Zoom: Is it safe for schools?

A viral solution in the midst of a viral epidemic.

This post is part of a series of articles, blog posts, and short briefs produced by EXPLO Elevate focused on supporting schools’ virtual learning during the COVID-19 pandemic.

By Mark Greenlaw 

Mark Greenlaw is the Executive Director of EXPLO Elevate. Earlier in his career, Mark held leadership positions in the technology industry, including global Chief Information Officer for the multinational technology services company, Cognizant, and Vice President of Strategy and Impact at FIRST robotics.


When schools across the world were suddenly forced into distance learning due to the coronavirus pandemic, educators everywhere flocked to a number of different video-conferencing and content sharing platforms, such as Zoom, Google Hangouts, GoToMeeting, Webex, and BlueJeans Network. Schools value these tools since they allow for direct interaction with students, enabling synchronous work, seeing students faces, and creating community by bringing a class or a club together virtually.


Zoom, which has been a favorite platform in the corporate and non-profit world for a number of years, quickly became the tool of choice for many schools, in part due to its ease-of-use, the fact that many schools already used it for administrative calls, and because Zoom offered it free to educators during the pandemic. Zoom usage skyrocketed across a multitude of communities: teachers began using it for distance learning, churches for services, families to stay connected, and Zoom cocktail hours and birthday parties began popping up all over the place.  Zoom’s stock price tripled, and it became everyone’s darling. At Exploration Learning, having used nearly all these video conferencing platforms, we’ve found Zoom to be the most reliable and easy-to-use – and we are clearly not alone, which is why the product commands a 39% market share, according to one report. In fact, we use Zoom heavily in each division of our organization.


With this massive spike in usage and attention, the infatuation with Zoom suddenly started to wane.  Reports of “Zoombombing” – a term used to describe when an unwanted participant joins and disrupts the call – began to surface. Privacy issues sprung up when it was reported that Zoom user information on the iOS platform was being shared with Facebook. And with the global surge of users, hackers began to look for ways to exploit the service, and successfully found a number of security flaws. Hackers tend to spend their time trying to break into things that are used broadly, so in a sense, Zoom’s success led to this unwanted attention and scrutiny by bad actors..


The press started learning of these issues and articles began to appear in the New York Times, CNET, and other tech publications about these security flaws. Then the NY City Department of Education banned Zoom, as did several companies in the corporate world. Zoom’s CEO, Eric Yuan, attempted to respond to these concerns, but made several missteps.  The company is now doing better at addressing these worries, but school leaders have been asking us: “Is it safe to use Zoom?”

Risk vs. Reward

As is often the case in weighing uncertainties around information security, it comes down to analyzing the trade-off between risk and reward. As a former Chief Information Officer at a multinational corporation, I frequently had to assess the security risks of software, balancing the concerns of my knowledgeable and risk-averse information security staff with the needs of the organization.  After conducting deeper research on the challenges facing Zoom and other platforms, and talking to several IT leaders in our network, we want to share our take on this issue.


First, we need to acknowledge that there were and still continue to be flaws in Zoom’s security and privacy stance. They have moved quickly to make numerous changes to the platform, and recently announced a freeze on all new non-security related changes to the platform so they can exclusively focus on the security issues.  They’ve already addressed two of the biggest issues: first, all meetings now default to requiring a password. This prevents hackers and pranksters from finding the meeting ID, or guessing at it, and joining without permission with an intent to hijack the meeting or steal information – this is known as Zoombombing.  Second, they’ve removed the meeting ID from the meeting window. Many people were capturing screen images of meetings and sharing on social media, and with knowledge of the meeting ID, hackers could use the screenshot to disrupt the meeting.


But several other issues still exist. Some claim Zoom is sharing and selling information about its users. Its CEO has denied this accusation, but oddly their privacy policy does not explicitly state they will not share user data. Second, Zoom is using a lower encryption level (AES-128 encryption vs AES-256) than initially disclosed for a portion of the information it transports. This is mainly important to those in industries such as defense or financial services who are communicating high-value information. Finally, the way the Zoom installer works circumvents some of the normal security controls on Windows and Mac computers. It is reported that this may create an opening for hackers to hijack a user’s computer.

Should Schools Stop Using Zoom?

Given these issues, should a school stop using Zoom? In our view, each organization needs to balance the risk with reward. Many technologies we use have inherent risk. Email is one of the best examples. One of the most likely ways a hacker can compromise your network or steal your private information is through a spoofed email. They send a nefarious link that encourages the user to sign-into a false site, enabling the hacker to steal your credentials to breach your account (called phishing). And if you use the same username and password across many accounts, the hacker may gain access to all these. Despite widespread use of tools and training in organizations to prevent breeches, they happen regularly in many organizations.  Yet we still use email, because the benefits outweigh the risk.


In the case of Zoom, if your organization was a user prior to the pandemic, or you had no other platform and quickly adopted Zoom, it likely makes sense to stay with it. If you follow established Zoom best practices, as identified below, the likelihood that someone will hack your computer via Zoom or tap into one of your calls is extremely low. 


We are not alone in this view. Brian Feldmen wrote in a New York magazine article, “The documented security flaws of Zoom would require a high level of targeting and precision to fully exploit. This isn’t the sort of lax security that could lead to catastrophic widespread data leakage; it’s the sort of lax security that leaves high-value individual targets vulnerable.” 


Those in an industry or organization where highly sensitive and valuable information is being shared (aerospace, defense, government, political campaigns) should be using a more secure platform, and also employing additional encryption tools. Additionally, very large organizations, with tens of thousands of users, may consider alternatives simply because these organizations may be highly visible and valuable targets for hackers. This may explain the NYC DOE’s decision to discontinue Zoom: being the largest district in the U.S. with 1.2 million students, they could be a prime target. 


Interestingly, a contrarian view has emerged: with all the scrutiny from security and privacy experts, Zoom will quickly become the safest platform to use, since other video platforms are not having to tighten their security stance in the same way Zoom is being forced to do.

Bottom line:

Schools that are finding value in using Zoom to connect directly with students should feel safe in continuing to use the platform. IT heads at those schools should be conducting user training on the ever-evolving Zoom best practices, similar to how they train users on safe and appropriate use of other technologies. 


Zoom Best Practices