Zoom, privacy, and security

This is a note to my patients about privacy and security of the Zoom app and other related issues.

In the Covid-19 crisis, I am currently using Zoom as my platform for telemedicine. I initially used my health record’s system for video appointments, but I switched to Zoom for several reasons: (a) a few patients found the system difficult to access; (b) the call quality was not as good as I had hoped; and (c) it was difficult to record sessions, for people who have given me permission to do that.

Zoom has been a leader in video conferencing for some times and I have many colleagues who have used and are using it. They uniformly report that its call quality is better than alternatives. With the Covid-19 crisis, Zoom’s “moment” has arrived, and I have been impressed with their agility in meeting a massive increase in demand.

With their moment in the sun, they are understandably facing a high degree of scrutiny, and some of their practices have been questioned. Most of these questions are legitimate and deserve to be answered. I believe that Zoom is making a good-faith effort to do so. They have been changing policies and standards in a way that enhances privacy and security, with praise from independent sources for their efforts.

I have looked at these issues and I believe that none of them posed or is posing a risk to the security of what happens during my sessions with patients. I will continue to monitor the situation, but for the moment I will continue to use Zoom. In fact, I believe that the increased scrutiny that Zoom is facing will enhance patients’ security, because no one will be looking as closely at alternative providers for potential security issues.

Please let me know if you are not comfortable with my continued use of Zoom in your case. I am willing to try out alternatives on an individual basis, with the understanding that we may be trading off a possible increase in security for things like decreased call quality or convenience.

Most of my patients are comfortable using email to communicate about scheduling sessions, even though email is not a 100% secure medium. I imagine most of my patients do not take extraordinary measures to block websites from using “cookies” that track them around the web, which result in personalized advertising. And I’m sure all of my patients would not want any identifiable contents of our sessions to be available to anyone, unless they had given explicit permission. If all of that is the case for you, I am confident that my current system meets those standards. If this describes you, great. If it does not describe you, please let me know, and I will work with you to further enhance your privacy and security.

Unless you are very careful about people tracking your everyday web browsing (and I am not), I imagine that, like me, you have had the experience of looking at a product—or even buying a product—and being followed by ads for that or similar products for some time afterwards. I am confident that none of what you and I actually say during a session will be used by Zoom to target advertising or shared in any way. But if you have Zoom account and want to further decrease their use of cookies related to advertising, there are some instructions at the end about how to do that.

Otherwise, the rest of this post gives more detail on potential issues related to Zoom and to how I deal with recordings of sessions.

“Zoombombing”

The first issue that hit the news was the practice of “Zoombombing”: people showing up in meetings, and either saying offensive things or showing offensive images. Because our “Session IDs” (10-digit numbers identifying the session) are not available to the public, and because I use passwords, I was not concerned about this as a problem for me, or for most other therapists. Zoom has since made passwords the default.

I have been more concerned about the possibility of two patients inadvertently showing up on a therapist’s screen at the same time.

This cannot happen in our sessions. Because I have been using the Zoom “Waiting Room” feature, no one can enter our session unless I specifically let them in. If you are in the session, I will not let anyone else in, period. Zoom has since made the use of the Waiting Room the default. (In addition, I do not believe anyone else will even appear in the Waiting Room while I am in session with you because I am using different Sessions IDs for each patient, and using passwords.)

Zoom recordings becoming public

The Washington Post has reported recently on Zoom conversations, including at least one therapy session, being stored “in the cloud” in ways that could be accessed without a password. This is not a Zoom issue, it is apparently an issue with Zoom users not being careful with their recordings.

Zoom itself does not record sessions unless you use their “cloud recording” feature. I have disabled that feature on my account, so I can’t do that even by accident. When I do make a recording on my computer, I store it securely on an encrypted drive and I am careful to keep it secure. Nothing is 100% in this world, but I am confident in the steps that I have taken to keep your recordings safe.

Unless you and I have explicitly agreed that I can record your sessions, I will not do so, except occasionally by accident. That hasn’t happened yet on Zoom, but it happened occasionally in the office simply out of habit, because I record so many sessions. When it did happen, I would immediately stop the recording and later shred the DVD. If you see a red dot and an indication that I am recording when I should not be, please let me know immediately and I’ll stop, and securely delete whatever I have recorded. Even if you don’t notice, I will notice right after the session when I go to file the recording and see that there is no place to file it. I will then delete the recording securely, and let you know about my error.

Sharing video with you

Some patients benefit from viewing recordings of sessions. In the office I would make a second DVD and hand it to the patient in the waiting room after a short wait for the DVD to “finalize.” Obviously, it is important for patients to keep the DVD private after receiving it.

The system I am now using for sharing video is this: if you would like me to share video with you, I will create a Google drive folder that I will share with you. After each session to be shared, I will place the session’s video in our shared Google drive folder. I recommend that you copy it out of the folder, and then delete it from the folder so that it is “in the cloud” for the shortest period of time. This method of sharing is encrypted, so only someone with your Google password (or mine) could access the recordings.

Once you have the file, it is important you store it securely. The most secure way to do it would be on an encrypted (and therefore password-protected) thumb drive or SD card that only you know the password to.

There are other options for secure file sharing, so if you want me to share video with you but are not comfortable with this procedure, please let me know.

Disabling Zoom advertising cookies

The following information was provided by my colleague Johannes Kieding. Although I do not generally worry about advertising cookies, I did test out the browser instructions. They seemed to work, and it would have been a challenge to figure out how to do it without this kind of careful guidance, so I am grateful for these instructions. Please note that they apply only if you have a Zoom account, but it is not necessary to create a Zoom account in order to use Zoom for appointments with me.

The instructions are as follows:

“When you set up a Zoom account and agree to the terms of service, you give Zoom permission to place cookies on your device.

“Some of these cookies are required to enable core site functionality. Some of these cookies allow Zoom to analyze site usage to improve performance. Some of these cookies track your web browsing and sell your personal information to advertisers who then serve targeted ads relevant to your interests. You are given an anonymized identifier so the profile that contains your personal information cannot easily be linked to your actual name and real identity.

“Tracking in the service of providing targeted ads is a common practice on most commercial websites. Many people are OK with trading some personal privacy for services like gmail and Facebook.

“However, Zoom offers users the choice to opt out of being tracked and having their personal info sold to third parties while using Zoom services.

Johannes gives some instructions on how to change the settings from different devices. My understanding is that if you change the setting on any device, the changes should apply to all devices you use to access your account.

On your desktop browser

“To opt out of having your web browsing tracked and your personal info sold by Zoom to third parties go to www.zoom.us. If you have third party tracker blockers installed in your browser disable those first.

  1. Log into your account.
  2. Scroll to the absolute bottom of the page and click the tiny link “Privacy and Legal Policies.”
  3. You will see “Legal” and “Privacy” near the top of the next page. Click on “Privacy.”
  4. Scroll down until you see a box entitled “Cookies”. Click on the “Cookie Policy” link in that box.
  5. Scroll down to the very bottom of that page and click on the tiny link “Do Not Sell My Personal Information.”
  6. The default option is “Required Cookies / CCPA Opt-Out,” so you can just click “Submit Preferences.”
On your iPhone or iPad

“To opt out of having your web browsing tracked and your personal info sold by Zoom to third parties using the iOS Zoom app, launch the iOS Zoom app on your iPhone or iPad and make sure you are logged in.

  1. Tap Settings in the lower left corner.
  2. Tap “About.”
  3. Tap “Privacy Policy.”
  4. Scroll about a third of the way down the Privacy Policy Page until you see a blue link for “Cookie Policy.” Tap that link.
  5. Scroll down to the bottom of that page and tap the tiny link at the very bottom “Do Not Sell My Personal Information.”
  6. The default option is “Required Cookies / CCPA Opt-Out,” so just scroll down and tap “Submit Preferences.”

“I do not own an Android device so I cannot be specific about using the Android Zoom app to opt out, but I imagine the Android user interface is similar enough to the iOS user interface that the above directions would be a good guide.