Episcopal Diocese of Washington

To draw people to Jesus and embody his love
for the world by equipping faith communities,
promoting spiritual growth, and striving for justice

Zoom Meetings Best Practices

Best Practices to Prevent Disruption or Hijacking of Online Meetings

Recent articles have been published referring to experiences by companies, schools, churches, and other groups, reporting disruptions in their use of using the Zoom videoconference system by pornographic and/or hate images or threatening language from one or more participants ("Zoombombing"). The FBI's Boston Office confirmed in a report in March of various incidents involving offensive behavior in meetings using Zoom. 
As a faith community we seek to provide a welcoming, accessible, and safe space for all, especially during these challenging times. These reports of hijacking or disruption of online meetings create a particularly difficult tension in navigating between seeking to make an easily accessible online space for prayer and fellowship available, while also protecting those participating from such disruptions. 
We should also be aware that it is not a vulnerability in the Zoom product that creates the conditions by which Zoombombing can occur, but the global popularity of the product and the online publishing of open meeting links that make it possible for anyone to join by simply clicking on a link. Publishing open meeting links online using any system could result in the same type of disruptive experience. In addition, the phenomenon currently being reported is specific to videoconference meetings, rather than online streaming on Facebook or YouTube.
The question on the minds of many is now what should we do when using Zoom to protect those in our online church meetings?
The following recommendations come from both Zoom and the FBI and are designed to be helpful in keeping your online parish meetings be safe for everyone participating. Note that these recommendations are designed for public meetings. These may not be needed for private meetings such as online staff meetings or parish committee meetings where a meeting link is shared privately (eg by email) with a very limited number of people.
  • Publishing Meeting Links Online: If using Zoom for online meetings (such as morning or evening prayer), avoid if possible publishing this link on your website or social media spaces. A safer practice is to make the link available to parishioners by letting them know through email or other direct means of communication. You can advertise the schedule of online meetings, but the guidance is to avoid sharing these links on the website and on social media. 
  • Meeting ID: If you do post a link publicly, avoid using your Zoom account Public Meeting ID (or PMI). This is a continuous and permanent meeting link address, so if you do use this, someone could join your meeting room anytime as the link is always the same. Learn more about Zoom Meeting ID.
  • Use Meeting Access Controls: In Zoom, there are several easy ways to control access to an online meeting space when setting up the meeting:
    • Password: (Note - this option will be enabled by default as of 4/5/20) Require that attendees have the password to join the meeting. This password is an option that can be set when creating a meeting in Zoom. This password can be shared with everyone who is invited to join the meeting. Zoom has now defaulted passwords to on by default for each new meeting. If a meeting link is shared publicly online, the password will need to be shared with parishioners and anyone else who may wish to join before the meeting. The password can be set and made simple and memorable so that it is easy to join.
    • Waiting Room:  (Note - this option will be enabled by default as of 4/5/20) Rather than allowing individuals to join the meeting automatically when clicking on the meeting link, you can use the Waiting Room feature, which will require that people seeking to join the meeting by video or by phone be admitted one by one or all together into the meeting room by the host. This enables some screening of participants' before they join. Here's a video from Zoom on managing Waiting Room.
  • Screen Sharing and File Transfers: Zoom also provides the host with controls over who can share their screen and what files may be transferred to others during the meeting. It is advised to limit or disable these for participants during public meetings.
    • Screen Sharing: In Zoom meetings, participants can share their screen to the meeting. This can be very useful for a private meeting (eg committee or staff meeting), but also comes with an increased risk for disruption. For public meetings, set screen sharing so that only the meeting host can share their screen. 
    • File Transfers: Zoom provides the capability for participant to transfer files to other participants through the Chat function. Again, this can be a useful feature, but is a means by which people have disrupted meetings. For public meetings, consider disabling file transfers for participants. Alternatively, limit file transfers to only certain types of files (eg Word files). For many prayer meetings, file transfers are not needed and can be safely disabled.
  • Other Features
    • Co-Host: A host can click on another participant/s to make them a co-host to provide assistance with managing the meeting, particularly in case of a disruption, muting and unmuting, recording a meeting, etc. 
    • Meeting On Hold: in the event of a meeting disruption, a meeting host can temporarily put the meeting on hold and remove a disruptive person from the meeting.
    • Remove a Participant: a disruptive participant can be quickly and easily removed by clicking on that individual and selecting Remove. 
    • Zoom Help: Zoom has an extensive and searchable help library on the Zoom.us website.
On April 1, Zoom published this message relating to Zoombombing. Also, Zoom has published an extensive list of available options to keep uninvited guests out of a meeting, although each parish will want to assess which features make sense for how you are using Zoom. 
In addition to the above, if your parish is a victim of a teleconference hijacking, or any cyber-crime, you may report it to the FBI’s Internet Crime Complaint Center at ic3.gov. Additionally, if you receive a specific threat during a teleconference, please report it to your local FBI field office.