McMaster currently has an institutional license for 2000 seats of Zoom for Education. Licenses are available on a first-come, first-served basis to all faculty and staff (including graduate students). Licenses must be requested via the UTS ServiceDesk.
As with many collaboration platforms, Zoom offers HD Video and Audio, easy sharing of content, a digital whiteboard, accessibility functions and the ability to record meetings. Meetings can include up to 100 participants, and can last up to 24 hours.
Key advantages of using the Zoom platform are the ability for people to join meetings using a telephone rather than needing a computer, the digital whiteboard, the ability to use breakout rooms in a meeting, and the ability for people external to McMaster to join meetings easily. Zoom claims to be compliant with PIPEDA / PHIPA, and McMaster accounts only route traffic through Canadian data centres. However, due to other security concerns (below), it is not considered an appropriate platform for sensitive data.
Zoom has had many articles written about its services recently. Many of these have focused on concerns over security. Whilst it should be noted that no video conferencing platform should be treated as ‘highly secure’, Zoom does seem to have some special challenges in this area. Nonetheless, the ability to join meetings using a telephone, the high quality of video and audio, and the ease with which people external to McMaster can join meetings make it a very attractive option where concerns around privacy and security are not a key consideration. It is also worth noting that whilst Zoom is currently receiving a lot of bad press, similar concerns have been raised about many other platforms over the last few months, and Zoom is responding to many of the concerns in a timely manner.
Ultimately, it is up to individual researchers to weigh the benefits and risks and determine whether it is an appropriate platform for a study. MREB and HiREB staff are happy to provide guidance.
For reference, the key concerns that have been highlighted about Zoom at the time of writing are:
Encryption: Whilst Zoom does talk about having 256-bit encryption, there have been questions raised about the way in which this encryption has been implemented, and it is worth noting that information is not encrypted on the Zoom servers themselves.
Storage: Recent reports suggest that in certain situations, recordings made by Zoom can be stored on a publicly accessible cloud without the knowledge of meeting hosts.
“Zoom bombings”: If security settings for meetings are not properly configured, it is possible for uninvited guests to join meetings. In some situations, these guests have joined meetings with the intent of being disruptive, which could be very troubling for research participants or students.
Configuring a Zoom meeting
When scheduling a Zoom meeting, the following options are recommended:
Meeting ID: Generate Automatically
Meeting Password: Require a meeting password
Video: Both host and participant video should be set to ‘off’ initially
Audio: Both (unless data collection requires the use of video, participants should be given the option to join by telephone only). Select a Canadian dial-in number to minimize accidental costs to participants.
Select the following ‘Meeting Options’:
Mute participants upon entry (to protect the privacy of participants)
Enable waiting room (to prevent uninvited guests)
Publicizing a Zoom meeting
When publicizing a Zoom meeting, to prevent unwanted guests and protect against ‘Zoom bombings’, meeting hosts should not publicize meeting details more broadly than is necessary. Where it is possible to simply email meeting details to participants, this is the recommended method. Where meeting details must be publicly posted, meeting hosts are advised to post password information separately from other meeting details, and are cautioned that Zoom includes (hashed) passwords in the URLs that it generates by default, which should be removed prior to posting.
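One way to remove the embedded password from join links before posting, as an added example that is not McMaster's or Zoom's own code. It assumes the password is carried in the `pwd` query parameter of links on zoom.us hosts; the sample host, meeting ID and password value are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the embedded password travels in the "pwd" query parameter.
PASSCODE_PARAMS = {"pwd"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample announcement (hypothetical host, meeting ID and password).
SAMPLE = (
    "Join: https://example.zoom.us/j/12345678901?pwd=CONSTRUCTED123.\n"
    "Reading list: https://example.org/page?pwd=keep\n"
)


def is_zoom_host(host):
    """True only for zoom.us and its subdomains, not look-alike hosts."""
    host = (host or "").lower()
    return host == "zoom.us" or host.endswith(".zoom.us")


def strip_passcode(url):
    """Return (clean_url, removed) for a single URL."""
    parts = urlsplit(url)
    if not is_zoom_host(parts.hostname):
        return url, False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() not in PASSCODE_PARAMS]
    if len(kept) == len(pairs):
        return url, False
    return urlunsplit(parts._replace(query=urlencode(kept))), True


def sanitize_announcement(text):
    """Strip embedded passwords from every Zoom link in a block of text."""
    removed = 0

    def repl(match):
        nonlocal removed
        raw = match.group(0)
        url = raw.rstrip(".,;")  # sentence punctuation is not part of the link
        clean, changed = strip_passcode(url)
        removed += changed
        return clean + raw[len(url):]

    return URL_RE.sub(repl, text), removed


if __name__ == "__main__":
    cleaned, count = sanitize_announcement(SAMPLE)
    print(cleaned, f"{count} link(s) had an embedded password removed")
```
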
Recording a Zoom meeting
Meeting hosts should be aware that with enough technical awareness, any participant in a video conferencing meeting (using any platform) has the ability to record the meeting without the host's knowledge. Consenting processes should make this clear to all participants.
From the web interface, hosts should log into their account and then click on ‘my account’, ‘settings’, and click on the ‘recording’ tab. The following options should be set:
‘Local recording’ should be ‘on’
‘Hosts can give participants the permission to record locally’ should be ‘off’
‘Cloud recording’ should be ‘off’
‘Automatic recording’ should be ‘off’
‘IP Address Access Control’ should be ‘off’
‘Require password to access shared cloud recordings’ should be ‘on’
‘Auto delete cloud recordings after days’ should be set to ‘on’ with the time range set to no more than 7 days. This is just to ensure any cached recording files are deleted since you are going to be saving recordings locally.
‘Recording disclaimer’ should be set to ‘on’.
‘Ask participants for consent when a recording starts’ should be set to ‘on’.
‘Ask host to confirm before starting a recording’ should be set to ‘on’.
When recording a meeting, which is initiated from within the meeting client, select ‘Record on this Computer’ (recordings should not be stored on the Zoom cloud servers). Meeting hosts should be aware that even though you have selected a local recording, some caching of data may be done at the server to allow for the local recording. All participants should be aware that they are being recorded, and should have given their consent for this.