With the coronavirus pandemic that is forcing millions of people to work, study, and connect from home, zoom conferencing is becoming a standard method of connection. And with popularity comes abuse. Enter zoom bombing, the phenomenon that trolls intrude on other people's meetings to harass attendees, usually by bombarding them with racist or sexually explicit images or statements. A small selection of the events of the past few days:
- A participant who disrupted a meeting with Alcoholics Anonymous by calling anti-women and anti-Semitic insults, along with the statement, "Alcohol is soooo good," Business Insider said. The meeting organizers eventually muted and removed the intruder, but only after more than half of the participants had left.
- A zoom conference with students from the Orange County Public Schools system in Florida that was interrupted after an uninvited participant exposed to the class.
- An online meeting of black students at the University of Texas that was canceled when it was interrupted by racist insults from visitors
As distracting and offensive as it is, zoom bombings are a useful reminder of how fragile privacy can be in the world of online conferencing. While common meetings between faculty members, board members, and employees are protected by physical barriers such as walls and closed doors, zoom conferencing can only be secured by other means that many users do not master. Below are tips for avoiding the common pitfalls of zoom conferencing.
Make sure that meetings are password-protected. The best way to ensure that meetings can only be accessed if someone has the password is to make sure that the Password required for one-to-one meetings is enabled in User Settings. Even if the setting is disabled, a password may be required when scheduling a meeting. It may not be practical to password-protect every meeting, but conference organizers should use this measure as often as possible.
If possible, do not announce meetings on social media or other public institutions. Instead, only send messages to participants using email or group settings in Signal WhatsApp or other messenger programs. This advice is especially important if you are the leader of a country like Britain. (Fortunately, Prime Minister Boris Johnson password-protected the meeting and was smart enough not to include the passphrase in his tweet. Even then, his tweet revealed multiple participants' IDs.)
Check the list of participants regularly, if possible. This can be done by the organizer or by trustworthy participants. All unauthorized users can be booted. (Later more.)
Control screen sharing carefully. The user settings allow organizers to set default sharing settings by default. People who rarely need sharing should turn it off entirely by sliding the button to the right to turn it off. In the event that participants need screen sharing, the slider should be activated and the setting that only the host should be released should be activated. Organizers should allow all participants to share screens only if the host knows and fully trusts all participants in a meeting.
And while you're at it
The four measures above are cardinal. Here are some more suggestions for securing zoom meetings:
Disable the Join Before Host setting So that the organizers can control the meeting from the start.
Use the Waiting room option to accept participants. This prevents trolls from being picked up if they have slipped through the two main defenses.
Lock a meetingif possible as soon as it is on the way. This prevents unauthorized persons from logging on later. You can lock a meeting by clicking Manage Attendees and using the controls that appear on the right side of the meeting window. With Manage Attendees, an organizer can also mute all attendees, eject selected attendees, or prevent selected attendees from being shown on video.
Pay attention to everything that is in sight of your camera. Regardless of whether you work from home or from the office, there may be diagrams, drawings, notes, or other things that other participants should not see. Remove it from the camera view before the meeting begins.
In addition to the advice above, Zoom users should consider using a browser to connect to meetings rather than the dedicated Zoom app. I prefer this setting because I believe that the attack surface on my system – the number of vulnerabilities a hacker can use to compromise my security – increases with every app I install. In 2020, most browsers will be protected against attacks. Other types of software are less.
Zooming makes the web option difficult to find after you click the Join a meeting link. In my tests on a Windows 10 computer, the option only appeared after I uninstalled the Zoom client. Even then, Zoom moved an installation file after I tried to join a meeting. I was only able to use the browser after I declined the download and selected the Join option in your browser. On a Mac, I was able to find the option even after installing the Zoom client by clicking Cancel in the app install dialog. A Chrome extension called Zoom Redirector also makes it easier to find the link (Firefox and Edge versions of the open source addon can be found here). The permissions required for the extension indicate that it is not a major privacy or security threat.
Users who choose the browser option get the best results using Chrome. Firefox and other browsers prevent some important functions such as audio and video from working at all. Out of courtesy, meeting organizers can choose a setting that makes it easier for participants to find the option.
Fortunately, Zoom turned off an attention tracking feature that organizers could use to tell when a participant hadn't focused on the meeting for more than 30 seconds, for example because the participant had switched to a different browser tab. This ability was pushy. It's great that the zoom removed it.