Heightened security measures to prevent Zoom bombing

The use of Zoom has proven indispensable to the University of Georgia. Zoom has allowed us to continue conversations, collaborations, and instruction virtually, helping support UGA’s operations during the pandemic. Recently, however, a handful of Zoom bombing attacks have disrupted and disturbed our campus community. One of the most important values of a university is its commitment to open and honest conversations. Face to face, these conversations happen in a setting and place that is much more conducive to frank discussions while upholding our commitment to openness and mutual respect. In a virtual environment like Zoom, however, a shroud of anonymity has allowed some (mostly those outside UGA) to target university community members with their bigotry and hate.

The University of Georgia provides support for more than 1 million minutes of Zoom meetings daily, and the vast majority of these sessions run smoothly. These latest Zoom bombing attacks have not occurred during instruction, but primarily during special events attended by individuals outside the regular university community. Extensive logs of participants and activities are maintained by the Zoom system and are provided to University Police and the Equal Opportunity Office when investigations are launched. Our staff in Enterprise Information Technology Services (EITS) analyze these logs, and we lead a cross-disciplinary team of professionals from UGA’s colleges, schools, and administration who meet regularly to review the use of Zoom and to prescribe best practices that can reduce the chance of disruption.

I am writing to set some expectations for the administrative management of high-profile, virtual university events to reduce the risk of these incidents in the future. Vice presidents, deans, administrative directors, and department heads are asked to work within their units to ensure these best practices are adopted.

While we can never fully eliminate the risk of a Zoom bombing incident, there are measures we can take to reduce their likelihood. Going forward, units using Zoom to host high-profile special events beyond ordinary instruction and administrative meetings (particularly those that include individuals outside the university) are expected to ensure the following list of best practices is followed. These measures are strongly encouraged for all other virtual events as well. Those of you who work with student groups are encouraged to help them understand and implement these safeguards for their meetings and activities.

  • Ensure the meeting ID section is marked “generate automatically” for each session being hosted to avoid reusing the same number. Do not use a personal meeting ID (PMI) for special events.
  • Set a password for your meeting to prevent unanticipated guests from joining. When scheduling a meeting, under Meeting Options, select “require meeting password,” then specify a six-digit code. Participants will be asked to enter this code to join your meeting. Never post both the meeting ID and password together (or a URL combining both) on a public-facing website. Require your guests to register for the meeting, and only share the password with those identifiable individuals who have registered to attend.
  • Use the waiting room to control when participants join your meeting. As the meeting host, you can admit attendees individually or hold all attendees in the virtual waiting room and admit all when you are ready to begin. Admitting participants from the waiting room requires an additional step, but it provides increased control to allow participants to join the meeting when you accept them. Special events should also have multiple hosts, including one whose sole role is to manage the waiting room and be prepared to quickly eject participants who disrupt the meeting. In cases where breakout rooms are used, each breakout room should have one host minding the breakout room.
  • Disable the “join before host” functionality. When this is disabled, participants will see a pop-up dialog that says, “Please wait for the host to start this meeting.” If you are the host, there is a login button to log in and start the host meeting.
  • Limit screen sharing to the host. This restriction can help prevent intrusive sharing and potential meeting disruptions.
  • Consider requiring MyID authentication for your meeting. By default, anyone with the join link or meeting ID (and password) can join a meeting hosted by users on your account, even if they are not signed in to Zoom. To prevent unknown participants from entering the session, you have the option to restrict meeting participants to users who are signed in to Zoom. We are exploring enabling a new Zoom feature, by default, that would automatically assign non-MyID users to the waiting room. This setting will allow meeting hosts to be a gatekeeper and potentially prevent unknown users from entering the meeting.

The EITS Helpdesk and the IT staff in the university’s colleges and schools stand ready to support and assist you with enacting these best practices. If you ever have any questions about how to ensure your event or meeting occurs without disruption, please reach out for support by emailing the EITS Helpdesk.

Timothy M. Chester
Vice president for information technology