant Activities
This allows you to quickly control or “shut down” the meeting – without having to actually end it.
Click on ‘Security’ button and then ‘Suspend Participant Activities’ …
You will see this …
and don’t waste time unticking ‘Report to Zoom’ (circled in red above). You can cancel this on the next screen, if necessary.
Everyone’s video and audio will be turned off, screen sharing will stop and the meeting will be locked.
If you want to report this to Zoom, there will be a screenshot, taken just before everyone’s videos were turned off.
If you don’t want to report this to Zoom simply click ‘Don’t report’
This is what gets shut down …
- Lock Meeting: no one else can gain entry
- Enable Waiting Room: second level of security and you can place people into it
- Hide Profile Pictures: these are normally displayed when a participant turns off their video. They could contain an image you don’t want people to see.
And no participant (except for Host and Co-hosts) can Share their Screen, Chat with anyone, Rename or Unmute themselves or Start their Video … until you allow them to.
In your own time, you can then unmute yourself (so people can hear you), turn your video back on (so people can see you), speak to the meeting and decide what steps to take next.
If the meeting does experience an abusive visitor read our section below “If Zoombombing Abuse Does Occur”.
One of the most important things to remember is that a Host can record a Zoom session, including the video and audio, to their computer. Therefore, be careful saying or physically ‘revealing’ anything that you would not want someone else to potentially see or know about.
Meeting participants will know when a meeting is being recorded as there will be a ‘Recording…’ indicator displayed in the top left of the meeting.
You cannot stop people taking screenshots of or recording your meetings
There are three ways people can record a Zoom meeting and you can’t do anything about the last two
- Using the Zoom “Record” button
- Using a program on their computer that records everything on their screen (which will include the Zoom meeting)
- Using a camera pointed at the computer
A similar situation exists, of course, for people taking screenshots/pictures.
Therefore, always assume that you may be recorded and act accordingly.
If you record a meeting, be wary of uploading it to a shared platform, such as an information-sharing cloud that is open to other parties, particularly if it can be easily “shared” with other people.
Be aware that you are unlikely to experience Zoombombing. The risks will increase if you are dealing in controversial issues and/or you publicise the Zoom link freely on social media (not recommended).
Make sure you know how to lock a meeting down fast – see section above on “Handling a Major Disruption”
Acknowledgement: this section is from an excellent article in a set of excellent articles IT @ Cornell – Keep Zoom Meetings Private and Reduce the Odds of Zoombombing
You should be aware of the emotional impact online abuse can have. Imagery that shows the violation of basic human rights (of adults or children) or targets a community is deeply troubling and can be traumatizing. Re-traumatization of victims of sexual violence, assault, or discrimination is also possible. There is also a risk of inappropriate exposure to children who are in the home environment of the remote worker. If an event is intended for a child audience, consider recording the program instead of having it live.
If online abuse does occur (regardless of audience), do not pretend that it didn’t and power through the meeting – or even advise participants simply to look away.
End the meeting.
Then, follow up with the participants to:
- apologize for the abrupt ending;
- indicate what steps are being taken to prevent reoccurrence;
- express care and concern for the participants; and
- offer mental health resources that are available
My additional thoughts
On the meeting, acknowledge what has just happened and the seriousness of it.
Consider allowing people the space to express themselves – however, be aware that if the interruption was very serious, you may not be skilled or qualified to do this and may cause more trauma or escalate it.
Report the incident to Zoom
This short guide is meant to help anyone working in sensitive fields (such as political groups, journalists, or activists) or with marginalised groups better prepare/safeguard themselves and their online activities while using video conferencing software, especially the Zoom platform.