UC Berkeley Tips on Zoom Security and Privacy

UC Berkeley’s Zoom service may only be used for P3 (and below) data according to the Berkeley Data Classification Standard and may not be used to transmit or store P4 data including, but not limited to: Social Security numbers, financial account numbers, or export controlled data. Refer to the Data Classification Standard for a comprehensive list of P4 data types.

This applies to video and audio transmission of data in Zoom meetings, and storage of data via Zoom cloud recordings.

Zoom HIPAA accounts may only be used to transmit HIPAA data (e.g. telehealth sessions). Zoom HIPAA accounts may *NOT* be used to transmit other P4 data.

1. Keep Zoom Up-to-Date

Zoom continuously releases new and improved features for its application, so it is important that you have the latest version installed.

To update through the desktop-client:

  • Open the Zoom application on your system and select “Check for Updates…” from the zoom.us drop-down menu

To download and install new versions through the Zoom site:

Note: depending on how Zoom was initially installed on your device, an admin password may be needed to install updates. Contact ITCS at itcsshelp@berkeley.edu or your departmental IT staff for assistance if your system prompts you for admin credentials.

2. Prevent Zoom-bombing

Zoom-bombing is the term for when individuals “gate-crash” Zoom meetings. These uninvited guests share their screens to bombard real attendees with disturbing pornographic and/or violent imagery.

If you experience abuse while using Zoom, report it to: zoom-misuse@berkeley.edu.

2.1 Avoid Hosting Public Meetings

If you share your meeting link on social media or another public location (like a public bCal invite), anyone with the link can join your meeting. Here are some tips for when you need a public meeting space:

  • Do not use your Personal Meeting ID (PMI) to host public events. Your PMI is essentially one continuous meeting and people can pop in and out all the time. Learn about meeting IDs and how to generate a random meeting ID (at the 0:27 mark) in this video tutorial.
  • Familiarize yourself with Zoom’s settings and features. Understand how to protect your virtual space, e.g., use a Waiting Room (additional details on that below). The waiting room is a helpful feature for controlling attendees.
  • Password-protect your Zoom meetings. You can require not just the Meeting ID but also a password to join your Zoom meeting. You can require a password for new meetings, instant meetings, PMI meetings or even phone participants. You can also choose not to include the password in the meeting link.
  • Avoid ‘Join Before Host.’ The Join Before Host option allows meeting participants to join your meeting before you, as host, start the meeting. It is best that you join first so that you can see who is attending. If you must use the ‘Join Before Host’ option, you should assign a password to protect the meeting.

3. Manage Security Settings

Zoom’s security features, which had previously been accessed throughout the meeting menus, are now grouped together and found by clicking the Security icon in the meeting menu bar on the host’s interface.

[Image: Zoom security button]

You can also lock the Screen Share by default for all your meetings in your web settings.

[Image: Screen Sharing]

4. Manage your participants

4.1 Allow only signed-in users to join

If someone tries to join your event and isn’t logged into Zoom with the email they were invited through, they will receive this message:

[Image: Denied Screen]

UC Berkeley’s Zoom instance has been configured to allow authenticated *.berkeley.edu users to join when this setting is selected.

4.2 Lock the meeting:

When you lock a Zoom Meeting after it has started, no new participants can join, even if they have the meeting ID and password (if you have required one). This setting can be found via the security icon in the settings bar.

4.3 Set a password: 

Meetings and webinars can require passwords for an added layer of security. Passwords can be set at the individual meeting level or enabled at the user, group, or account level for all meetings and webinars.

4.4 Remove unwanted or disruptive participants:

From the Participants menu, hover over a participant’s name, and several options will appear, including Remove.

  • When you do remove someone, they can’t rejoin the meeting. But you can toggle your settings to allow removed participants to rejoin, in case you remove the wrong person.
  • Alternatively, you can put each participant on a temporary hold, including the attendees’ video and audio connections. Click on someone’s video thumbnail and select Start Attendee On Hold to activate this feature. Click Take Off Hold in the Participants list if/when you’re ready to have them back.
  • Hosts can turn a participant’s video off. This allows hosts to block unwanted, distracting, or inappropriate gestures on video.
  • Hosts can mute/unmute individual participants or all of them at once. Hosts can block unwanted, distracting, or inappropriate noise from other participants. You can also enable Mute Upon Entry in your settings to keep the noise down in large meetings.

4.5 Turn off file transfer: 

In-meeting file transfer allows people to share files through the in-meeting chat. Turn this off to keep the chat from getting unwanted content.

4.6 Turn off annotation: 

You and your attendees can doodle and mark up content together using annotations during screen share. You can disable the annotation feature in your Zoom settings to prevent people from using it.

4.7 Disable private chat: 

Zoom has in-meeting chat for everyone, or participants can message each other privately. Restrict participants’ ability to chat with each other during your meeting. This prevents anyone from getting messages during the meeting.

4.8 Use a Waiting Room:

When attendees join a meeting, place them in a waiting room and require the host to admit them individually. Enabling the waiting room automatically disables the setting for allowing attendees to join before host.

Meeting hosts can customize Waiting Room settings for additional control, and you can even personalize the message people see when they hit the Waiting Room so they know they’re in the right spot.

5. Secure Zoom Recordings

On occasion, you may need to record the audio and/or video of a Zoom meeting to share with others. It’s important that these files are stored appropriately according to the protection level of the data captured in the recording.

5.1 Local Recordings

The UC Berkeley Zoom team recommends using local recordings by default. Local recordings are the most cost-effective and afford you the most flexibility afterwards.

Enabling local recordings:

You can enable local recordings and configure settings by signing into the Zoom web portal. See the “For your own use” section in the linked support article.

Sharing local recordings:

Local recordings may be uploaded and shared using the following campus collaboration tools:

NOTE: When using these collaboration tools, you may only store and share Zoom recordings containing P1, P2, or P3 data according to the Berkeley Data Classification Standard.

5.2 Cloud Recordings

The only time you may want to consider using the “Record to the Cloud” option is if you want to temporarily (90 days) make recordings available to others to download or stream directly from the Zoom Cloud. Cloud recordings auto-delete after 90 days. If you use cloud recordings you must secure them (see instructions below).

Recording to the cloud: Read this support article on how to record to the Zoom Cloud.

Note: Zoom Cloud recordings may be found by others due to the default naming conventions Zoom uses.

5.2.1 Enabling authentication options:

To prevent your cloud recordings from being discovered publicly, you must enable the “Only authenticated users can view cloud recordings” option under your user/account “Recordings” settings.

Once authentication options are enabled (via the blue toggle button), there are two ways to control who has access to your cloud recordings:

  1. UC Berkeley Domain — use if all users in the *.berkeley.edu domain should have access to your cloud recordings
  2. Signed-in users in my account — use if only you, the account holder, should have access to your cloud recordings

5.2.2 Password-protection of cloud recordings:

“Require password to access shared cloud recordings” is the default setting on all accounts. This means password protection will be enforced for shared cloud recordings. A random password will be generated which can be modified by the account holder. This setting has been automatically applied to recordings made after Apr. 12, 2020.

If your account has the “Only authenticated users can view cloud recordings” option activated, the viewer will be asked to log in with both a CalNet ID and the recording password. You can turn off the “authenticated” feature on individual recordings and activate the password protection; the viewer will then not have to log in with a CalNet ID but will need to enter the password.

Be aware: Although you can turn off the “Require Password” and “Only authenticated users can view cloud recordings” options, doing so leaves the recordings unsecured and makes them publicly accessible. We recommend using one or both options unless your recording is intended for public use.

Source: https://security.berkeley.edu/resources/cybersecurity-and-covid-19/settings-securing-zoom

