Update on Zoom Privacy Concerns

While Zoom is a powerful conferencing tool that offers excellent usability and rich features, recent press coverage has identified concerns about the platform’s privacy and security.

Given Columbia’s recent expansion of Zoom use, CUIT has taken steps to further examine our relationship with Zoom and the settings we can control, and to test the claims raised by the media in our own Zoom use. Here are the mitigations Columbia University has in place to address the concerns raised:

CUIT has updated the default setting to password-protect all Columbia Zoom meetings as of April 3, 2020. Additionally, with assistance from the Center for Teaching and Learning (CTL), CUIT has published guidance on how to moderate meeting participants. Using passwords and following the controls’ guidance will dramatically reduce the possibility of Zoombombing and allow our classroom and video conferencing sessions to run as smoothly as possible.

Columbia’s contract with Zoom provides that Zoom does not own any meeting content, streaming or otherwise, and that Zoom is not permitted to sell Columbia’s data.

Zoom has indicated that there was a period of time where sessions could have been routed to servers in datacenter locations outside of the country, and that this was an unintended consequence of their rapid scaling for the unexpected growth in utilization. Zoom has stated they have corrected the issue and we can expect our traffic to be routed to US servers. CUIT has been performing tests during various times of day to validate Zoom’s claim that all sessions will now connect only to US servers. This is an ongoing effort and we will report to Zoom any issues or exceptions that we discover.

Some media reports have raised concerns about Zoom’s encryption scheme being substandard. CUIT has performed initial investigations and discussed the topic with a distinguished member of the Computer Science department, Dr. Steven Bellovin. Based on this research and analysis, CUIT believes that Zoom’s encryption methodology does not present a significant risk to Columbia’s communications infrastructure that is different from the use of other technology such as phone calls. Our students and administrators can be confident that their discussions using Zoom (public, private, or confidential) are as secure as any phone call so long as they follow the practices outlined on the “controls to use” portion of CUIT’s Zoom webpage and always utilize the latest version of the Zoom client. Dr. Bellovin’s blog post on Zoom security provides an extensive exploration of this issue.

Zoom encrypts the data streams between their server and your workstation. Like any website that uses encryption technology, the vendor’s server can decrypt the stream for appropriate processing. By way of Columbia’s contract, Zoom cannot use, sell, or retransmit to a third party any of the University’s meeting content (streaming or otherwise, encrypted or unencrypted) without consent. This encryption architecture, in conjunction with our contractual arrangement, satisfies the highest standards of privacy required at our University for our communications infrastructure.

As always, CUIT remains committed to the safety and security of the Columbia community and will not stop improving our environment even in this difficult time. Should our testing results or new credible information regarding any of our vendors become available, we will take the appropriate steps to mitigate any new risks.