How to Really Prevent Zoombombing
Balance between security and practicality, privacy and freedom
Earlier this week I was zoombombed: about 15 minutes into my public zoom meeting, a coordinated group of trolls suddenly entered and screen-shared gross pornographic images, and wrote chats that were very hateful and racist. Some of them even re-named themselves before writing their hateful chats… impersonating the innocent participants!
I couldn’t remove the trolls fast enough — there were too many of them.
“Resistance is futile.” — the Borg
After trying to figure out who were the trolls (since they had renamed themselves), all I could do was to end the meeting for everyone. It was the most traumatic few minutes I’d had in a long time.
I hope no one else has to experience this shocking and humiliating event, especially if you’re a meeting facilitator or speaker.
After thinking a lot about how to prevent this in the future, here are my thoughts:
First of all, it’s important to understand that the zoombombers are looking for easy free targets. They’re not trying to guess random zoom meeting IDs, nor are they registering for paid events just to bomb and harass people.
Therefore, I’m going to change nothing about my paid course meetings and private group meetings. As long as you tell the private participants to keep the zoom link private and not to share it, nobody does.
Private or paid zoom meetings are still safe.
The trolls are simply looking online for phrases like “public zoom” and they go there and do their virtual terrorism. Unfortunately, public zoom meetings are too easy to find! See for yourself: Facebook events that have a zoom link. Within minutes, I can easily find several events that publicly list the Zoom meeting links. Ironically, even those that require a password also list their password.
So using a zoom password is out…
It’s an additional piece of information that attendees need (and that the host needs to remind attendees about) which creates unnecessary work for everyone. In other words, if you require a password, the attendees need to have it, which means any spammer can register and get the zoom link and password. So what’s the point?
Waiting Room is out…
…because you would have to occasionally stop yourself during the meeting to check the waiting room names against a list of registrants… unrealistic for solopreneurs like us who don’t have an assistant with us in the meeting. Plus, you are assuming that the names of registrants match the names of their zoom accounts, which I would estimate is not true about 10–20% of the time.
Locking a meeting is out…
…because then late attendees can’t join. And legitimate attendees who have to re-join the meeting due to internet issues would also be locked out.
(If there are only a few people who registered and you know exactly who they are, then using Waiting Room or Locking a Meeting are good options. However, realistically, people simply don’t share zoom links publicly if you tell them to keep it private. So using the Waiting Room or Lock Meeting features is really for your own psychological safety.)
What about restricting screen-sharing?
Restricting screen sharing to “host only” is unrealistic for hosts like me who often need attendees to share their screen so I can help them with technology. For those of you who rarely need attendees to share screen, go to your zoom settings and look for “Screen sharing” and make it Host Only.
While you’re in zoom settings, you might also turn off Annotation. It allows people to draw on the screen for everyone to see. I don’t know anyone who’s had to use that feature.
(In zoom settings, a gray pill next to a setting signals that it’s off. Blue pill is “on”.)
Restricting attendees from renaming themselves?
…so that spammers can’t impersonate legitimate attendees? Here’s the problem — I find that about 10% of the time, legit attendees do need to rename themselves because they are using their spouse’s zoom account or they didn’t realize their account name says “iPhone” or whatever.
What about ditching zoom and using a more “secure” platform?
This doesn’t solve the real problem: if anyone can register for your free event, what prevents trolls from registering and bombing your event?
Really, the key is to keep out the trolls…
…not to escape to another tool, or to restrict the attendees’ freedom to engage with you and with each other. As long as everyone in the room is supposed to be there, that’s the best solution, whatever platform you use.
How did the zoombombers find and join my meeting? It was easy:
- I had the zoom link listed on my FB Public Event Page.
- I had the zoom link listed in the description of my FB Public Live Video.
…so it was easy to find it via one of these methods.
Going forward, I’ll choose one of these 2 options if I need to host a free public zoom meeting:
Selectively Invite, then Stream Publicly…
This option is simple: only invite a select group of people you already know would be good attendees. You’d like to offer them the opportunity to interact with you and with each other, on a publicly-streamed meeting.
This may simply be a few of your clients or fans. Just email them the Zoom link and mention that they should keep it private and never share the zoom link anywhere, to help maintain the privacy of attendees. If they all arrive on time, or once you know everyone is there, you can lock the meeting.
For a larger group of attendees, consider creating a free private Facebook Group where you allow in people that you’ve interacted with. Given that you trust the members of your FB group, you can then share the Zoom link in that group. Again, ask them to be careful never to share the Zoom link, and that people who want to join should connect with you personally first. This is a good option to build a community of fans that have the benefit of being able to join your occasional free Zoom meetings. (If you want to make the FB Group strictly a way to announce your Zoom meetings, set your group permission such that only you, the administrator, can post.)
Whether you use a small group or larger trusted group, you can reach more people with your content by streaming the zoom meeting via FB Live or Youtube Live.
Public Invitation, Vet Everyone…
This option is if you want lots of people to join… if you want to open up the Zoom meeting to everyone on your email list or social media audience, for example, but still be able to vet them based on their genuine interest.
If you just want lots of people experiencing your content, why not just do FB Live Videos or Youtube Live Videos? Why do you need to run a public Zoom meeting?
However, some of us do want to have that feeling of lots of people engaging together in real-time community…
If you need to interact with lots of vetted people in a Zoom meeting, here are my suggested steps:
- Require registration, probably easiest via Mailchimp (or other mailing list service that has landing pages).
- In the registration process, require that they answer an open-ended question stating why they’re interested in joining the event and ask them to answer thoughtfully, to help prevent spammers from accessing the event. You’ll be able to tell if someone is actually interested in the topic or is bluffing. The zoombombers aren’t going to go through the trouble to do all that, when there are many other easy targets. Also, make sure the registration process keeps private how many people will attend, because zoombombers obviously want larger events. Don’t ask too many questions in your registration form, because the registration process becomes too overwhelming and keeps people from experiencing your work. (You might include optional questions such as “Would you like to join my newsletter?” and “Is there a question you’d like to try to have answered on the call?”)
- The confirmation page and confirmation email should not include the Zoom link… it should instead say that the Zoom link will be emailed to the accepted attendees 2 hours before the event.
- You should make clear that the event registration ends 4 hours before the event. (This will train your audience to be more conscious about your invitations!)
- Then schedule for yourself 3 hours before the event to vet the registration responses… and delete anyone whose responses seem suspicious… then email the zoom link to the remaining registrants, at least 2 hours beforehand. As mentioned above, you might want to use something like Mailchimp to take registration, so it’s easy to email them.
- Make it clear in the email to attendees that the zoom link should be kept private and not shared, to prevent spammers and to respect the privacy of attendees.
- After the event, you can email the recording to everyone who registered.
Optionally, if you want to do the work of vetting people as they register, you could email the suspicious people in advance to ask them for more info about their interest in your meeting. Mailchimp can automatically email you with each new registration, which includes their response to your question.
Again, the above is only necessary for PUBLIC FREE EVENTS.
For private group zooms, and paid zoom meetings, I’ve never in 10 years had any problems with random people or trolls. I’m not going to restrict my attendees’ freedom to interact with me and with each other. Let’s not subdue community engagement with unnecessary fearful actions.
Let me know if this helps, and if you have any questions!