Zoom is making drastic changes to avoid widespread abuse as trolls attack publicly shared video calls. From April 5, passwords will be required to enter calls via Meeting ID, because Meeting IDs can be guessed or reused. Meanwhile, virtual waiting rooms will be turned on by default, so hosts must manually admit attendees.
The changes could prevent “Zoombombing”, a term I coined two weeks ago to describe malicious actors entering Zoom calls and disrupting them by sharing offensive images. New Zoombombing tactics have emerged, such as spamming the thread with awful GIFs, using virtual backgrounds to spread hateful messages, or just shouting curses and insults. Anonymous forums have now become fertile ground for organized trolling efforts.
The FBI issued a warning about the Zoombombing problem after online courses for children, Alcoholics Anonymous meetings and private calls were invaded by trolls. Security researchers have revealed many ways attackers can infiltrate a call.
The problems stem from the fact that Zoom was designed for trusted business use cases rather than cocktails, yoga classes, panel discussions, and classes. But as Zoom struggles to scale its infrastructure, with the number of daily users increasing from 10 million to 200 million in the past month due to coronavirus shelter-in-place orders, it has found itself caught off guard.
Zoom CEO Eric Yuan apologized for the security failures this week and promised changes. But at the time, the company had simply stated that it would make screen sharing host-only and keep waiting rooms on for its K-12 education users. Obviously, he determined that this was not enough, so now waiting rooms are on by default for everyone.
Zoom communicated the changes to users via an email sent this afternoon explaining “We have chosen to enable passwords during your meetings and enable default waiting rooms as additional security enhancements to protect your privacy.”
The company also explained that “for scheduled meetings, the meeting password is in the invitation. For instant meetings, the password will be displayed in the Zoom client. The password can also be found in the meeting participation URL.” Some other precautions that users can take include disabling file transfer, screen sharing, or rejoining by removed attendees.
The change could cause annoyance to users. Hosts will be distracted by having to admit participants from the waiting room while they try to lead calls. Zoom recommends that users resend invitations with passwords attached for Meeting ID-based calls scheduled after April 5. Scrambling to find passwords could make people late for calls.
But it’s a reasonable price to pay to keep people from being scarred by Zoombombing attacks. The trolling eruption threatened to spoil many people’s early experiences with the video chat platform, just as it had its breakthrough moment. A single call spoiled by disturbing pornography can leave a stronger impression than 100 peaceful calls with friends and colleagues. The old settings made sense when it was just a business product, but Zoom had to embrace its own change of identity, because it was becoming a fundamental utility for everyone.
Technologists will need to get better at anticipating worst-case scenarios as their products become more widespread and are adapted to new use cases. To assume that everyone will have the best of intentions ignores the reality of human nature. There is always someone who seeks profit, power or chaos, even at the slightest opportunity. Building development teams that include skeptics and realists, rather than mere visionary idealists, could ensure that products are protected from abuse before rather than after the scandal.