Since we launched Zoom as a campus platform on March 13, 2020, there have been 36,439 meetings conducted by our community. And 3 reports of ZoomBombing (so far). There may have been others, but we have only 3 reported cases at this time[1].

We have spent much time and effort adjusting the configuration of our campus Zoom account to address security and privacy concerns. Default settings for meetings have been modified, making it more difficult (if not impossible) for intruders to barge into a meeting/class and ZoomBomb it. But, since making those changes, we’ve still had reports of ZoomBombing in classes - which should be impossible if we were looking at a simple “external people finding unsecured meetings for laughs” situation.

It looks like each of those 3 reported cases has involved students intentionally sharing the Join link for the meeting outside the class, and for password-protected meetings, also sharing the password. There’s no way to secure any software if people are deliberately circumventing privacy by sharing login information.

For Zoom, there are 2 basic threat models that affect online classes:

  1. External people finding unsecured meetings
  2. Authorized participants intentionally disrupting the meetings

The focus has largely been trying to prevent #1, but we’ve been seeing repeated cases of #2. Instructors setting up password-protected meetings, sharing the Join link only within the D2L site for the course so only students have access - but someone then shares the Join link and password externally to invite others outside the class.

Either the login information was shared with external parties, or, perhaps more concerning, students are potentially using VPNs to mask their IP address and location to do the ZoomBombing themselves.

In these cases, the ZoomBombing we’ve seen is analogous to someone running into a classroom while wearing a mask and repeatedly blasting an airhorn for laughs. Except, they’re doing it in the middle of a goddamned pandemic, to a group of people trying to salvage what’s left of a semester, and doing it in a new environment and under substantial stress.

I have spent almost 100% of the last 2 weeks analyzing reports of ZoomBombing, researching ways to mitigate it, and meeting with our Zoom team (both Taylor Institute and Information Technologies) to come up with plans to modify our configuration settings in a way that would prevent ZoomBombing while not being overly disruptive to effective use of the software. We’ve had to make several compromises - microphone and camera off by default, no screen sharing by participants - that should reduce the risk of trolling. But these have already had a negative impact on people who are trying to use Zoom.

But these settings all focus on trying to stop unknown external people from discovering unsecured meetings. That may have prevented many incidents - but has no effect on authorized people deliberately sharing the login info to entertain themselves.

  1. that I am aware of, anyway…

