Zoom at EPFL

Zoom corporate headquarters in Silicon Valley © 2019 Andrei Stanescu

Zoom corporate headquarters in Silicon Valley © 2019 Andrei Stanescu

"Zoom offers the best quality for the size of our user base."
Three questions asked to Rafael Corvalan, Information Systems Director for the VPSI

The Zoom company has recently been criticized for the lack of security of their platform. Have you looked into other alternatives, in particular either Swiss or hosted in Switzerland ?
We have looked for and studied the alternatives. They either do not provide support for a sufficiently large number of users to suffice for EPFL needs (Jitsi, Whereby), or for enough bandwidth (Switch Open Meet, Infomaniak Meet, both being implementations of Jitsi). We were left to choose between Zoom, Webex from Cisco, Google Meet and Microsoft Teams. The later did not survive the load imposed on it during the first weeks of the pandemic. In the end, Zoom gives us the best quality for the number of users we have: it allows the 15'000 students and employees to continue to follow all of their classes online and do their work in the best conditions possible.

What measures have Zoom taken to better their product's security ?
Zoom announced early April that they had stopped working on changes to their product to focus the next three months on making its security better. Most of the published vulnerabilities have already been fixed or are currently being fixed. EPFL is following these changes closely to ensure that actual progress is made on the security front. Currently, the efforts undertaken are substantial. Zoom has hired Katie Moussouris as a Security Adviser: she is a recognized and influential personality in the world of cybersecurity. One of her missions is to supervise the "bug bounty" program that Zoom runs, a program that she previously set up for Microsoft and the American Department of Defense (" U.S. Department of Defense's first bug bounty program for hackers"). This program allows developers to announce bugs to the editor before releasing them to the public, allowing fixes to be rolled out before the bugs can be exploited.

What supplementary measures have EPFL taken ?
I would like to point out that all EPFL students and collaborators wanting to organize meetings must first login through the epfl.zoom.us link and identify themselves using the Tequila system to get access through EPFL conditions.
Participants may then connect through the link supplied by the organizer. Organizers are encouraged to set a password to their meetings as well to make it harder for unauthorized people to barge in. The organizer is also invited to ensure that the invitation link is only shared with authorized people and to avoid publishing it.
If the meeting is confidential and must be recorded, we ask the organizer to record it locally and not on the cloud, after - of course - having warned the participants that they were going to be recorded.
Finally, users are encouraged to update their Zoom clients as often as possible in order to always have the latest version.

You can find our recommended best-practices here.