Like many professors across the country who've been displaced from college campuses because of the coronavirus pandemic, Lance Gharavi suddenly found himself teaching his spring semester courses at Arizona State University online using the Zoom meeting platform. His first Zoom session for an approximately 150-student Introduction to Storytelling course went terribly wrong.
Right off the bat, he said, one of the participants used a Zoom feature that lets a user display an image or a video in the background in order to show a pornographic video.
“I didn’t notice it until a student on chat said something about it,” said Gharavi, an associate professor in ASU's School of Film, Dance and Theater. Participants were using fake screen names, some of which he said were very offensive. "The chat window became incredibly active. Most of the comments were not on topic. They were vulgar, racist, misogynistic toilet humor. I would barely even call it humor."
Gharavi was not alone. The University of Southern California reported similar incidents occurring while professors taught classes on the same platform, indicating that the massive migration of college classes online due to the public health crisis came with a new threat -- one that's technical rather than biological. The professors were the victims of "Zoombombing" -- the "Zoom" in this case being the online meeting and course-hosting platform, and the "bombs" typically taking the form of racist vitriol or pornographic content shared with the group by an unwelcome user.
Gharavi doesn't know if the disruptive participants were students behaving badly or hackers who infiltrated his virtual classroom. He hopes it was the latter, because he didn't want to believe his students would do such a thing.
"I tried to keep going with class, but I just had to end it early because I had no way of controlling what was happening. I wasn’t an expert enough at managing a Zoom meeting yet to control it, so I finally ended it because the atmosphere was hostile to my students," Gharavi said. "I spent the next day and a half researching methods of controlling a meeting on Zoom, trying to develop a set of tech fixes that would allow me to maintain tight control over what happens in a Zoom classroom."
He also sent out announcements to students over Canvas, a learning management system, apologizing for the "awful" intrusion.
"I got a lot of emails from students saying how upset they were, but they were all very supportive. They were like, 'this isn’t your fault,'" he said.
Gharavi said the entire incident left him shaken.
"I have never had a day as nightmarish as that in the classroom where I was completely unable to control what happened," he said. "And what happened was horrifying and potentially triggering to some of my students."
There are technological steps professors can take to prevent such attacks, but many, like Gharavi, are learning on the job about the privacy settings of the webcast platforms they're now using.
USC -- where President Carol L. Folt reported Tuesday that some online Zoom classes were "disrupted by people who used racist and vile language that interrupted lectures and learning" -- has created a website with tips for how to prevent Zoombombing.
Zoom has also published a blog post on steps to take to keep would-be crashers out of Zoom meetings. The blog post gives tips on controlling access to meetings and setting up password protections and managing participants' ability to share their screens, as well as information on other options for controlling participants' activities including disabling participants' video, muting participants, turning off file transfer and annotation options, or disabling private chat functions. The company also suggests trying its waiting room feature, which it describes as "a virtual staging area that stops your guests from joining until you’re ready for them."
A Zoom spokesperson said the company was "deeply upset" about the attacks.
"For those hosting large, public group meetings, we strongly encourage hosts to change their settings so that only they can share their screen," the spokesperson said. "For those hosting private meetings, password protections are on by default, and we recommend that users keep those protections on to prevent uninvited users from joining." The company encourages individuals to report incidents of this kind on its website.
Ruha Benjamin, an associate professor of African American studies at Princeton University and author of the book Race After Technology (Polity, 2019), has publicly called on Zoom to change its default setting to “off” for screen sharing to limit the potential for Zoombombing.
Benjamin made the call after a virtual storytelling event she did for children in collaboration with an independent bookstore in Princeton was targeted for a presumed Zoombombing attack. Benjamin said she was reading a children’s book called Walter the Farting Dog to a group of about 42 when someone in the Zoom meeting shared an image of “a chubby white guy in a thong with his genitals bulging.” Benjamin said the same user subsequently used the N-word several times, “so we knew it was a targeted, malicious thing.”
Benjamin said Zoom has a responsibility to change the default setting to disallow screen sharing by meeting participants unless the host of a meeting chooses to allow it.
“In the pre-virus era, I believe Zoom was mostly used in smaller groups within institutions,” she said. “Now that people are using it to sort of engender this broader sociality and connection beyond their immediate networks and beyond their immediate colleagues, I think Zoom has to adapt.”
Amelia Vance, the director of youth and education privacy and senior counsel at the Future of Privacy Forum, said webcast companies in general should consider ways in which individuals could abuse their product and “make sure you have set the defaults to minimize the possibility of abuse.”
“That’s not the way that online companies have really been set up,” Vance added. “As we’ve seen in reporting over the last couple years, many companies are set up to allow ease of access and broad information collection as default settings instead of thinking more completely about preventing harms or protecting privacy.”
Vance said professors who plan courses or other educational meetings in Zoom need to be “careful about how they’re planning out these meetings, double-checking that the people who are attending the class or the meeting are only the people who are supposed to be there, making sure that the default settings prior to the meeting starting are all privacy protective. And that’s just not something we’ve trained educators to do. This is all new.”
Allison Henry, chief information security officer at the University of California, Berkeley, said the most important piece of advice “is to familiarize yourself with what the settings are and what the options are. What you might need for a section of five students who may be known to you might be different than if you have a forum of 500 people.”
She said control over who comes into the meeting and retaining the ability to expel people from the meeting and allowing them back in are both important. She added that professors might consider designating a cohost, such as a student instructor, who could, for example, monitor the discussion in a chat box while the professor is preoccupied with presenting material.
“My biggest concern is we’ve had to rush these tools out the door so quickly because of the circumstances that it doesn’t really give people time to make themselves familiar,” Henry said. “We all need to take the time to go through it, to make sure we understand it and set up our meetings and our settings with intention.”
Brian Kelly, director of the cybersecurity program at Educause, an association focused on educational technology, agreed.
"We’re all trying to get the content of courses online, and some of the things might be simple awareness issues like making the Zoom invitation private versus public," he said.
"It's just now being used at a scale and in new ways," Kelly said of Zoom and other online meeting platforms. "A professor may not have used it to teach class; they may have used it with colleagues. It's new ways of using it that require taking a little bit more time and being a bit more thoughtful about how we’re configuring Zoom" and other similar programs.