Remote Teaching Tools: Privacy and Security Concerns

Dear Colleagues,

The Academic Senate has been engaged in conversations with the Office of Information Technology about the privacy and security of remote teaching tools, particularly for our international students. Below please find the latest information we have to share.

Sincerely,

James Steintrager, Chair

Academic Senate, Irvine Division

Executive Summary

Recent revelations of gaps in Zoom’s privacy and security, as well as its cooperation with the Chinese government to censor meetings and suspend user accounts, have negative implications for academic freedom and cast a shadow on its fitness for use as a distance learning platform. In light of consumer pressure, Zoom has announced a 90-day plan to implement security and privacy features that equal or exceed its competitors. However, the risks to academic freedom associated with the use of Zoom or any other distance education platform cannot be completely eliminated. All major distance learning vendors will comply with foreign government requests for data. Student accessibility to platforms blocked by China’s Internet border controls may result in performance and usability issues.

Situation

Recent admissions by Zoom that it censored conference calls and suspended user accounts at the request of the Chinese government as well as routed unencrypted data through mainland China and Hong Kong servers have created concerns in the academic community. The concerns include that Chinese students living and learning in China may be surveilled and put at risk if exposed to content deemed sensitive or unapproved by the Chinese government and/or that content may be censored by the Chinese government. This provokes two questions: 1) What features of distance learning services protect academic freedom and the safety of students learning outside of the U.S. and 2) Are any of them better than Zoom?

Background

The swift move to distance learning tools in the U.S. resulted in the adoption of streaming conferencing technologies that had not been intended for the purpose of teaching and learning. Their ubiquity, ease of use, and relatively low cost made them appealing for educational institutions that needed a quick answer. However, privacy and security concerns have arisen as their use has proliferated.

Faculty around the U.S. have expressed concerns with distance education platforms, specifically Zoom, compromising academic freedom and potentially the safety of foreign students, particularly those currently living and learning in China. Most notable was an open letter which was written by Jim Millward, a Georgetown University professor of Chinese history. This was published in the wake of Zoom’s recent admissions of cooperation with the Chinese government.

In response to these concerns, Zoom published a 90-day plan to address trust, safety, and privacy issues. Per their update on July 1st, these increased security measures included upgraded data encryption, default security configurations, and the ability to turn off data routing through China and Hong Kong (something UCI configured when it was first announced). End-to-end encryption (E2EE) is expected to be delivered before the end of July for beta testing and released for general use soon thereafter. This feature is a method of secure communication that prevents third parties from accessing data as it is transferred between two ends of the data connection. For Zoom, that means the data is encrypted between the Zoom software client or web browser and the Zoom cloud server. This is similar to how other distance education platforms implement E2EE.

With these changes, Zoom will have security and privacy features comparable to other distance education platforms such as Microsoft Teams and Google Meet. However, to what extent do any of these platforms enable or preserve academic freedom?

Assessment

Preventing, or at least minimizing, the infringement of academic freedom at a technical level means that a digital education platform should address several key security features. OIT has developed a comparison of major distance education platforms that can be used for synchronous and asynchronous lectures using publicly available information.  This comparison is posted on the UCI TechPrep Site under Distance Learning Tools Assessment. The use of E2EE, meeting passwords, waiting rooms, and restricting participation to attendees who have a UCInetID reduce the risk of real-time eavesdropping or censorship.  However, all of these vendors have policies to turn over data upon an appropriate foreign government request – so the risk is not eliminated. 

Of the platforms surveyed, only two are ready for faculty use today: Zoom and Yuja. Of the two, Zoom is a more feature-rich platform.

Recommendation

Technology vendors are in a constant race to develop and enhance features in order to capture market share. Distance learning platforms are no different. While many of them either have or are improving their security and privacy features that in turn help to enable academic freedom, they all have shortcomings. All of them will turn over data if a foreign government requests it and the request complies with their own local laws. Several of them require VPN access to use, limiting the actual usability of the service. Zoom’s ubiquity and shortcomings have forced it to be more transparent with its privacy and security, and it will very soon add end-to-end encryption. While Zoom remains an imperfect distance learning tool, it is also the most practical and accessible for students living in China. As an alternative for synchronous lectures with smaller classes (< 200 participants), Yuja Video Conferencing is also available upon request.

Remote Teaching Webinar Series

The Division of Teaching Excellence in Innovation (DTEI) Support Team will host several training webinars in July to help instructors prepare for virtual instruction, covering topics on student engagement, Zoom, Canvas and Yuja use for teaching.

Please register to attend.

  

Avoiding Caller ID Spoofing Scams

Caller ID spoofing is when a caller deliberately falsifies the information transmitted to your caller ID display in order to disguise their identity. The number that displays on your Caller ID may look as though it’s coming from a government agency, business, or even someone in your contacts list in an attempt to trick you into answering the call. OIT cannot control the caller ID for calls that originate from off-campus, and you may not be able to tell right away if an incoming call is spoofed. Be extremely careful about responding to any request for personal identifying information.

Note: If the caller’s intent is to defraud, cause harm or scam you into providing info you may not otherwise provide over the phone, the spoofing is illegal. If no harm is intended or caused, the spoofing is not illegal. Some people may have legitimate reasons to hide their info, such as a law enforcement agency or a doctor’s office.

Examples of spoofing

  • Caller ID displays a friend or spouse’s phone number, but your friend / spouse is not calling you
  • In neighbor spoofing, robo callers display a number similar to your own phone number, to increase the chance that you’ll answer the call.
  • Receiving calls from your bank’s phone number asking for personal info (account numbers, account PINs, etc.)
  • Caller ID displays ‘911 Emergency’ rather than the actual phone number of the calling party.

How to prevent spoofing scams

  • Don’t answer calls from unknown numbers. If you answer such a call, hang up immediately.
  • If you answer the phone and the caller – or a recording – asks you to hit a button to stop getting the calls, you should just hang up. Scammers often use this trick to identify potential targets.
  • Do not respond to any questions, especially those that can be answered with “Yes” or “No.”
  • Never give out personal information such as account numbers, Social Security numbers, mother’s maiden names, passwords or other identifying information in response to unexpected calls or if you are at all suspicious.
  • If you get an inquiry from someone who says they represent a company or a government agency, hang up and call the phone number on your account statement, in the phone book, or on the company’s or government agency’s website to verify the authenticity of the request.  You will usually get a written statement in the mail before you get a phone call from a legitimate source, particularly if the caller is asking for a payment.
  • Exercise extreme caution if you are being pressured for information immediately.
  • If you have a voicemail account with your phone service, be sure to set a password for it. Some voicemail services are preset to allow access if you call in from your own phone number. A hacker could spoof your home phone number and gain access to your voicemail if you do not set a password.

If you believe you have fallen for a spoofed call and mistakenly shared information, contact the security team: https://security.uci.edu/incident.html

For additional resources on preventing spoofing scams: