– Boston DSA Direct Action, De-escalation & Security (DADS) Committee
Basic Security Practices for Zoom Events
Organizers have used the video calling app Zoom for a while now, but it has seen a flood of activity recently as people across the world shift to remote work and schooling due to the novel coronavirus. More activity means more bad actors looking for vulnerabilities and other ways to exploit the app, which for organizers looks like people disrupting our calls or using calls to gather data for doxxing.
In using Zoom for organizing, we must strike a balance that allows us to have our meetings as unimpeded as possible, without inadvertently making it easier for fascists, other reactionaries, law enforcement, and others to undermine our efforts. This can be tricky at times, but the following best practices (divided into sections for all participants, for meeting hosts, and for reducing the risks inherent in livestreaming a Zoom meeting) are a good place to start. Particularly if you have enough technical expertise to set up your own server, you may also wish to look into an alternative like Jitsi that functions similarly but with slightly more security.
For Everyone
- Don’t give meeting information — like meeting IDs, call-in information, or passwords — to people you don’t know and trust.
- Consider using only a first name or pseudonym as your display name, as a safeguard against doxxing. If you don’t know how to change your display name before you enter a Zoom room, you can learn how with this guide (though if you expect to be using different names in different rooms, you may want to do this process for every room rather than checking the “Remember my name for future meetings” box): https://support.palcs.org/hc/en-us/articles/226794367-Changing-Your-Display-Name-in-Zoom-Rooms
- If you have any concerns about bad actors being in the room, you can enter with your video camera disabled. This prevents anyone who might want to dox you from seeing or screenshotting your face, and you can always turn your video camera on if you decide that it’s okay to do so. Alternatively or in addition, you can also view the display name of everyone in the room by clicking the “Participants” button on the entry screen (the one that gives you the “Join Audio” option).
- If possible, use the app or the web portal instead of calling in. When you call in, the display name is your phone number and you will not be able to change it (though a host can), which is a serious doxxing risk if you don’t know everyone in the room (or if your Zoom meeting is being publicly livestreamed).
- Don’t post screenshots of your meetings, especially not with people’s images and names attached, on social media. This is a doxxing risk.
- Tweeting your meeting link is inherently insecure. If you need to do so anyway, use a URL shortener like bit.ly, so that trolls who search Twitter for the Zoom URL to find public meeting links don’t find it.
For Meeting Hosts
As a meeting host, the best way to stop attacks is to prevent them in the first place. When hosting a Zoom call, you need to set up your meeting, often in advance, using the right settings and features. If you hastily launch a Zoom meeting and share the link publicly, it’s much harder to stop trolls in the moment. Preventing a battle is better than having to fight one!
- Adding a password for your meeting is one of the easiest ways to prevent bad actors. Some Zoom trolls repeatedly try random meeting IDs, just to find anyone to harass. Putting a password on your meeting prevents this sort of untargeted attack — they’ll see that a password is required, and move on. Passwords also help with more targeted attacks: you can send the password to a trusted circle, or you can require RSVPs and only give the password to people who seem legitimate when they RSVP.
- Using a unique, automatically generated meeting ID for each of your meetings is an easy way to reduce targeted or repeat attacks. Your Zoom account has its own “Personal Meeting ID” (or PMI) that never changes. This feature is meant to make regularly scheduled meetings easier for your guests, as they can always use the same link, but it also makes repeat attacks easy, as attackers can re-use old meeting invites they find or return to the same link they used the last time they disrupted your event. So, when you schedule a meeting, choose “Generate Automatically” under “Meeting ID”. (If your meeting guests are used to using the same meeting ID every time, just let them know that they should get used to clicking the link in the meeting invitation they received instead.)
- Consider having a co-host (see https://support.zoom.us/hc/en-us/articles/206330935-Enabling-and-adding-a-co-host for how to add a co-host) who can be the designated “Zoom Wrangler.” The Zoom Wrangler can deal with finding and kicking out/muting/shutting down the video of any bad actors, allowing the rest of the meeting to proceed without people having to worry about dealing with it. (For best results, make sure the designated Zoom Wrangler is familiar with Zoom’s moderation controls before the meeting begins!)
- Consider locking the meeting, so that nobody else can join, once you’re reasonably sure that you have everyone you’re expecting. Go to Manage Participants > More > Lock Participants.
- Consider having a waiting room, which means that participants will see a Waiting Room screen when they try to join, and will not be let into the actual Zoom room until a host allows them. This gives you a chance to screen would-be participants.
- If there is unlikely to be a need for screen-sharing, go to the Zoom web portal before the meeting, open Settings, and set the meeting so that only hosts can share screens. If someone will be, for instance, giving a presentation with slides that requires a screen share, consider making them a co-host.
- If anyone in the room has their phone number as a display name because they have dialed in, the Zoom Wrangler should change it to their first name or a pseudonym. Dial-in participants cannot change this themselves. You can change it by going to Manage Participants, placing your cursor on the participant’s name, and clicking “Rename.”
Reducing the Risks of Livestreaming Your Zoom Room
- Consider whether you actually need to livestream footage of the Zoom room itself, and whether it would make sense to broadcast audio only, or show a static image, or some other alternative.
- Participants should know ahead of time that the Zoom room is going to be livestreamed (e.g. on Facebook), in case that influences their decisions about their participation, what display name they use, or whether they turn on their video camera. (You can also add a note to the name of your Zoom meeting, like “Our Meeting (Livestreamed)”, to remind participants that the meeting is being livestreamed.)
- Participants should be warned to use the Zoom app or the web portal rather than dialing into the meeting. If they dial in, their display name will be their phone number until a host is able to change it, which exposes them to risk of doxxing and harassment.
- Start the livestream only after people introduce themselves, and remind everyone that the meeting is being livestreamed if, for example, some attendees who missed the announcement show up late.