by Katarina Klaric and Peter Diviticos
COVID-19 restrictions have resulted in schools using videoconferencing technology for meetings and class attendance. This has created unprecedented challenges for schools and education departments, which must implement technological solutions that enable secure data access and connectivity between school councils/boards of management, administrators, staff and students. The video conferencing service Zoom Video Communications (“Zoom”) has been adopted by many schools, although it was not designed as an education technology product. Further, schools are using Zoom without a proper security risk assessment of the technology and without adequate training of school councils/boards of management, administrators, staff and students in the use of the technology, its security risks and safety issues.
Student safety is paramount in the online learning environment. There have been recent cases where online classes have been interrupted by unwanted attendees causing graphic and inappropriate material to appear on students’ screens[i].
Remote education also gives rise to increased security risks associated with privacy breaches in the handling of personal information or data collected by private and government schools. Although the Australian and Victorian Privacy Acts do not prevent schools from operating from home remotely, compliance with the Australian Privacy Principles (“APP”) and the Information Privacy Principles (“IPP”) is still required during COVID-19.
School council/board of management, administrators and staff also need to ensure that confidential information relating to the school finances, administration, staff and teachers is not exposed to unauthorised disclosure, access or use, where meetings are undertaken using videoconferencing.
Schools need to assess and evaluate the risks associated with remote learning environments and consider whether security and safety measures for online education and meetings are adequate for the protection of confidential information and personal data, and the safety of their students.
Privacy Risks on Zoom
Recent media reports about the Zoom video conferencing services highlight some of the risks associated with the use of this technology:
- Check Point Research, in its report, identified security flaws in the Zoom videoconferencing platform which allowed potential hackers to join a meeting uninvited or to listen in[ii];
- Zoom setups allow meeting participants to easily share meeting details with external parties. This flaw can result in security breaches and meetings being interrupted by unidentified persons known as “Zoombombers”[iii];
- Security flaws which have allowed on-line classrooms to be interrupted by uninvited guests “yelling profanities” and showing offensive material[iv];
- The inadequacy of the encryption offered by Zoom for video and audio data during transmission and storage when using Zoom video conferencing services[v];
- Security flaws which allowed hackers to take over a Zoom user’s computer including the webcam and microphone[vi].
Zoom has admitted that there are security flaws and privacy issues with its video conferencing services. Michael Chetner, Head of Australia and Asia Pacific, Zoom Video Communications, told Fran Kelly, presenter on ABC Radio National, that Zoom was designed for enterprise use by large companies that have IT departments which can go through security measures and configure Zoom so that it can be used safely. Zoom’s security and privacy flaws have been brought to the forefront by massive growth in the use of the service by individuals, consumers, small to medium businesses and schools as a result of COVID-19 restrictions. Between December 2019 and March 2020, Zoom users increased from 10 million to 200 million worldwide. Zoom has engaged cybersecurity experts to deal with the issues and was working with schools and the State and Federal governments to ensure that Zoom’s settings were configured properly to ensure the safety of children. Mr Chetner also emphasised the importance of proper security configuration of Zoom and education of users on how to use Zoom safely[vii].
Zoom has reacted to the above privacy concerns. In March 2020, Zoom updated its default screen sharing settings for Education accounts so that only the host, most likely a teacher, has permission to share content within their meetings.[viii] This makes it less likely for “Zoombombers” to gain access to students’ screens.
In addition, the Policy states that Zoom only shares personal information about students with Zoom’s service providers, to the extent necessary to provide their services. However, until Zoom provides further information about the entities with whom Zoom shares the data that it collects when individuals are using Zoom and the countries in which these entities are located, there are potential data security and privacy risks that need to be addressed by schools using the platform.
It is important that schools implement appropriate risk management strategies to minimise the risk of a personal data security breach, to protect their confidential information and to ensure compliance with privacy laws. Some steps to consider for videoconferencing:
- Schools should not use videoconferencing services for school council/board of management meetings and other staff meetings where confidential and sensitive content is to be discussed without first ensuring that appropriate security configurations and/or encryption are implemented.
- Prior to the commencement of the meeting, participants should be reminded of their obligation to keep confidential the content that is discussed until such time as the school releases the material into the public domain. This should be confirmed in any minutes or record of the meeting that is circulated to participants.
- Undertake an assessment of the possible security and privacy risks and implement the appropriate measures to deal with these.
- Seek the assistance of IT or cybersecurity experts to implement the appropriate security configuration and settings including encryption for video conferencing.
- Educate and train school council/board of management, staff, students and parents in respect of features and functionality of the video conferencing service so that appropriate security and privacy configurations and settings are “on” before each conference session. Schools using Zoom should implement the best practice tips for securing virtual classrooms[xi].
- School council/board of management, administrators, staff, students and parents should be regularly reminded that they should not share passwords, security codes or links that would allow uninvited guests to access the online class or virtual meetings.
- Provide school council/board of management, administrators and staff with appropriate training in relation to which discussions are appropriate on videoconferencing platforms, and those which are not.
- Implement and update appropriate security measures for the protection of confidential information/data, including controls such as encryption and password protection.
- Keep up to date in relation to any further security breaches on videoconferencing platforms. Useful resources for updates include:
  - eSafety Commissioner
  - Stay Smart Online – an online alert service which provides alerts on the latest threats and information on how to reduce the risk of cyber threats
  - ACCC Scamwatch
  - Australian Cyber Security Centre (ACSC)
  - Australian Cybercrime Online Reporting Network (ACORN)
The Office of the Australian Information Commissioner (‘OAIC’) has also published guidance for government agencies and private sector organisations to assist the entities regulated by the Privacy Act 1988 (Cth) to understand their obligations during the COVID-19 pandemic: “Coronavirus (COVID-19): Understanding your privacy obligations to your staff”. The OAIC guidance also includes some steps that agencies and organisations can take to protect personal information when working remotely.
Authored by Katarina Klaric and Peter Divitcos, 6 May 2020
© Copyright May 2020 — Stephens Lawyers & Consultants
Disclaimer: This update is not intended to replace obtaining legal advice
[i] Warren Barnsley, Georgia Simpson and Brittany Lane, ‘Coronavirus Australia: Queensland school children shown porn in hacking of Zoom online classes’, Seven News, 28 April 2020, https://7news.com.au/lifestyle/health-wellbeing/coronavirus-australia-queensland-school-children-shown-porn-in-hacking-of-zoom-online-classes-c-1001128.
[ii] Kim Lyons, ‘Zoom vulnerability would have allowed hackers to eavesdrop on calls’, The Verge, 28 January 2020, https://www.theverge.com/2020/1/28/21082331/zoom-vulnerability-hacker-eavesdrop-security-google-hangouts-skype-checkpoint.
[iii] ABC News, ‘Coronavirus working arrangements have seen Zoom downloads soar, but some users are wary of security flaws’, 3 April 2020, https://www.abc.net.au/news/2020-04-02/coronavirus-sees-zoom-downloads-soar-but-fbi-warns-security-flaw/12113802.
[v] Micah Lee and Yael Grauer, ‘Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing’, The Intercept, 31 March 2020, https://theintercept.com/2020/03/31/zoom-meeting-encryption/.
[vi] Kari Paul, ‘“Zoom is malware”: why experts worry about the video conferencing platform’, The Guardian, 3 April 2020, https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing.
[vii] Fran Kelly, ‘Video app “Zoom” criticised over security and privacy issues’, ABC RN Breakfast, 20 April 2020, https://www.abc.net.au/radionational/programs/breakfast/video-app-zoom-criticised-over-security-and-privacy-issues/12163500.
[viii] Zoom Video Communications, ‘March 2020: Update to sharing settings for Education accounts’, https://support.zoom.us/hc/en-us/articles/360041591671-March-2020-Update-to-sharing-settings-for-Education-accounts.
[xi] Ryan Gallagher, ‘Best Practices for Securing Your Virtual Classroom’, Zoom Video Communications, 27 March 2020, https://blog.zoom.us/wordpress/2020/03/27/best-practices-for-securing-your-virtual-classroom/.