How to block ‘Zoom bombing’ and protect student privacy online

Use passwords and other strategies to defend against online class hackers
By: | April 7, 2020
To stop Zoom bombing from invading online classes, teachers and schools can require passwords for each session, guard meeting URLs and restrict screen sharing. (Gabriel Benois/Unsplash)To stop Zoom bombing from invading online classes, teachers and schools can require passwords for each session, guard meeting URLs and restrict screen sharing. (Gabriel Benois/Unsplash)

Online classes at several schools have been invaded by “Zoom bombing,” an ugly new activity in which hackers disrupt virtual sessions to display pornography, racism and other disturbing images.

These cyberattacks late last week drove one middle school in Palm Beach County, Florida, to temporarily halt all live classes, The Palm Beach Post reported.

In Utah, hackers took over an elementary school session of about 40 students, and “flashed” pornographic photos, The Salt Lake Tribune reported.

In Massachusetts, a hacker interrupted a school Zoom meeting to display swastika tattoos and, in another incident, trolls yelled profanity and shouted the teacher’s home address when they infiltrated a high school Zoom session, the FBI reported.

More from DA: Don’t worry about too much screen time, one expert says

The threatening actions taken by Zoom-bombers “appear to be an organized effort among right-wing hate groups and similar dangerous actors,” says Leah Plunkett, an associate dean and associate professor at the University of New Hampshire’s Franklin Pierce School of Law.

Leah Plunkett

Leah Plunkett

“It is possible that a school could face legal consequences for conducting a virtual classroom in which attackers display pornographic, racist, or other hateful content and words to students,” says Plunkett, who is also a faculty associate at the Berkman Klein Center for Internet & Society at Harvard University.

At least two state attorneys general are now investigating Zoom’s privacy practices to understand fully how the break-ins are occurring while some K-12 schools and other institutions are banning Zoom to safeguard students, Plunkett says.

To block the attacks, instructors should:

  • Set a password for every Zoom session.
  • Use meeting settings to prohibit screen-sharing by anyone other than the instructor hosting the meeting.
  • Turn off video for participants upon entry.
  • Lock the meeting right after it starts to ensure that only authorized participants are in and remain in.

More from DAHow schools are rethinking online grading

After the Zoom bombings in Massachusetts, the FBI Boston office also released some tips for shutting out hackers. It recommended:

  • Do not make meetings public by requiring a password or using the waiting room feature to control the admittance of guests
  • Do not share a link to a teleconference or classroom on publicly available social media post. Provide the link directly to invited participants.
  • Ensure users are using the updated version of remote access/meeting applications.

Protecting student privacy online

Along with Zoom bombing, protecting student privacy is another major cybersecurity concern that educators face in the switch to online learning.

Guidance on student privacy

Best practices for ensuring online safety are available from several organizations, including:

“Privacy with educational technology has been a longstanding challenge, and we’re at a point that it is now becoming an existential need for schools to be able to function,” Plunkett says.

During the quick shift to online classes, educators should be wary of adopting new learning software that hasn’t yet been vetted by district technologists or legal counsel.

That’s because the user agreement a teacher may be tempted to click to accept probably doesn’t offer adequate protection of students’ personal information, and it might not comply with FERPA and other privacy laws, Plunkett says.

At the same time, many administrators want teachers to be innovative by finding new ed tech tools for online learning.

To support teachers, district leaders should tap their IT teams or legal advisors to centralize the process of selecting and vetting the privacy components of new software.

More from DA: How to get students online without MiFi hotspots

“Don’t just let the floodgates open,” Plunkett says. “You can say to teachers, ‘Do whatever’s best for your class, but you have to do it through an approved platform.'”

Districts should also provide students and parents with a set of student privacy best practices, such as turning and not recording video during online class sessions.

“Student privacy laws are challenging even for legal experts,” Plunkett says. “And in a time of crisis, it’s not realistic to expect teachers to become the experts. Put some guardrails in place—frontline classroom teachers are going to be looking for resources and you don’t want to have them inadvertently use a resource that is not privacy protected.”

DA’s coronavirus page offers complete coverage of the impacts on K-12.

Interested in edtech? Keep up with DA's Future of Education Technology Conference®.