Protect Your Videoconference from the ‘Zoombombing’ Epidemic

April 1, 2020 | Shari Claire Lewis | Privacy, Data & Cyber Law

The New York Times reported that New York Attorney General Letitia James sent a letter to Zoom Video Conferencing, Inc. asking it to address recent challenges to its data privacy and security practices. One security problem that the letter discussed was the infiltration of hackers into the Zoom videoconference platform in a practice referred to as “Zoombombing.”

Not surprisingly, Zoom has “zoomed” to popularity during the coronavirus crisis, with literally millions of users now, and more signing on every day. It ranks among the most frequently downloaded applications on both iOS and Android. Although originally intended exclusively as a business productivity tool, Zoom’s video conferencing now shows up everywhere. Wherever people would have congregated – the office conference room, the classroom, the neighborhood bar, a place of worship – Zoom offers a virtual meeting space.

Unfortunately, as Zoom’s popularity has grown, so has the activity of bad actors in response. Zoombombing is a practice by which bad actors hijack control of a Zoom meeting in order to interject disruptive content, such as graphic pornography, violence, white supremacist messages, etc. Zoombombing deprives the videoconference host of the ability to moderate the content of the conference or achieve the conference’s goal – be it, for business, charity, education or social purposes. Zoombombing may be carried out as a form of political or social espionage or as a malicious prank.

Because businesses, not-for-profits and professionals have been particularly targeted by Zoombombing, they should be careful to consider the variety of Zoom settings that can be deployed to prevent their meetings from being disrupted. Which settings a host may want to use can vary depending on the size of the gathering, whether it is a one-time or reoccurring event, and whether and to what extent it is necessary for meeting attendees to participate.

For example, when setting up large, public events, hosts may consider changing Zoom settings so that only the host can share their screen. Since some participants at large meetings may not be known personally, it is also recommended that that the host employ a unique, one-time code for entry to each meeting. Although reusing a recurring standard code for all of the host’s Zoom meetings may be convenient, once known, it can be exploited to enter future meetings by anyone, invited or not.

Notably, Zoom’s default is to require password protection for private meetings. Not only should password protections be left in place, but the host may want to consider whether to wait to share that password only after an invitation has been responded to by the individual it was intended to reach. Similarly, Zoom has settings that permit meetings to be by “invite-only.” This option requires the invited attendee to sign in using the email address that the invitation was sent to and prevents any uninvited guests from participating. Another option is to create a Zoom “Waiting Room” where meeting participants wait until the meeting is started by the host. To start the meeting, the host can admit only those in the Waiting Room whose names are recognized and exclude anyone with whom they are unfamiliar.

Even in a small or private meeting, the host should consider who and to what extent participants need to or should be able to share content. This includes not just the participants’ access to the presentation screen, but other communication tools that Zoom offers, such as whether participants can annotate content, engage in private chat or display certain types of media, such as animations, GIFs, etc. The value of an interactive, engaging experience must be balanced by the risk that inappropriate, harassing or even illegal content could be interposed during the meeting.

Before the meeting begins, hosts should familiarize themselves with the various controls that Zoom offers for use during the meeting if an unwelcome participant joins or a participant becomes disruptive. First, once a meeting has begun and the host confirms that all expected participants are there, the host can lock the meeting to prevent anyone else from joining. Disruptive, rude or inappropriate participants, including those that share offensive content, can be “muted” or their cameras blocked so that they no longer can contribute to the conference. Most importantly, the host retains the ability to put a disruptive participant “on hold” or to kick them out of the meeting entirely.

While Zoombombing may primarily be a party-crashing nuisance, there is also the danger that unauthorized access to business and professional meetings may expose confidential or proprietary information, prevent the accomplishment of the goal for which the meeting was convened and create a platform for offensive content and hate speech. If, despite your best efforts, Zoombombing has occurred, you may consider whether and to what extent you can take technological or legal action to ameliorate its impact and/or prevent it in the future.

Share this article:

Related Publications


Get legal updates and news delivered to your inbox