Protect Yourself From the COVID-19 Trolls

As we collectively try to survive a global pandemic, many businesses, nonprofits, and schools are moving work online. As the most remarkable and terrible event of our lifetimes unfolds, the focus of our collective attention has shifted almost exclusively to COVID-19. Unfortunately, so has the focus of much online harassment, phishing, and scams. The trolls are out in force, and they want your attention, money, dignity, and data. We must all act now to protect ourselves.

Zoombombing

Many organizations have adopted the video conferencing system Zoom for video meetings, lessons, and social gatherings. Zoom video conferences are held in meeting spaces called “Zoom rooms.” Each meeting space has a unique URL that lets a web browser or the Zoom app seamlessly join a particular conference room. As a huge new audience adopts Zoom using default settings, without a clear understanding of the privacy implications of each setting, Zoom room URLs get inadvertently published online for trolls to find. Trolls then join these meetings intending to infiltrate, observe, and disrupt them. Today, disrupting a meeting by screen-sharing and exposing the audience to pornography happens so frequently that we now have a name for it: Zoombombing.

  • Lock down who can join and how. Zoom security is a series of tradeoffs, and which tradeoffs to use depends on who is running your Zoom meetings, how information is shared with participants, and how big your meetings are. If you can securely communicate a password to attendees before the meeting, you can password protect meetings. If your host has the capacity to manage guests, you can enable the “waiting rooms” feature, which lets the host admit attendees one by one. You can also require that only authenticated users can join meetings, and require the use of the Zoom app to join a meeting, preventing cell phones from calling into Zoom rooms. Doing any of these helps. In particular, cell phone calls should be considered fundamentally insecure and easy to eavesdrop on: if you let attendees call into Zoom meetings via cell phones, you should assume your meeting is functionally public.
  • Don’t ever make your Zoom meeting ID or room URL public. Your Zoom meeting ID is your private meeting space: treat it like your home address. Don’t put it on a publicly accessible website, don’t put it on a publicly shared calendar, don’t tweet it. Periodically try searching for your Zoom room URL to make sure it’s not easy for others to find without your knowledge and consent. If your meeting ID has been accidentally made public, or if you notice attendees you don’t know showing up to your meetings, update your meeting ID.
  • Consider privacy and surveillance. As the admin of a Zoom organization or the host of a meeting, you control the rules of engagement for your meeting audience. Get consent before recording anything, and carefully consider whether you should ever have features like Attendee Attention-Tracking or Remote Control enabled. Pay particular attention to the settings used in school meetings. Default to respecting attendee privacy.

COVID-19 Scams

While we all want to be able to do something about the pandemic, most of us can’t. Trolls exploit our focus on and anxiety around COVID-19 to trick us into giving away our credentials, data, and money.

Keeping Your Family Safe

As many Americans shift to working from home, many parents are attempting to homeschool kids or support kids in using online learning resources. Information security training company SANS has released a free toolkit for securely working from home and securing kids online:

Privacy In the Remote Work Era

As information workers, educators, and students are forced online, we are using hastily adopted systems and tools, and hastily entering into agreements that threaten our basic digital privacy. We need to know what data is collected based on our use of tools, and who owns this data.