Q&A Related to the Use of Zoom for Online Teaching and Learning

The following list contains user questions concerning the use of Zoom for teaching and learning purposes and corresponding answers provided by CityU’s Information Security Unit.


 

Q:    User account credentials (e.g. passwords, Meeting IDs, etc.) have been posted on the dark web for sale: https://www.thestar.com.my/tech/tech-news/2020/04/08/hackers-post-hundreds-of-verified-zoom-accounts-on-dark-web

A:    This is an issue for virtually all major software used online and not necessarily a security flaw, but a sign of hackers working hard to steal user accounts via various means (e.g., “credential stuffing”).  Please search for instance  

 

Q:    Recent research and reports state that Zoom has many serious security and privacy problems, including leaks of user information and misuse of data. Zoom also does not support end-to-end encryption for video and audio content despite its claim to offer "end-to-end encryption for all meetings". Research has found potential privacy problems in Zoom, which have been widely reported by the media (e.g. https://research.checkpoint.com/2020/zoom-zoom-we-are-watching-you/).

A:    CityU is of course well aware that Zoom had several security issues and we have been closely monitoring the changes made to Zoom in the previous weeks. We urge our CityU users to update their Zoom clients accordingly. Read your CAP messages, please!

Any video conferencing provider that carries out operations on the video signal such as compression or decompression likely needs to do this on non-encrypted data. Further detail on Zoom’s encryption can be found here https://support.zoom.us/hc/en-us/articles/201362723-Encryption-for-Meetings.

To note, CityU has from the beginning implemented its Zoom application much more securely than other institutions in Hong Kong or elsewhere, thereby avoiding many of the issues reported in the media.

 

Q:    Google has already banned the use of Zoom: https://www.reuters.com/article/us-google-zoom/google-bans-zoom-software-from-employee-laptops-idUSKCN21Q32V

A:    We do not know what drove Google’s decision making about Zoom. Google is also a competitor of Zoom.  So it may be a strategic decision not to use the software offered by a competitor.

 

Q:    Zoom CEO admits that encrypted keys were being processed through China's server even when all the participants in the meeting were abroad: https://www.techtimes.com/articles/248694/20200408/zoom-ceo-eric-yuan-aplogizes-to-the-public-and-its-users-for-security-problems-in-a-live-youtube-stream.htm

A:    Most of CityU’s users are in China with many being located on the mainland right now. We use the mainland Chinese servers to connect to them. We are not sure what the question means by [encrypted keys], but are aware that Zoom offers encryption to improve data security. https://zoom.us/docs/doc/Zoom%20Encryption%20Whitepaper.pdf

Note also that Zoom issued a blog post stating that the routing through China was a mistake, which was addressed immediately by properly enforcing geo-fencing for backup servers during sudden usage bursts. https://blog.zoom.us/wordpress/2020/04/13/coming-april-18-control-your-zoom-data-routing/

 

Q:    New York City forbids schools from using Zoom: https://chalkbeat.org/posts/ny/2020/04/04/nyc-forbids-schools-from-using-zoom-for-remote-learning-after-privacy-concerns-emerge/

A:    Sadly, many schools in the US and elsewhere (even in Hong Kong) were using the free version of Zoom, which offers limited privacy protections to users. Essentially, users trade some of their personal information for free access to the software services, just as Facebook, WhatsApp, Pinterest, or WeChat users do. If users do not pay money for the service, they pay by giving their information away. In short, users who are concerned about their privacy should carefully consider the use of ANY commercial social media, messaging, or email software that is offered “free”.

CityU obviously does not operate this way. We use an enterprise solution of Zoom, MS Outlook, and other software at significant cost to the university, but with protections for our students and staff.  

 

Q:    Anyone can "bomb" a public Zoom meeting if they know the meeting number, and then use the file-share photo to post shocking images or make annoying sounds in the audio: https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic

A:    Organisations that use public Zoom meetings create security risks for their users. CityU online course sessions are not public (i.e., open to anyone) but require user identification and authentication.

 

Q:    Leaks of email addresses and profile photos: https://www.tomsguide.com/news/zoom-may-be-leaking-your-email-address-what-to-do-now

A:    The problem was found on 31 March 2020 and fixed by Zoom on 1 April 2020. The function was entirely removed by Zoom on 10 April 2020 to further contain the risk.

 

Q:    Hong Kong University has recently stopped using Zoom and started to use Microsoft Teams for online classes, even though the semester is nearly at its end. Will the school continue to use Zoom in the future, and why?

A:    This is by now an old and somewhat outdated story, as Zoom has made three significant revisions to its software since the emergence of security flaws that were reported in the press. 

CityU has stopped using all older versions of Zoom and has adopted the newest software release. We have reminded all CityU users to replace their Zoom clients with the most updated version of Zoom.

We do not comment on the software choice by other institutions and may or may not agree with their choices.  CityU’s implementation of Zoom has been from the start significantly more secure than that of many other institutions.

 

Q:    Why did CSC choose Zoom in the first place when there are so many alternatives?

A:    CSC was not the final decision maker in this process, but CSC carefully evaluated several software products for their use in interactive online learning. Few videoconferencing products were able to integrate tightly with CityU’s Canvas learning management system (so as to provide needed security) while also offering enterprise-level performance and worldwide availability. Only two solutions fulfilled all criteria, with Zoom providing better connectivity in areas with insufficient Internet.

 

Q:    Will the school consider switching to another platform in response to serious privacy and security issues of Zoom?

A:    We keep monitoring the situation carefully to provide CityU’s user community with a safe and effective computing experience. Many software products can create security issues. (For instance, Windows 7 is still used by many, although Microsoft will not provide any further patches to address security issues.) CityU has no intention to switch to an alternative video conferencing solution for teaching and learning at this time.

 

Q:    Will the school provide any guidelines on using online teaching platforms for students and teachers to protect their privacy and security?

A:    This website serves to inform CityU users about Zoom-related security issues. Users are also asked to carefully read CityU CAP messages related to information security and to follow their guidance.

For further information on Zoom security, see also https://zoom.us/docs/en-us/privacy-and-security.html

The Office of the Provost has provided guidelines to teaching staff and their academic units concerning final examinations and has issued a guidance note for students. Individual units or staff may issue additional guidance depending on their unique examination situation.

 

Hong Kong, April 28, 2020