As we collectively try to survive a global pandemic, many businesses, nonprofits, and schools are moving work online. As the most remarkable and terrible event of our lifetimes unfolds, the focus of our collective attention has shifted almost exclusively to COVID-19. And unfortunately so has the focus of much of online harassment, phishing, and scams. The trolls are out in force, and they want your attention, money, dignity, and data. We must all act now to protect ourselves.
Many organizations have adopted the video conferencing system Zoom for video meetings, lessons, and social gatherings. Zoom video conferences are held in meeting spaces called “Zoom rooms.” Each meeting space has a numeric meeting ID and a unique join URL that lets a web browser or the Zoom app seamlessly join a particular conference room. As a huge new audience adopts Zoom with default settings and without a clear understanding of the privacy implications of each setting, join URLs get inadvertently published online for trolls to find. Trolls then join these meetings with the intent to infiltrate, observe, and disrupt them. Today, disrupting a meeting by screen-sharing and exposing the audience to pornography happens so frequently we now have a name for it: Zoombombing.
There are many ways to protect yourself from Zoombombing:
- Limit what attendees can do. The most important step to take against Zoombombing is to disable screen-sharing for everyone but the host. I also recommend disabling the ability for attendees to save Zoom chat or record the meeting, and carefully considering whether your meeting needs private chat at all. A good rule of thumb is to assume every enabled feature will be exploited somehow by a troll.
- Lock down who can join and how. Zoom security is a series of tradeoffs, and which ones to make depends on who is running your meetings, how information is shared with participants, and how big the meetings are. If you can securely communicate a password to attendees before the meeting, password-protect it; note that by default Zoom embeds the password in the join link (the pwd= parameter), so the link itself then has to be treated as the secret. If your host has the capacity to manage guests, enable the “waiting room” feature, which lets the host admit attendees one by one. You can also require that only authenticated users can join, and require the Zoom app to join, which prevents telephone dial-in. Doing any of these helps. In particular, telephone dial-in should be considered fundamentally insecure and easy to eavesdrop on: the audio travels over the phone network, and a caller is identified by nothing more than the meeting ID and password they typed. If you let attendees dial in, assume your meeting is functionally public.
- Don’t ever make your Zoom meeting ID or join URL public. Your meeting ID is your private meeting space: treat it like your home address. Don’t put it on a publicly accessible website, don’t put it on a publicly shared calendar, don’t tweet it. Periodically search the web for your join URL to make sure it isn’t findable without your knowledge and consent. If your meeting ID has been accidentally made public, or if you notice attendees you don’t know showing up to your meetings, generate a new meeting ID (or reset your Personal Meeting ID).
- Consider privacy and surveillance. As the admin of a Zoom organization or the host of a meeting, you control the rules of engagement for your meeting audience. Get consent before recording anything, and carefully consider whether you should ever have features like Attendee Attention-Tracking or Remote Control enabled. Pay particular attention to the settings used in school meetings. Default to respecting attendee privacy.
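A small audit script, added here as an example (it is not Zoom’s code and not from the original post), turns the checklist above into two checks you can run before a meeting goes out. The first scans any text you are about to publish (a web page, a calendar export, a chat dump) for Zoom join links and flags those that carry the password in the pwd= parameter. The second checks a meeting object in the shape of Zoom’s REST API v2 GET /meetings/{id} response for the settings discussed above. The meeting-level field names used (password, join_url, settings.waiting_room, settings.meeting_authentication, settings.join_before_host, settings.audio, settings.auto_recording) are taken from that API and should be verified against current Zoom documentation; screen-share and chat controls live in per-user settings and are not covered here. The sample page and meeting objects are constructed for the example.

```python
"""Audit Zoom meetings for Zoombombing exposure (added example, not Zoom's code)."""
import re
from typing import Dict, List

# Zoom join links look like https://<subdomain>.zoom.us/j/<9-11 digit meeting ID>[?pwd=<token>]
# Constructed regex: vanity /my/ links and IDs written as "123 456 7890" are not covered.
JOIN_LINK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?zoom\.us/j/(\d{9,11})(?:\?([^\s\"'<>]*))?",
    re.IGNORECASE,
)


def find_leaked_join_links(text: str) -> List[Dict[str, object]]:
    """Return every Zoom join link found in text (a web page, calendar export, chat dump)."""
    hits = []
    for m in JOIN_LINK_RE.finditer(text):
        query = m.group(2) or ""
        hits.append({
            "url": m.group(0),
            "meeting_id": m.group(1),
            # "pwd=" in the query string means the meeting password travels with the link,
            # so password protection buys nothing once this link is public.
            "password_embedded": "pwd=" in query.lower(),
        })
    return hits


def audit_meeting(meeting: Dict[str, object]) -> List[str]:
    """Check a Zoom API v2 meeting object against the hardening advice in the post.

    Field names are the meeting-level settings of Zoom's REST API v2 (verify against
    current docs). Who may screen-share is a per-user setting and is not checked here.
    """
    findings = []
    settings = meeting.get("settings", {}) or {}
    if not meeting.get("password"):
        findings.append("no meeting password: anyone with the ID can join")
    elif "pwd=" in str(meeting.get("join_url", "")).lower():
        findings.append("join_url embeds the password: leaking the link leaks the password")
    if not settings.get("waiting_room", False):
        findings.append("waiting room disabled: host cannot vet attendees one by one")
    if not settings.get("meeting_authentication", False):
        findings.append("unauthenticated users may join")
    if settings.get("join_before_host", False):
        findings.append("join_before_host enabled: attendees can meet unsupervised")
    if settings.get("audio", "both") in ("both", "telephony"):
        findings.append("telephone dial-in allowed: treat the meeting as functionally public")
    if settings.get("auto_recording", "none") != "none":
        findings.append("automatic recording on: obtain attendee consent first")
    return findings


# Constructed sample: a fragment of a school web page that leaked two join links.
SAMPLE_PAGE = """
<p>Join Ms. Lee's class: https://us04web.zoom.us/j/1234567890?pwd=QWJjZGVm</p>
<p>Staff meeting every Friday: https://zoom.us/j/98765432109</p>
"""

# Constructed sample meeting objects in the shape of Zoom's GET /meetings/{id} response.
DEFAULT_MEETING = {
    "id": 1234567890,
    "password": "abc123",
    "join_url": "https://us04web.zoom.us/j/1234567890?pwd=QWJjZGVm",
    "settings": {"waiting_room": False, "meeting_authentication": False,
                 "join_before_host": True, "audio": "both", "auto_recording": "cloud"},
}
HARDENED_MEETING = {
    "id": 1234567890,
    "password": "7Kx9qL",
    "join_url": "https://us04web.zoom.us/j/1234567890",
    "settings": {"waiting_room": True, "meeting_authentication": True,
                 "join_before_host": False, "audio": "voip", "auto_recording": "none"},
}

if __name__ == "__main__":
    for hit in find_leaked_join_links(SAMPLE_PAGE):
        print("leaked link:", hit)
    for name, mtg in (("default", DEFAULT_MEETING), ("hardened", HARDENED_MEETING)):
        print(name, audit_meeting(mtg) or ["OK"])
```

Run the first check over your public site’s HTML and any calendar or document exports before they go out; anything it returns has already leaked, and a password_embedded hit means the password leaked with it. The second check is meant to run over the meeting list an org admin can pull from the API, so hardening is verified rather than assumed.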
While we all want to be able to do something about the pandemic, most of us can’t. Trolls exploit our focus on and anxiety around COVID-19 to trick us into giving away our credentials, data, and money.
Here’s a round-up of scams to watch out for:
- Fake COVID-19 maps that deliver malware that lets attackers access your computer
- Fake COVID-19 map WordPress plugins that deliver malware that lets attackers take over your website
- Phishing emails impersonating the head of the WHO
- Fake vaccine offers
- Fake work-from-home job offers (the “job” is actually laundering money for the scammer)
- Fake offers of free Netflix
- Fake cures, and even fake COVID-19 tax rebates
Expect new scams every day. With thousands of malicious coronavirus-themed web sites being set up per day, domain registrar Namecheap has blocked registration of domains with ‘coronavirus’ and ‘vaccine’ in the name. When it comes to COVID-19, if it sounds too good to be true, it probably is.
Keeping Your Family Safe
As many Americans shift to working from home, many parents are attempting to homeschool kids or support kids in using online learning resources. Information security training company SANS has released a free toolkit for securely working from home and securing kids online:
- Securely working from home
- Securing kids online (3min summary video)
- Securing kids online (60min training video)
- How to talk to your kids about staying safe online
Ask your teachers and school administrators to share or describe the settings in use for the video conferencing tools and online learning portals your children will interact with. What data is captured? Who can enter collaboration spaces? When can audio and video be recorded? You have a right to know what a person with administrator access to a system your child is using can do with that access.
Privacy In the Remote Work Era
As information workers, educators, and students are forced online, we are using hastily adopted systems and tools, and hastily entering into agreements that threaten our basic digital privacy. We need to know what data is collected based on our use of tools, and who owns this data.
Beware “free.” The old saying holds: “When something online is free, you’re not the customer, you’re the product.” We’ve gotten very used to free tools like Facebook that provide us with social connection and also harvest, mine, aggregate, and sell access to our personal information and engagement data.
With most online communication and collaboration tools, it’s considered a “feature” to be able to control what data is stored and for how long, and that feature is usually only available in the paid version. For example, the free version of Slack keeps your message history indefinitely (only the most recent 10,000 messages stay visible), and retention controls are a paid feature.
Beware surveillance for the supposed greater good. “Natural and human disasters typically redraw the lines between civil liberties and security.” As the US struggles to control and contain COVID-19, we should not agree to location surveillance or face surveillance in any population-level disease control solution, and certainly never deem it acceptable in online learning systems for our children. Privacy intrusions of any kind must be necessary and proportionate. Many other countries are rolling out pervasive digital surveillance in response to COVID-19. Will the US follow suit? Perhaps there’s a small silver lining in the Trump administration’s ethnocentric desire to ignore the advice of our allies and go our own way.