FBI follows Oxford academic's guide to beat the Zoom-bombers
It’s not every day that the FBI takes a close interest in a senior Oxford academic’s blog. But, then again, a million television programmes suggest maybe it is. Whatever the case, Professor Bill Dutton’s recent blog about the conferencing platform, Zoom, preceded a lively international debate – and interest from the Feds in his native US.
Ahead of the curve, Professor Dutton, who was a founding director of Oxford’s Internet Institute and is currently a senior fellow, wrote a blog with colleague, Arnau Erola, highlighting the potential problems and issues around video-conferencing: Zoom-bombing the Future of Education.
Since the beginning of the Covid-19 crisis, the highly-accessible provider, Zoom had gone from geek-obscurity to household name and in a matter of days the number of its users increased from 10 to 200 million, as people around the world tried to overcome social distancing to connect with colleagues, friends and students.
But, as Professor Dutton, who is also a fellow of the Global Cyber Security Capacity Centre (GCSCC) of Oxford’s Department of Computer Science, says, problems were not far behind: ‘It took about a week.’
With the increased use of Zoom and other platforms, came issues. In his blog, he wrote: ‘One particular challenge that has risen in prominence is efforts of malicious users to sabotage classrooms and discussions, such as by what has been called Zoom-bombing (Zoombombing). Some have defined it as ‘gate-crashing tactics during public video conference calls’ that often entail the ‘flooding of Zoom calls with disturbing images’.’
And, since the 26 March publication, the topic has hit the headlines in the UK and around the world, as ‘bombers’ have interrupted and disturbed video-conferencing events from Jewish religious services to corporate meetings, often with malicious intent. News stories have appeared, voicing concerns about the security and protection of video-conferencing. Blame has been levelled against key providers. But, many of the issues are actually related to the users moderating the conference, rather than the software, says Professor Dutton.
He maintains, there are numerous ways in which meetings and events can be safeguarded from malicious intent. He says: ‘There has been exaggerated coverage of the problems. It’s not usually a problem with the software. Many of these issues can be addressed by the moderator.’
It’s the job of the moderator to set up the meeting...Zoom is incredible, it’s brilliant technology
Professor Dutton adds: ‘It’s the job of the moderator to set up the meeting...Zoom is incredible, it’s brilliant technology.’
A main issue is the overnight success with new users, who are unfamiliar with the technology and failing to use the safety and security measures that are available. Professor Dutton maintains: ‘Part of the problem is that Covid-19 moved so many people online so quickly. Teachers and people with no background are using [this technology] because it is so simple. But it made them vulnerable to malicious intent [because they did not take the security measures that were available].’
But, says Professor Dutton, there are ‘all sorts of settings’ that could be used by the moderator [or organiser of the meeting], from using passwords, only accepting participants with known email addresses or invitations and control of visuals and audio. These can prevent unauthorised persons gaining access to private meetings and provide the safe space that organisers and legitimate participants seek. As well as commending guidance and training for novice staff, Professor Dutton made six key recommendations in his blog, aimed at ensuring safety:
- Authentication – limit the connection to specific users;
- Authorisation – restrict the technical facilities of participants, so they can’t disrupt or show offensive material;
- Monitoring – although a laborious process, participants should be reviewed to prevent gate-crashers;
- Moderation – participants’ activities can also be reviewed – particularly useful in an educational context;
- Policies – each institution using such technology needs to have set-down policies of acceptable and unacceptable behaviour;
- Procedures – anyone breaching the rules could lose authorisation or be dealt with using laid-down procedures.
Not long after the blog was published, the FBI launched its own recommendations – which are very similar to those from Professor Dutton’s team.
Not long after the blog was published, the FBI launched its own recommendations – which are very similar to those from Professor Dutton’s team
‘They pretty much aligned with our recommendations,’ he says, clearly amused.
With so much official and corporate business being conducted online, it is evidently a high-priority for the Bureau, which only yesterday threatened ‘zoom-bombers’ with ’jail time’.
Professor Dutton’s blog, meanwhile, saw particular problems for educators, he wrote: ‘It is clear that zoom-bombing has become an issue for schools and universities, threatening to undermine the vitality of their teaching and relationships with faculty, students, and alumni of their institutions.’
Reflecting on the need for security, he says: ‘It undermines the whole culture of education, which should be open and accommodating.’
The Professor points out that, in usual times, lectures can be open to any student. But these are not usual times and when setting up a class remotely, it will be necessary for the moderator to take steps which they would not otherwise consider. He recognises that this will not come naturally to all. Professor Dutton says: ‘Universities need to provide the resources for IT staff to brief academics and do some hand-holding.’
The University’s preferred video conferencing tool is Microsoft Teams but we have issued guidance to staff members on the usage of Zoom at https://www.infosec.ox.ac.uk/article/guidelines-for-using-zoom
The blog was written by Professor Dutton and Arnau Erola and was based on their discussions with Louise Axon, Mary Bispham, Patricia Esteve-Gonzalez, and Marcel Stolz