Essential Steps to head off Zoombombing
- When scheduling a new meeting, don’t use the “Personal Meeting ID.” Schedule the meeting and Zoom will assign a Meeting ID for that meeting.
- When scheduling the meeting, check the “Require Meeting Password” box and Zoom will create one. It’s OK to embed the password in the meeting link.
- If the Zoom meeting is only for a closed group of people
- Share the link only with the people who will attend. Don’t publish publicly on the web, Facebook etc. Email is OK.
- If participants don’t need screen sharing, make sure that it is off but if they need screen sharing, it is probably safe to leave it on or make the person who needs to share into a co-host.
- Since the link is shared only with the closed group of people who will attend, it is safe to enable the “Join before host” setting.
- That’s it.
- If the meeting will be public, meaning you need or want to publish the link widely, the rest of this document explains further steps that should be considered.
Overview
This document is written for Quakers who host Zoom meetings.
- People join a meeting with the intention of disrupting rather than participating.
- Description of one instance of Zoombombing
- A meeting started at the time advertised in the publicly available link. As participants were arriving, roughly a dozen disrupters also joined. They started shouting the N-word and writing it in the Zoom Chat for all participants to see. If screen sharing by participants had been allowed in the Zoom settings, images would likely have been shared as well.
- There is a tension between keeping the barriers to participation low for non-technical or new participants and keeping meetings protected. Fear of intrusion can make us take actions that discourage participation. With an understanding of the problem, hosts can remain welcoming and vigilant at the same time.
- Elements of Zoombombing
- Sharing screen with unwanted images such as pornography
- Saying nasty things such as racist slurs to the whole group
- Putting such messages in the chat for all to see
- Using an inappropriate image in place of live video
- Using nasty language for a screen name
Prevention
- Closed meetings are when the connection link is shared only with the specific people who will attend, such as a committee
- As mentioned in “Essential Steps” above, the security comes with protecting the link.
- Be sure the meeting has a password to make it harder for Zoombombers to guess the link by trying lots of random links
- Public meetings are when the meeting will be advertised publicly on a website
- Additional security measures are necessary because anyone on the internet can discover the meeting.
- Option 1 - Protect the link with a barrier
- The public advertisement can instruct potential participants how to register or contact someone for the link. This shifts the discernment to that contact person. Publishing an email for someone could lead to a lot of unwanted email.
- With more barriers present, fewer people will actually make it to the meeting. This could be because of the timing or logistics of navigating the barrier or because the appearance of a barrier feels unwelcoming.
- Option 2 - Protect the meeting
Take steps to prevent the 5 ways Zoombombers have to disrupt the meeting: Screen Sharing; Voice; Chat; Video; Screen Name. The hosts need to decide whether all of these protections are needed.
- Screen Sharing - Start the meeting with only the host allowed to share their screen. This can be changed during the meeting if necessary.
- Muting -
- Use settings to be sure participants are muted as they join the meeting.
- Remove the ability of participants to unmute themselves. This can be changed during the meeting.
- However, if the meeting is meant to be a discussion, muting participants is not very helpful. Being forcibly muted does not feel welcoming or encourage participation, particularly for people that have been historically marginalized. Being clear at the outset that the muting is temporary will help.
- Restrict the ability of participants to chat with each other. This can be completely disabled in the settings for the account hosting the meeting. Alternatively, the settings for the meeting can allow for chat and the host can disable chat at the beginning of the meeting and enable it during the meeting as needed. It is also possible to allow chat only with the host and co-host(s).
- Participant video can be turned off by the host / co-host(s). With participants muted, their video can only get as large as a thumbnail. If the host is screen sharing a welcome screen, very few participant video screens are visible to most participants. This threat is small and participants with inappropriate video can be easily removed by the host / co-host(s).
- Prevent participants from renaming themselves. This prevents a Zoombomber from changing their name to something inappropriate. If they arrive with an inappropriate name and the Waiting Room is enabled, don’t admit them.
- Additional options to protect the meeting
- Consider using the Zoom Waiting Room to screen people as they arrive. This only works if the host knows who is safe to allow in. It is possible to enable the waiting room after the meeting has started. The waiting room could be enabled 5-10 minutes into the meeting at the same time other restrictions such as screen sharing, chat and participants unmuting themselves are lifted. That way a flood of Zoombombers can’t storm the meeting after it has started.
- Stronger then the Waiting Room, consider Locking the meeting once all legitimate participants are present. Warn participants in the invitation that at x time, the door will be locked.
- Consider using a single breakout room for the meeting itself. A greeter functions as they would in many of our meetinghouses. Establish an initial relationship, help people get oriented and then direct them to the meeting room. This is probably unnecessary with small meetings and produces significant delays in large meetings.
During the meeting
- If there are a large number of people present who are not known to the host
- Consider using the “Raise Hand” feature in Zoom. The host can selectively un-mute people who wish to share. If the person starts to Zoombomb, they can be muted, sent to the waiting room or removed altogether.
- If there are a small number or no participants unknown to the host
- Keep the muting, chat with others, and screen sharing restrictions in place until the meeting is settled or the opening material has been presented.
- Enable the waiting room so that late arriving Zoombombers are stuck on their own in the waiting room with nobody to bomb. If legitimate participants arrive, the host can admit them one at a time.
- Allow participants to unmute themselves under “Manage Participants”
- Using the Security button, lift security restrictions for Chat, Renaming and Share Screen as needed.
- The scope of chat permissions can be fine tuned as appropriate
Managing a Zoombombing in progress
Though the measures suggested above are very strong, there is no such thing as perfect security. Being ready to manage a situation in progress, increases chances of success. Like a fire drill, people who practice are more likely to remain calm and succeed.
- Security button
- Shut off Share Screen, Chat, Rename Themselves
- Turn on Enable Waiting Room to stop more bombers from arriving
- Manage Participants
- Mute All
- Turn off “Allow participants to unmute themselves.”
- Turn on “Mute participants on Entry”
- Mute All again in case they unmuted themselves while you were adjusting other settings.
- Stop a participant’s video. They can’t restart their video until the host invites it.
- While doing those things, the host should be un-muted and talking. It will help reassure legitimate participants that the situation is being handled. Even if all the host talks about is the security measures that they are taking at that moment, the hosts voice can help disrupt the clarity of the disrupters.
Update January 2021 - In November, Zoom greatly simplified the process of suspending a meeting in order to regain control. See this article from AllThings.How.
Security Settings
The settings for small or private meetings don’t need to be as strong as for large or public meetings. Small private meetings are committee meetings, up to about 10 people, where everyone knows each other and, most importantly, the connection link is only shared with that closed group. Larger or public meetings expect more than about 10 people, the link is published publicly or people don’t all know each other. This distinction is an oversimplification but it makes it easier to consider settings that balance simplicity and accessibility with security.
Setting | Small / private | Large / public | Explanation |
Join before host | ON | OFF | It is nice when participants who arrive early for a small meeting can socialize with each other. |
Use Personal Meeting ID when scheduling a meeting | OFF | OFF | This could be used by others at unexpected times. |
Only authenticated users can join meetings | OFF | OFF | Probably puts up too much of a barrier for less technical participants |
Require password when scheduling meetings | ON | DOESN’T MATTER | Reduces the possibility that Zoombombers will guess the meeting link by trying random meeting links. Once the meeting is public so is the link and other precautions need to be in place. |
Embed password in meeting link | ON | ON | Makes it easier to join. Having to enter the password separately will be hard for some non-tech participants |
Mute participants upon entry | OFF | ON | Starting with this off allows participants to socialize. However it also allows bombers to socialize. Start with it off unless the risk of bombing is low. |
Chat - Allow participants to send a message visible to all participants | ON | OFF | Can be enabled by the host if appropriate for the meeting. Having this off prevents bombers but also prevents genuine communication between participants. |
Allow co-hosts | On | ON | Host can have technical help. |
Screen Sharing | Host Only | Host Only | This can be changed by the host during the meeting to allow participants if necessary |
Whiteboard | OFF | OFF | This is another method for bombers to display images and not helpful for most meetings. |
Remote control | OFF | OFF | This should be used very carefully. Giving someone remote access to a computer should only be done in a high trust situation. |
Nonverbal feedback |
|
| As needed. Not much risk since Zoom controls available options. |
Allow removed participants to rejoin | OFF | OFF | A real-time defense against bombers is to remove them. This forces them to use another account to come back in. |
Allow participants to rename themselves | ON | Consider | Generally, leaving this on means people can set their screen name to their liking. This matters when participants are using an account that has a name other than theirs. It is a potential avenue for bombers to get some text in front of all participants. |
Far end camera control | OFF | OFF | This isn’t needed much and turning it on carries privacy risks |
Waiting Room | Consider | Consider | This makes it impossible to “Join Before Host.” It allows a host to screen participants before letting them in. This is time and attention consuming for the host but offers a high level of protection. |