Advertisement
U.S. markets closed
  • S&P Futures

    5,206.75
    -8.00 (-0.15%)
     
  • Dow Futures

    39,199.00
    -24.00 (-0.06%)
     
  • Nasdaq Futures

    18,175.00
    -56.50 (-0.31%)
     
  • Russell 2000 Futures

    2,047.30
    -2.50 (-0.12%)
     
  • Crude Oil

    82.60
    -0.12 (-0.15%)
     
  • Gold

    2,163.90
    -0.40 (-0.02%)
     
  • Silver

    25.30
    +0.03 (+0.14%)
     
  • EUR/USD

    1.0877
    0.0000 (-0.00%)
     
  • 10-Yr Bond

    4.3400
    +0.0360 (+0.84%)
     
  • Vix

    14.33
    -0.08 (-0.56%)
     
  • GBP/USD

    1.2726
    -0.0003 (-0.02%)
     
  • USD/JPY

    149.1920
    +0.0940 (+0.06%)
     
  • Bitcoin USD

    65,957.98
    -1,731.32 (-2.56%)
     
  • CMC Crypto 200

    885.54
    0.00 (0.00%)
     
  • FTSE 100

    7,722.55
    -4.87 (-0.06%)
     
  • Nikkei 225

    39,429.78
    -310.66 (-0.78%)
     

How to Prevent Zoombombing

Consumer Reports has no financial relationship with advertisers on this site.

Loren Ford could see a problem coming.

He was glad that his synagogue, Congregation Beth Am in Altos Hills, Calif., was moving its meetings and services online to Zoom once the coronavirus pandemic hit. But as a former privacy lawyer and counsel for Google, and an informal tech consultant to the congregation, he was also concerned about security and privacy.

His biggest worry was the risk of Zoombombing, where outsiders disrupt meetings using threatening or offensive material.

"Zoom wasn't built for its current use," he says. "It was built for business meetings, which don't have the same level of privacy and security concerns as a massive platform for connection of all kinds."

At one of the first online synagogue events, Ford noticed that participants' home and cell-phone numbers were displayed on the screen for everyone to see—a privacy misstep even in a meeting attended only by congregants. Ford and Beth Am's executive director decided to create guidelines for how to use Zoom more safely.

When Ford skipped a meeting to work on those guidelines, his fears were realized: The congregation was Zoombombed by intruders, who barraged the participants with anti-Semitic messages.

The attack fit a disturbing trend, with incidents such as the Zoombombing of an African-American student's dissertation defense by racist trolls and the disruption of many meetings of organizations ranging from schools to Alcoholics Anonymous to Muslim and Jewish groups.

"We want and need worship services and other study and informational sessions to be open not just to our members, but to non-members who might be interested in joining," Ford says. "But that's in tension with the fact that there are criminals out there trying to wreak havoc."

The advice Ford has put together to try to manage these competing priorities can serve as a guidebook for any potential Zoom host.

Consumer Reports vetted the advice with our own in-house security team, and we are publishing the highlights below. You can also find advice in Zoom's help center.

We learned about Ford's guidelines through a fellow congregant who joined a Consumer Reports webinar on teleconferencing. These webinars are the digital version of volunteer-led meetings CR has been conducting to help consumers take control of their digital privacy. While the in-person meet-ups have been intimate, meeting in people's homes, the webinar on teleconferencing privacy and security pulled in 1,000 participants.

"I'm excited that the one-on-one relationships we're building with amazing Consumer Reports members across the country are allowing us to tap into their expertise," says Alan Smith, community leadership manager for Consumer Reports. "Folks like Loren are living on the frontier of this sudden new digital privacy world."

Striking the Right Balance

Zoom gives the host of a meeting a lot of power over who can join, and which features participants can use. If you're in charge of a Zoom meeting, Ford says, the goal is to maintain a delicate balance between openness and security.

The right strategy depends on the size of the meeting, he says. Like many organizations, Congregation Beth Am holds both small gatherings with a restricted guest list and large meetings that are open to the whole congregation as well as non-members.

Those smaller meetings are easier to moderate, because you know who's going to be attending. "You need to be thoughtful about how you control access," Ford explains. "If you're careful about who you let in the door, you can be a little more relaxed once they're in there."

Here's one difference in how Ford would handle bigger and smaller meetings. Zoom lets participants appear in front of a virtual background that they grab from their own computers—no green screen needed. In smaller meetings open to only invited guests, Ford says it's fine to let members choose their own virtual backgrounds.

But for larger meetings that are open to the whole congregation and outsiders, he says, it's a good idea to consider turning off that feature because an intruder could easily post an offensive image as his or her background.

Here are more detailed recommendations.

Controlling Who Joins a Meeting

Control when people can join a meeting. First off, Ford says, for large meetings you should disable the "join before host" feature. This feature allows participants to join before the host and hang around afterward. However, it can also leave the meeting functionally unmoderated.

You can use another setting—the "lock meeting" feature—to prevent anyone new from joining the meeting. Hosts can employ this at any time during the meeting. It can keep you safe from intruders who just stumble on the meeting partway through.

Also, Ford advocates disabling a setting that can allow an attendee who's been removed to rejoin a meeting.

One smart practice is to share the oversight duties by designating several co-hosts. That allows the co-hosts to keep an eye on the attendees, while the main host runs the event.

Avoid easy-to-guess meeting names. Zoombombers often gain access to meetings by guessing or searching the names of meetings using Zoom's standard naming conventions, also known as Personal Meeting IDs. (We've decided not to describe how the naming convention works, as a safety precaution.)

Ford suggests generating a Zoom link automatically instead, which is harder for bad actors to guess.

Perhaps most important of all, tell participants not to post links or other meeting information to their social networks.

Require passwords . . . sometimes. Some privacy experts tout the use of passwords for every Zoom meeting; Ford is a little more circumspect. "Requiring passwords is good policy for any meeting that is more private than public," he says. "But restricting more communal activities is a step towards less open meetings, and it should be considered very carefully."

Ford adds that passwords should be an absolute requirement for any meetings that include children or minors.

Control the door. For larger meetings, you can enable Zoom's "waiting room" function, which puts participants in a virtual vestibule outside the meeting. The host can see potential guests and then decide whether to admit them, one by one or as a group. It's a robust security practice, but it can be time and labor intensive to check everyone in a large group. (A security issue with waiting rooms has since been fixed by Zoom.)

If you become suspicious of just one attendee, you can place them "on hold." That leaves them in the meeting but blocks video and audio transmission between them and everyone else. Then you can decide whether they are simply someone you don't know or an intruder.

In-Meeting Controls

Limit sharing options. For larger meetings, Ford suggests limiting what participants can do. You can, for example, mute all participants by default. They can then click an icon to "raise their hand" when they want to speak.

He says it's also smart to disable screen sharing by anyone other than the host. Zoom also lets participants create a whiteboard for collaborative work, with everyone adding annotations. Ford suggests that you turn off whiteboard sharing in large meetings.

Disable or restrict chat. Disabling chat is an option for larger groups where you don't know all the participants, but even if chat is turned on, it makes sense to disable file transfer within chat or at least limit the kinds of files that can be shared.

That can prevent the spread of malware, but a link could still call up offensive videos or other content. For that reason, Ford says, it's smart to tell participants to be cautious when clicking on links in a chat, especially if they're from someone they don't know well.

Hit pause on recording. Zoom hosts have the option of recording events, but this should be used judiciously, and only with the permission of the attendees. Zoom hosts can allow participants to record a meeting, as well. Ford says this feature should usually be disabled. And no one should record any Zoom meeting attended by minors, unless it's done with explicit parental consent.



More from Consumer Reports:
Top pick tires for 2016
Best used cars for $25,000 and less
7 best mattresses for couples

Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2020, Consumer Reports, Inc.

Advertisement