I know that Zoom has received a lot of criticism lately around their security and privacy failures. This has been a polarizing issue where those who love the platform are almost ignoring the issues while those who don’t like Zoom can’t seem to appreciate the things they do well. This post isn’t about those concerns but rather the way Zoom marketed their products to education without understanding the needs and ultimately set teachers and students up for failure.
Recap of the Issues
With all of the negative publicity and even a warning issued by the FBI, schools across the nation have been trying to figure out how to rein in all of the insecure defaults that were set by Zoom. When the NYC Department of Education banned its use, it was understandable that many people felt this was a dumb decision. The problem is there are a lot of weird things about K-12 education that few know about unless they work in the space, so I posted the following thread trying to help people better understand these nuances.
So that everyone’s on the same page, Zoom is giving free education licenses to teachers and school districts that are based on their Basic licenses but have had the 40 minute time limit removed and added everything necessary to make these compliant with FERPA. Many other vendors have done similar, and it’s both a wonderful gift as well as an opportunity to bring in new customers and sales once this is all over.
Unfortunately, their directions were very unclear, and especially for those without an IT-managed approach, this created a lot of confusion about how accounts should be created. While they did publish some best practices, the average person, teachers included, will not go looking for how to secure software; they assume it is already secure. Zoombombing was the result of meetings being protected by nothing more than an easily guessed 10 digit Meeting ID with no password by default, and this exposed a lot of students to illicit content and also resulted in verbal threats of all kinds against teachers and students.
Zoom urged everyone to add passwords and enable virtual waiting rooms to vet people before bringing them in, but initially this required that the host receive this communication and change the settings themselves. Even after doing this, students started sharing the meeting IDs and passwords online using #zoomcode and #zoomcodes, and it's untenable to vet 40+ person classes one attendee at a time. Some IT folks in education may have seen this coming, but Zoom and teachers managing their own accounts never would have anticipated this.
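Once a meeting ID and passcode are posted publicly, the only practical response is to notice quickly and rotate them. The following is an added example, not code from the original post or from Zoom, showing how a district could scan scraped posts for shared meeting details. It assumes Zoom meeting IDs are 9 to 11 digits and join links follow the zoom.us/j/<id>?pwd=<passcode> shape; the sample posts are constructed for the example, and the "context required" rule exists so that an ordinary 10 digit phone number is not reported as a leak.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample posts (not real data) in the style the article describes:
# meeting IDs and passcodes shared alongside #zoomcode / #zoomcodes.
SAMPLE_POSTS = [
    "come trash mr smith's class lol #zoomcode 123 4567 8901 pw: math101",
    "https://zoom.us/j/98765432109?pwd=YWJjZGVm join now #zoomcodes",
    "anyone know the id for 3rd period? #zoomcode",
    "call me at 555 123 4567 tonight",  # phone number, must NOT be flagged
    "Meeting ID: 111 222 3333 Passcode: 000000 everyone welcome",
]

# Assumed join-link format: https://zoom.us/j/<9-11 digit id>?pwd=<passcode>
JOIN_LINK = re.compile(
    r"https?://(?:[\w-]+\.)?zoom\.us/j/(\d{9,11})(?:\?pwd=([\w.-]+))?", re.I
)
# Zoom-style grouping: 3 digits, 3-4 digits, 4 digits, optionally separated.
MEETING_ID = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3,4})[ -]?(\d{4})(?!\d)")
# Longest alternatives first so "pwd" is not consumed as "pw" + "d".
PASSCODE = re.compile(r"\b(?:passcode|password|pwd|pw)\b\s*[:=]?\s*(\S+)", re.I)
HASHTAG = re.compile(r"#zoomcodes?\b", re.I)
ID_LABEL = re.compile(r"meeting\s*id", re.I)


@dataclass
class Leak:
    meeting_id: str
    passcode: Optional[str]
    reason: str


def extract_leak(post: str) -> Optional[Leak]:
    """Return a Leak if the post appears to share Zoom meeting credentials."""
    link = JOIN_LINK.search(post)
    if link:
        # A join link is unambiguous: report it even without a hashtag.
        return Leak(link.group(1), link.group(2), "join link")

    # Bare 9-11 digit numbers are too common (phone numbers, order numbers),
    # so only treat one as a meeting ID when the post gives Zoom context.
    if not (HASHTAG.search(post) or ID_LABEL.search(post)):
        return None

    mid = MEETING_ID.search(post)
    if not mid:
        return None
    pw = PASSCODE.search(post)
    return Leak("".join(mid.groups()), pw.group(1) if pw else None,
                "hashtag/label + numeric ID")


def scan(posts: List[str]) -> List[Leak]:
    """Scan a batch of posts and return every suspected leak."""
    return [leak for leak in (extract_leak(p) for p in posts) if leak]


if __name__ == "__main__":
    for leak in scan(SAMPLE_POSTS):
        print(f"{leak.meeting_id}  passcode={leak.passcode}  via {leak.reason}")
```

In practice the output would be matched against the district's own list of active meeting IDs so that the affected host can be told to change the passcode or move to a new ID, and anything that matches a district meeting is worth alerting on even without a passcode present.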
Zoom’s Best Practices Fall Short
It wasn’t until early April, several weeks after thousands of individual teacher accounts had been created, that Zoom published a “Comprehensive Guide to Educating Through Zoom” which addressed some of these shortcomings. They now recommend creating accounts for all staff and students, restricting meetings to authenticated users only, and changing a number of settings to create a safer meeting. Unfortunately, there are still many things wrong with this approach, and here’s a non-comprehensive list of concerns I see when thinking about school districts across the nation.
1) Zoom is assuming everyone has an IT person who can set up a tenant. For many schools, this isn’t the case, and teachers are simply creating personal accounts for themselves and their students. Even for those that do have IT, we’re lucky if the teachers sign up for the education account using their school email. They could address this with better onboarding.
2) Their “best practices” aren’t applied to education tenants by default. I’m not faulting them for this, but again, I want to point out that they expect someone to find their documentation and configure it in a way that is safe for student use. Businesses either have an IT person to do this or are small enough they don’t care. They could address this by setting defaults for education tenants differently than they do consumer accounts.
3) If we create accounts for students, this means they can now host meetings… with each other. There is no guidance on this, and the workaround is so convoluted that I don’t think most would have come up with it. To prevent student-to-student meetings, you have to create a group for students, then set a locked policy for that group that only allows users from a fake domain to join. This means they can create a meeting, but nobody can join them. They could address this by adding a dedicated control for this (guidance is too easy to miss).
4) The product Zoom is providing is not the best option for large classes, but they aren’t communicating that. Teachers are trying to take teaching methods from a classroom and convert them to a digital medium. Zoom Webinars is the right product for this use case, but that’s not free. I’m not saying Zoom needs to give this to us for free, but I am saying teachers need to understand they need to adjust how they teach with Zoom, and that’s not in their guidance. They could address this by working with educators who are leaders in remote learning to put out guidance.
5) Zoom has not said anything about their licensing model, but I am concerned. If we now have to provision accounts for all students to ensure safety, do we now have to pay for education licenses for all of them when this is over (remember, Basic wasn’t FERPA compliant until upgraded)? Our pricing is roughly $9 per user per year, so that’s roughly a $420K spend for us… They could address this by making student accounts free; both Microsoft and Google do.
Zoom recently announced they have added an advisory board and brought on some awesome folks like Alex Stamos to help shore up security. These are great steps, but I am concerned the people in those groups don’t understand K-12 education. I know our educators love Zoom, but it needs to be safe to use and affordable. To be clear, there is no perfect solution in this market, and the offerings from Microsoft, Google, and others are still lacking certain controls or capabilities too. I would just like to see Zoom attempt to better understand and help K-12 education if they are going to pursue the market the way they have.
I love helping others understand the complexities that school districts face, and I think it’s good for all of us to realize that every sector and environment can be more complicated than we might think. If you have any questions, please feel free to hit me up on Twitter (@nathanmcnulty), or if you are in education, we’d love for you to join us on our OpsecEdu Slack (DM me or email us: firstname.lastname@example.org). Thanks!