The blogosphere lit up last week with news that a Florida state court bail hearing for an accused Twitter hacker had been disrupted by a pornographic Zoom-bomb that hijacked the proceedings and beamed sexual images onto viewers’ screens.  (Some coverage here and here, but don’t worry, no pictures.)  The seventeen-year-old defendant is accused of hacking into the accounts of prominent figures like Barack Obama, Jeff Bezos and Elon Musk, and posting messages soliciting Bitcoin donations.  He has pled not guilty.  His lawyer was arguing to reduce his $750,000 bail when bombers took over the hearing with loud music and then raunchy pictures.

Since the COVID-19 pandemic ignited the online meeting boom, I’ve followed stories like this with special interest.  First, my younger son is a cybersecurity engineer.  Avoiding his snark means trying extra hard to use good online hygiene.  But second, I attended a bar-association-sponsored webinar in April that was bombed — and the experience was unpleasant.  Time seemed to stand still as the hacker first broadcast loud sounds, then took over the screen to scrawl images, and finally beamed in lewd photos, while the meeting organizer scrambled to oust the intruder.  The ironic subject matter of the webinar?  Best practices in organizing online meetings.

Real best practices

In the legal ethics course I teach at my alma mater as an adjunct prof, I tell my students that Model Rule 1.1, “Competence,” is the first rule in the rulebook for a reason:  executing perfectly on all of our other ethics duties doesn’t mean much if we don’t deliver competent services.  And as of this writing, some 38 jurisdictions have adopted into their own lawyer conduct rules comment [8] of Model Rule 1.1, which provides that “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”  (The godfather of legal blogging, Bob Ambrogi, keeps a running tally over at LawSites.)

So what are some best practices to keep Zoom-bombing at bay?  The Florida hearing fiasco was likely not Zoom’s fault; the platform scurried to enhance security after becoming a go-to resource this spring, instituting fixes for early-identified security issues.  But knowing your way around any platform’s security features and actually using them — or delegating that task to someone competent to do it for you — is the key to carrying out your duty of competence in this brave new world.

Here are some security tips that the sadder-but-wiser organizer provided after the hacked meeting I attended:

  • Require registration and require the host to approve all the registrations manually.  Allowing automatic registration approval can let in phantom and pretextual users.
  • Close registrations after the meeting begins.  (There’s a check-box for that when you set up the meeting.)
  • Set the meeting to NOT allow anyone to share a screen unless the host gives specific permission.
  • Ditto for allowing people to annotate a shared screen — require host permission.
  • Set the meeting to NOT allow participants to chat with the entire group, but only hosts and co-hosts.  If you are hosting, plan to moderate the chat.

In addition, you should ensure you are running the most current version of the online platform you’ve chosen (Duh), and if you are using Zoom and inviting the public, consider using a webinar format, rather than a meeting format.  Here’s a link to Zoom’s security page, but despite Zoom’s uber-popularity there are of course other providers with their own security measures and tips.

Bottom line:  Be smart, be competent, and don’t get bombed.