Keep the Trolls Out: Zoom Bombing Update 2024


Back in April of 2020, when Zoom and online worship services were new, we experienced a series of "zoom bombing" episodes with our congregations. The page Keep the Trolls Out! Avoid Zoom Bombing was created at that time to provide guidance for our congregations. While the basic tips and recommendations on that page are still sound, it's now 2024, the software has evolved and the zoom bombers have returned. This time, it appears that instead of people just looking to cause disruption in general, this is a more targeted effort by activists with views different from ours.

We have had reports of Zoom Bombing from several congregations this spring, and here are some Do's and Don'ts to consider. As always, we acknowledge it's a balancing act between security and protecting our members on the one hand and being open and available to anyone who wishes to attend on the other.

What To Do

  • Do have your tech team create a plan and practice that plan. This is like a fire drill: the more we practice, the better we are in the moment.
  • Do have your tech hosts learn how to delete chat messages, mute individuals, turn off individual cameras, and remove individuals from the meeting and report them to Zoom.
  • Do double-check all your settings: Are annotations turned off? Is screen sharing limited to just the host? Are you using a waiting room and/or a registration system? Have you restricted the chat to just text so images and files can't be shared?
  • Make sure all your meetings have a password on them.
  • Do check out Zoom's help document, Preventing Disruptions in Zoom Events, for step-by-step instructions and other recommendations.
  • Do check out Zoom's Security Basics Video on YouTube.
  • Consider some stricter controls, at least for the time being. For everyone other than the host and co-hosts, you may want to mute everyone and not permit them to unmute, to avoid audio disruptions, or not allow cameras to be turned on. You can toggle these settings mid-meeting if necessary from the Participants panel.
  • Consider disabling all interactive elements such as screen sharing and the whiteboard for anyone other than the hosts and co-hosts.
  • If you livestream your event to a streaming service (such as YouTube), you want to avoid ultra low latency to give yourself time to take the streams down. If you are using OBS, consider introducing a delay. When a disruption happens, you want to immediately turn off and take down any active livestreams. Failure to take down the stream may result in the streaming service suspending or terminating your account, especially if the zoom bombing broadcast pornographic material or other offensive content that breaks the community guidelines.

What to Avoid

  • Try to avoid having public events with only one tech person or host. It's hard to manage this alone.
  • For non-public events, such as small group sessions, RE classes and committee or board meetings, try to keep the meeting links out of public places like your website where anyone can find them.
  • Don't admit people from the waiting room whose names you don't recognize or, for a public event, whose names don't appear to be real names. If you are unsure, message them in the waiting room, giving them a way to respond back such as an email address or number to text. Note: Those in the waiting room cannot chat back to the host.

Questions

We've gotten a few questions on the UUA's Zoom help desk, which supports those who have their Zoom licenses through the UUA's Zoom Licenses for Congregations program.

  • Has my account been hacked and should I change the password?
    While we can't say for certain since we weren't there, in general, no, these episodes do not mean your account was hacked. If so, you would have lost your host privileges. But if you are at all in doubt, yes, change your password. Changing passwords on a regular basis is a good security procedure.
  • We were zoom bombed. Were our participants' accounts compromised in any way?
    No. Zoom bombers don't have access to their accounts. They could take screenshots of people on the screen and the participant list. They would not have access to email addresses or their account login information.

Additional Resources