How to protect your online calls from 'Zoom-bombing'
The University of Michigan community has experienced at least two instances of “Zoom-bombing” — an unwanted and uninvited interruption to a Zoom call, usually involving harmful language and inappropriate imagery — since the onset of the coronavirus pandemic. With the University’s move to fully remote in March and 80% of coursework remotely this fall, Zoom and other online platforms have become tools for clubs and classes to run remotely amid the ongoing pandemic.
Zoom-bombing has become so frequent with the move to remote education and meetings that the Federal Bureau of Investigation issued a warning detailing nationwide instances of teleconferencing hijacking and how to report them. A public health course was hijacked in April by people who wrote racist slurs and symbols of hate. Intruders struck again at the University this fall at a club meeting call held last month.
Active Minds, an organization on campus that works to destigmatize mental health issues, was Zoom-bombed last month. The attack interrupted a documentary screening and involved racist and offensive language and images and was shocking to those on the call, according to Co-Director and LSA junior JC Garcia.
“I was very confused,” Garcia said. “Our organization is very small to begin with. We weren't sure why we were targeted specifically.”
As a result of the experience, Garcia said they have developed a new understanding of the importance of videoconferencing security.
“I think having secure spaces and Zoom meetings is very important,” Garcia said. “It allows for you and your organization and whatever communities to feel safe and secure in the space, so you don’t feel that anyone’s going to be invasive and harm you and your safety and your well-being in any way.”
This has been happening at schools and universities across the nation. Both the University of Pennsylvania and University of California, Los Angeles faced multiple Zoom-bombing incidents earlier this month.
In light of these attacks, The Daily spoke to experts on campus — including Ravi Pendse, vice president for information technology and chief information officer, and Kyle Lindsey and Hanah Stiverson, two doctoral students who are working on a book with Professor Lisa Nakamura about Zoom-bombing — to compile a list of tips to ensure calls for classes or clubs remain as secure as possible.
Restrict the call to those with University of Michigan credentials
One of the best ways to protect a meeting, Pendse said, is through setting the meeting to allow only those logged into Zoom or Bluejeans accounts with University email credentials. This works best for calls with only University-affiliated organizers and attendees and is one of the best ways to secure your call if possible, he said.
Because of University security policy, Pendse said attendees will not only have to log into Zoom or Bluejeans with their University credentials, but also confirm their identity with two-factor authentication.
“A person who has nothing to do with UMich will not be able to intrude into that meeting and do something unexpected,” Pendse said. “That is the best way to secure a meeting if it is meant for only the UMich community.”
Do not promote your meeting link publicly or share it widely
For small gatherings or private organization meetings, it is important to not publicly promote the information for your Zoom call, Stiverson said. This means keeping this information off of social media, she said, and sending this information privately, if at all possible.
“What we’ve found to be the best-case scenario is to not promote your Zoom link in any kind of social media setting, in any kind of public setting,” Stiveron said.
Require all attendees to use a long-form Zoom link and a password
Requiring a long-form Zoom link is a good strategy for smaller group calls with people you trust, Pendse said, because it prevents someone from guessing the nine-digit meeting number. Using the password ensures only someone who has the password can enter the call, he added.
Pendse also emphasized to ensure you trust all individuals who will be attending the call and specifically request they do not share the link or password with anyone.
“And you request people who are participating, not to share that with anyone,” Pendse said. “Because again, the password is only as good as the people who have it.”
Set up a waiting room for your call
Lindsey said setting up a waiting room for the call allows the host to check and verify every attendee that is entering the room.
This works with small groups easily, but if you are having a bigger meeting and plan to use this strategy, it would be wise to have a set list of attendees to check and to employ the help of some trusted co-hosts to verify and let everyone in, Lindsey said.
“(A waiting room) is another layer of security,” Lindsey said. “Someone with the link cannot just enter the meeting, but that a host of the meeting has to confirm they are allowed in.”
Use a Zoom webinar instead of a Zoom call
For large or public meetings or presentations, Pendse suggested using the Zoom webinar feature instead of a Zoom call. Anyone who has the link or number can enter the meeting, but they do so with very limited capabilities, he said. On top of this, he said the host has much more control over the attendees and how and when they are allowed to participate.
This strategy allows you to have a larger public meeting and still have control over the attendees and how they are interacting with the process, Pendse emphasized.
“In webinars, people who are coming in don’t have a lot of options — you as the host control all of that access,” Pendse said.
Lock your meeting
If someone uninvited makes it onto your call, they won’t be allowed to re-enter the room if they are kicked out, Pendse said. He said this prevents you from having to end a call and re-distribute links and information and to proceed after the interruption if possible.
You should immediately report a user if they make it onto your call and cause problems or harm, Pendse added.
“When you start the meeting there is a setting, which allows you to lock the meeting,” Pendse said. “And by locking the meeting, what happens is if you eject somebody they cannot come back in.”
Immediately record as much information as you can about the event
Because a Zoom-bombing event is shocking, Stiverson said attendees or hosts should record or write down as much information about the event as they can remember if possible. This will allow call hosts to reach out to Zoom or Bluejeans itself and provide a detailed report of the event, she said.
Stiverson emphasized the importance of this in creating an awareness of these issues and the harm they cause.
“The culpability for these types of issues should not lie with the user, but should lie with the platform,” Stiverson said. “Take a breath and actually gather some evidence from participants who experienced it and reaching out … (this) will draw attention to this much larger and structural issue that we are finding.”
Talk to ITS
Finally, Pendse stressed that the University Information and Technology Services has information on cybersecurity and protecting your calls from intrusion. They also have videos that walk you through the best practices and steps to take to have a more secure video conferencing experience, he said. If users still aren’t comfortable or are having trouble, they should reach out to ITS, which is willing to run training for small or big groups on how to keep calls secure.
“We don’t want people from outside coming and interrupting important discussion that is going on,” Pendse said. “That’s why we want to help secure these meetings because if you have ever been involved in a meeting where something happened like this it’s quite an unpleasant experience. It can be quite disturbing.”
Taking action can help the University community avoid widespread issues, experts say.
Stiverson and Lindsey both emphasized that Zoom-bombing is part of a larger problem.
“(Video conferencing) requires us to allow labor and home and intimacy to merge and when that space is attacked it is doubly harming,” Stiverson said. “Very often the people that are most harmed by these instances of Zoom-bombing are the people that are most often harmed in society from other racist and misogynistic attacks.”
Stiverson said reporting incidents of Zoom-bombing is important so the platform creators are aware of the issue and can take action. Lindsey also stressed that Zoom-bombing is a part of a pattern of people taking advantage of online social spaces to cause harm.
“There are people actively seeking to hijack and harass and disrupt any community spaces online or on digital platforms,” Lindsey said. “(Zoom) is just another medium for folks who are already engaged in hijacking.”
Daily News Contributor Paige Hodder can be reached at email@example.com.
The COVID-19 pandemic has thrown challenges at all of us — including The Michigan Daily — but that hasn’t stopped our staff. We’re committed to reporting on the issues that matter most to the community where we live, learn and work. Your donations keep our journalism free and independent. You can support our work here.
For a weekly roundup of the best stories from The Michigan Daily, sign up for our newsletter here.