Zoom Security from the CSU Chancellor's Office

Posted on April 6, 2020

Dear CSU Colleagues:

As you know there’s been quite a bit of discussion both within the CSU and in the community at large related to Zoom. We’d like to offer our perspective on the real and perceived risks of Zoom.

Most CSU campuses have been using Zoom for several years now, and the overall degree of reliability, security, and user satisfaction has been high. With the rapid worldwide shift to remote learning and work, Zoom has had both unprecedented demand as well as heightened attention. On the plus side, Zoom has managed to scale within just a few weeks from serving about 10 million users a day to 200 million, with very few service or performance problems, and they deserve tremendous credit for this achievement. On the other side, the attention that they have received recently has exposed weaknesses and poor choices that had not been previously apparent, and that in some cases might have been addressed sooner.

Of these issues, the ease of entering a Zoom session – one of the reasons people like using it – has become a liability because of the rise of vandals entering and disrupting Zoom sessions, sometimes in extremely disturbing ways. Some students and faculty, including members of the CSU community, have been subject to actions ranging from merely obnoxious to highly threatening. We condemn these attacks, and we are working together with Zoom and with Zoom administrators and users across the system to provide tools and strategies to control who has access to a Zoom session so that we can reduce the risks of so-called “Zoom-bombing”.

The second set of issues that have been raised have to do with Zoom privacy and data security. Some of these issues, such as a data connection between Zoom and Facebook, have already been changed by Zoom based on the feedback they have received. We would point out that at least some of the issues apply to the use of the free version of Zoom; in the CSU, we have a contractual arrangement that personal data of any member of our community. We will continue to monitor this issue and advocate for the privacy of all CSU constituents.

Third, some have raised questions about the data security of Zoom. Based on our analysis, the risks posed by Zoom are similar to any software that we use – security errors get made, and when responsible companies are made aware of them, they address them. We do not believe that Zoom poses any special risks greater than other software that you use, and we note that Zoom has shifted their entire software development team to prioritize security over the next 90 days. While we can never say definitively that a piece of software poses no security risk, we believe that Zoom is a responsible company and that they are taking seriously the issues that have arisen under the heightened scrutiny they are currently facing.

Last, some have suggested that the ability to encrypt their sessions has been oversold by Zoom. While it was disappointing to learn that Zoom’s approach has weaknesses, we would point out that most of the tools we use to communicate on a regular basis – including email, phone calls, text messages, and learning management systems – have no encryption at all. Zoom’s encryption may be less than perfect, but we believe it offers a level of protection that’s more than adequate for most purposes we would make use of it in the CSU.

The move to remote instruction and remote work has been difficult and challenging, and at the same time we are all stressed by the need to stay at home, take care of our families, and deal with economic upheaval. On balance, as long as campus users have the information they need to use Zoom with appropriate safeguards, we don’t believe that it’s necessary for the CSU community to be concerned about communicating with Zoom. Most people have found Zoom to be a useful part of the solution for remote work and teaching, and our recommendation is that you continue using it, while being careful to apply good practices to protect your meeting from disruption. We will continue to work with your campuses as well as with Zoom to address issues as they arise, and if we identify something that would change our assessment, we will let you know.

Michael Berman, Chief Information Officer, CSU Chancellor’s Office
Ed Hudson, Chief Information Security Officer, CSU Chancellor’s Office