“Zoom bombing” plagues LGBT organizations, virtual safe spaces

by Renee Raketty

Zoom and virtual meeting platforms have become a necessity in a COVID-19 reality because life doesn’t stop – even in a global pandemic. I have several of these apps on my phone, including Zoom and GoToMeeting – even Facebook has gotten in on the video conferencing bandwagon with it’s “Messenger Rooms” feature.

However, the one thing all of these have in common is they can be hard to protect against intrusion from unwanted guests.

On June 27th, I discovered for myself how easily virtual “safe spaces” for the Lesbian, Gay, Bisexual and Transgender community can become anything but “safe” while participating in a Seattle Trans Pride workshop, titled: “Community Pillars: Tea Time with Trans Leaders.” The workshop was one of many offered as part of the virtual Seattle Trans Pride event.

“During our presentations there was a verbal, abusive, attack,” recounted Marsha Botzer, a panel participant. “I have been on other calls with other& community organizations when the attacks included visual abuse. I am sad and a little fearful when this happens, especially when my beloved colleagues and our visitors are there and we are all working together.”

The workshop moderators were forced to close the virtual room to new entrants and the panel could not be extended. It was later learned that the link to the workshop had been posted to Twitter from which anti-LGBT individuals came to attack. Botzer stated that this incident gave her “renewed energy” and “resolve” to continue doing her work.

“The attackers will not win, they will not break us,” she said. “Their acts also demean and distrust their own humanity and that is a way of being that can not succeed.”

The Seattle Gay News heard anecdotally from other LGBT organizations that this type of event, often referred to as “Zoom bombing” or “hacking” is all too common. However, many declined to be interviewed.

Lisha Sterling, Executive Director of Geeks Without Bounds, spoke with the SGN this week about the issue. Her Washington state based nonprofit supports humanitarian open source technology through education and direct technical support. They assisted with tech at Standing Rock; helped build public water infrastructure tools in Tanzania and Uganda; and worked on gender-based violence prevention in India. They also built software for Baltimore Public Health and the American Red Cross. Therefore, Sterling had no problem explaining “Zoom bombing.”

“If a link has been shared publicly with no password set or the password is published with the link, that is the most common way that people get into these meetings,” said Sterling. “The second [most] common way is that someone just ‘fuzzes’ the link. That’s when you change characters in the part of the link that identifies the individual meeting& So you change the digits one by one, until you show up in a room full of people.”

On Tuesday, a Zoom meeting created for Seattle Public Schools LGBTQIA+ students, families and educators – which featured School Board Director Zachary DeWolf and was hosted by the Seattle Parent Teacher Student Association – was the victim of an attack. The participants included elementary aged children who were subjected to words such as “N*gg*r” and “F*gg*t.” An individual also said that there were only two genders, male and female, as a Transgender student spoke. In addition, someone typed “Nobody likes f*gg*ts” in the group chat.

DeWolf ended the call early and told participants that he would reschedule the Zoom call for a later date. On his Facebook page, DeWolf apologized for what had occurred. “Tonight, our community call was cut short because bigots spewed vitriolic, transphobic, and racist language toward students and families helping inform our work at Seattle Public Schools,” he wrote. “The safety of students on the call was paramount. I condemn the use of that language in Seattle Public Schools.”

DeWolf added a message for the LGBT students that may have been affected: “To our young LGBTQIA+ folks, you are loved, worthy, valued, and you matter – no harmful language like that can diminish your light and your power. Be proud of who you are because I know I am.”

Sterling said that, more often than not, bias and harassment appears to be the goal. “I don’t have statistics on it but, anecdotally, it seems that hate is the number one reason behind this type of ‘hacking’,” she said. “And by ‘hate’ I am including the sort of immature pranks where the perpetrators would say: We don’t actually believe those things. We just thought it was funny!”

It’s a problem that affects organizations both big and small, according to Sterling. No one is immune. “People are having to learn how to navigate the security issues quickly and, if they’ve never experienced online abuse themselves in the past, they may not even realize it’s a thing they need to worry about,” she said. “The first time many organizations realize that they need to put security measures [in place] is often when they have an incident…”

Krystal Marx, the Executive Director of Seattle Out and Proud, said that her group spent a lot of time coordinating their Seattle Pride component of the virtual Together for Pride events. “All of our content was loaded securely into our app and on a private, unlisted, YouTube channel,” she said. “In addition to employing a ‘one strike rule’ that stated a participant would be removed, without warning, if they were found to be posting harassing, threatening, homophobic, transphobic, racist and/or ableist remarks, all three organizations responsible for the Together for Pride virtual event dedicated volunteers to monitor live streams and chat rooms for these types of comments. We also made sure registration was a requirement to access most of the features.”

Sterling said that taking precautions is key. She shared a few tips for holding a successful virtual meeting:

o Use a password that gets shared separately from the link to the call and/or use the waiting room feature and have a moderator allow people in to the main meeting.

o For a public meeting, make sure that everyone – except the moderator – is muted and only allow the moderator can unmute participants.

o Make sure that file transfer is turned off in public meetings and that only the moderator can share their screen.

o If you are doing a webinar where there will only be questions from the audience, another tool may be preferable. YouTube live, for example, allows you to have several people who are invited in by the moderator of a panel and, then, have the audience ask questions through text chat.

Be proactive, suggested Sterling, before your next virtual meeting. “If you’re not the organizer, you probably don’t have control of much, so it can be scary,” she said. “I would say that you should talk to the organizers of the meeting and ask them to be clear about what they are doing to avoid a “meeting bombing.”

Marx agreed that the responsibility for participant safety is with the event organizer. “Just as we hire additional security for our in-person events, I believe it is crucial to maintain a safe virtual environment for our participants as well,” she said. “Whether LGBTQIA+ or ally, we know that Pride events hold an almost sacred element to them; these are places where we remember those who have lost their lives due to homophobic or transphobic or racist attacks, those who lost their battle with HIV/AIDS, and those who have dedicated their entire lives to fighting for equal rights for our LGBTQIA+ community. As such, it is our duty to ensure that participants are able to engage authentically and without great concern of being harassed or targeted.”

Until there is a vaccine for COVID-19, the need for virtual meetings will continue. That poses challenges for small smaller nonprofit organizations. Breanna Bry Kellar, President of the Washington Gender Alliance (WGA) and it’s parent organization the Pacific Gender Institute, said all of its work has moved online. The WGA operates support groups in Bellingham, Everett, Skagit County and Shoreline. They also provide resource referrals but have had to cut back on expansion plans due to the pandemic.

“It’s apparent we are going to have to change how we operate in the long term with COVID-19 now being a long-term issue,” said Keller. “We’ve pretty much been reduced to online options for getting those we already know together and some very limited crisis services, again to those we already know.

“Online security is a huge part of that. We just don’t seem to have the expertise in our group to truly be sure we are doing all we can. Our current response is to stop until we do. That will really just stop some LGBT people from getting the help they need.” The SGN spoke with a privacy and data security legal expert to find out what can be done to discourage “bombing” or “hacking” of virtual meetings.

“Unfortunately, in the world we live in, there are a lot of rotten people out there who – for whatever reason – feel the need to engage in this behavior,” said Mike Hintze, an instructor of privacy law at the University of Washington Law School and a partner at Hintze Law, a privacy and data security boutique law firm in Seattle. “It could, for sure, [be illegal] depending on the circumstances.”

Hintze outlined three ways that the behavior may be unlawful. First, there are both federal and Washington state laws that prohibit unauthorized hacking of a computer or online system. “There is a federal law and a number of states have equivalents called the Computer Fraud and Abuse Act.” he said. “It is basically a law that is designed to prevent hacking – computer trespass. It prohibits a person from gaining unauthorized access to a computer or online system. The factual question comes down to – Is it unauthorized? That is not as straightforward as it might sound.

“For example… if someone had posted the information about the call publicly and someone – using Google search – happened to find it – even if they weren’t the intended audience for the call – that would probably not rise to the level of being unauthorized because there really was no serious effort made to prevent people from joining. If someone had the invitation forwarded to them by someone who had been invited, that probably also wouldn’t rise to that level.

“If they broke into it through true hacking, they broke into a system and got the information – cracked the password somehow – got into it through that kind of method; it probably would raise to the level of being unauthorized. That could be a violation of that federal law.”

Second, recording a virtual meeting may run afoul of the law. “Another area where it could be an illegal context would be if they got in and they recorded it,” said Hintze. “Many states have requirements that all participants in a conversation have to agree to a recording for it to be recorded. If someone came in that was unauthorized and recorded the call in some way, that could potentially be a violation of the wiretapping law.”

A third way a “bombing’ or “hacking” might be illegal was if it violated state law prohibiting harassment and cyberbullying. “The laws around cyber harassment and cyberbullying – those are state by state,” said Hintze. “There are not strong federal laws in that area – but there are certainly laws, particularly to protect children. Depending on the nature of the ‘bombing’ and the things that are said – how targeted it is and whether they’re the kind of threats that someone could be made good on – it certainly could violate those laws.”

Hintze offered some advice for conducting virtual meetings and responding to incidents:

o Make the invitation very clear about who is invited and who is not because that can help bolster the argument that someone was not invited and was unauthorized under the Computer Abuse Fraud and Abuse Act.

o Reporting it to law enforcement and the state Attorney General’s Office is an important step to help to build a case, particularly for repeat offenders.

o Utilize privacy settings to configure the meeting and manage the meeting proactively to strengthen the legal claim that someone does engage in unlawful activity.

o Keep records of “hacking” when it happens. Document their names, phone numbers and statements.

Hintze advised that call moderators be “diligent” about taking the necessary steps but added that all too often perpetrators go free. “They may very likely be anonymous and try to maintain their anonymity,” he said. “So, reporting it to law enforcement – getting law enforcement or someone else to figure out who was actually doing this and tracking that down; that may be hard or impossible in some cases.”

Sterling noted that other virtual meeting platforms, such as Big Blue Button, has many safety features built-in and can be run in a browser – eliminating the need to download software or apps. Additional Zoom resources can be found online at: support.zoom.us

Leave a Reply

Your email address will not be published. Required fields are marked *