Zoom usage raises questions about student data, security

by Coalter Palmer | 10/2/20 2:05am

zoom
by Naina Bhalla / The Dartmouth Senior Staff

Since the beginning of the pandemic, the video-conferencing platform Zoom has dominated higher education, with many colleges and universities adopting the technology as a temporary substitute for in-person instruction. Though Zoom allows students to remain connected to their academic experience, as well as with family and friends, the wide-scale adoption of the platform has raised questions around student data and privacy.

College holds access to student Zoom data, engagement

Dartmouth adopted Zoom for general video calling in 2017, choosing the platform for its convenience, according to chief information officer and vice president of information, technology and consulting Mitchel Davis. 

“[Zoom] was easy to use, it was more intuitive [than other platforms] and it didn't require a lot of setup or training. So it took off, and when the pandemic came, it was a no-brainer to go with Zoom,” Davis said.

When the pandemic hit, the platform’s ability to be scaled up quickly allowed ITC to increase the Zoom download rate within the Dartmouth community from 40% in early March to 100% by April, said James Goodrich, who works at ITC as a video specialist and is the owner and administrator of Dartmouth’s Zoom account. According to Goodrich, in the month of September, Dartmouth’s Zoom network hosted more than 75,000 meetings, with approximately 350 meetings running simultaneously at any given time on an average business day. 

According to Goodrich, statistics on live usage appear on Zoom’s administrator dashboard, a tool that Zoom’s website describes as allowing administrators to access information “ranging from overall usage to live in-meeting data.” Among the data accessible to the College, according to Goodrich, is information on who participates in a call, the type of device used by call participants and where any recordings of the call are saved. If recordings are saved to the cloud, Dartmouth administrators can access them if necessary. Goodrich noted that while administrators do have access to these data, they do not view them.  

“The administrator can see those recordings if they need to or want to. But there are only a couple of people that can do that. And believe me, we're not checking recordings, unless somebody asks us to go find something for them,” Goodrich said, offering “Zoombombing” as an example of an incident that the office might look into.

Sean McNamara, senior director of information security at ITC, added that there is a “strict policy and procedure” in place that ITC must follow before it is allowed to access and work with “user-generated data” like cloud recordings.

Although the video recordings remain stored until deleted by a host or an administrator, ITC is currently working on a “retention policy” that will outline how long recordings can be kept, Goodrich said.

“If we wanted to go into big brother mode, we could figure out not only who was tuned in, and who had their video on, but we could go in and find out if Zoom was the active window during a lecture.”

According to Thayer School of Engineering associate dean of undergraduate education Douglas Van Citters, the engineering department has given Thayer School Computing Services “centralized administrator access” to Zoom data on Thayer classes, meaning that Thayer Computing has access to data such as chat logs and transcriptions of video recordings. Van Citters also said that professors used to be able to view data on user attention — a metric of how often Zoom users had the application open as their active window — but said Zoom discontinued this feature in early April.

“If we wanted to go into big brother mode, we could figure out not only who was tuned in, and who had their video on, but we could go in and find out if Zoom was the active window during a lecture. But we [chose] not to do that. Because that, in my opinion, is actually a violation of the honor code,” Van Citters said, referring to the period before Zoom discontinued the user attention feature.

Van Citters, who was involved in an effort at Thayer this spring to assess educational quality and to increase student engagement, said that instead of “big brother mode,” he has chosen an “opt-in approach” that involves surveying students on their experience with remote education and working with experts to analyze the results and use them to adjust how educational material is delivered. 

He said that he has found success with several strategies, including splitting students into smaller groups, keeping continuous lectures under an hour and offering lectures in 15- to 30-minute asynchronous blocks.

Van Citters added that, like Zoom, Canvas offers an analytics dashboard viewable by administrators and professors. Canvas’s statistics, he said, include information about the amount of time a student spends on a certain page, for example.

“The bottom line is that we live in trust. We absolutely have to trust each other, and that bidirectionality means that we're doing our best not to check up on students from a big brother perspective,” Van Citters said. “And we want to check up in a way that ensures that students are giving us the feedback that really matters.”

McNamara added that because ITC has an enterprise license with Zoom, the platform itself is restricted in how it can use the data it collects. While McNamara said that Dartmouth’s license does include provisions for Zoom to use data to improve company services and “aggregat[e] statistics for business purposes,” he said that these stipulations would be included in “any contract.” 

On the free version of Zoom, according to McNamara, Zoom may be “mining” users’ data — selling it or using it for advertising. However, McNamara said that this is not a concern on Dartmouth’s enterprise platform.

Maureen Hennigan, who acts as ITC’s senior director of service strategy and design and works on many of these enterprise contracts, said that data protection is a primary consideration when these agreements are negotiated.

“For us, it's very important that we are always looking at both the privacy of the student and what's also very important is, from the faculty perspective, their intellectual property. So we take data concerns very seriously,” Hennigan said, adding that her office works very closely with McNamara and the Office of General Counsel on all contracts with outside vendors.

Foreign hackers wage intrusion attempts

According to McNamara, Dartmouth faces a constant stream of attacks from foreign entities attempting to hack Dartmouth and its networks, and ITC and its security systems must work to combat these threats. Widespread adoption of Zoom poses the risk of attracting additional malicious attacks, according to V.S. Subrahmanian, computer science professor and director of Dartmouth’s institute for security, technology and society.

“It's possible that the pandemic, which saw the widespread adoption of Zoom, has spurred attackers to say, ‘Hey, here's this new platform that everybody's using all of a sudden. Let's see what vulnerabilities it has,’” he said.

McNamara said that Dartmouth already sees at least 100,000 intrusion attempts each day through the internet, often from “military-trained nation state actors.” He noted that while ITC has a “fairly good toolset” and “well-trained engineers” to combat these attacks, even these resources do not entirely eliminate the possibility of an intrusion. He added that if a server were to be hacked, the first goal would be to limit the impact of the incident, then to eliminate the threat, then to assess the damage and move forward.

Subrahmanian said that reports of foreign hackers breaking into American institutions are widespread, although he noted that he was not aware of any attacks on Zoom networks.

“Most of the reports of hacking have been for the theft of intellectual property or the acquisition of data, which may or may not constitute intellectual property. And those are likely used for intelligence purposes, the state and for economic value,” Subrahmanian said.

According to Subrahmanian, if foreign actors were to gain access to Zoom data through hacking efforts, that data could potentially allow adversarial states to build a detailed “social map of who knows who in our country.” He added that by creating a social map, machine learning could try to predict things such as whether an individual handles security clearances, works on secret projects or works on projects related to specific, high-priority scientific disciplines.

Subrahmanian also said that he sees the risk of malicious actors  gaining access to Zoom call recordings or other Zoom data or being able to steal products or techniques in their early stages of development.

“That's the kind of risk that I think we need to worry about: the ability to grab very, very initial, unprotected scientific and engineering advances and to develop it on their own,” Subrahmanian said.

Correction appended (Oct. 7, 2020): A previous version of this article indicated that recordings of Zoom calls made on the Dartmouth server were automatically uploaded to the cloud. The article has been updated to reflect that Zoom recordings can be saved to the cloud or to a device, and Dartmouth can only access recordings on the cloud.

Advertise your student group in The Dartmouth for free!